Created
January 15, 2019 13:12
This file has been truncated.
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_FEDORA" resolved="1" xml:lang="en-US" style="SCAP_1.2">
  <status date="2018-07-25">draft</status>
  <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Fedora</title>
  <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Fedora. It is a rendering of
content structured in the eXtensible Configuration Checklist Description Format (XCCDF)
in order to support security automation. The SCAP content is
available in the <html:code xmlns:html="http://www.w3.org/1999/xhtml">scap-security-guide</html:code> package, which is developed at
<html:a xmlns:html="http://www.w3.org/1999/xhtml" href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</html:a>.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Providing system administrators with such guidance informs them how to securely
configure systems under their control in a variety of network roles. Policy
makers and baseline creators can use this catalog of settings, with its
associated references to higher-level security control catalogs, in order to
assist them in security baseline creation. This guide is a <html:em xmlns:html="http://www.w3.org/1999/xhtml">catalog, not a
checklist</html:em>, and satisfaction of every item is not likely to be possible or
sensible in many operational scenarios. However, the XCCDF format enables
granular selection and adjustment of settings, and their association with OVAL
and OCIL content provides an automated checking capability. Transformations of
this document, and its associated automated checking content, are capable of
providing baselines that meet a diverse set of policy objectives. Some example
XCCDF <html:em xmlns:html="http://www.w3.org/1999/xhtml">Profiles</html:em>, which are selections of items that form checklists and
can be used as baselines, are available with this guide. They can be
processed, in an automated fashion, with tools that support the Security
Content Automation Protocol (SCAP). The DISA STIG for Fedora,
which provides required settings for US Department of Defense systems, is
one example of a baseline created from this guidance.
  </description>
  <notice xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" id="terms_of_use">Do not attempt to implement any of the settings in
this guide without first testing them in a non-operational environment. The
creators of this guidance assume no responsibility whatsoever for its use by
other parties, and make no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
  </notice>
  <front-matter xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The SCAP Security Guide Project<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
<html:a xmlns:html="http://www.w3.org/1999/xhtml" href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</html:a>
  </front-matter>
  <rear-matter xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Red Hat and Red Hat Enterprise Linux are either registered
trademarks or trademarks of Red Hat, Inc. in the United States and other
countries. All other names are registered trademarks or trademarks of their
respective companies.
  </rear-matter>
  <platform idref="cpe:/o:fedoraproject:fedora:28"/>
  <platform idref="cpe:/o:fedoraproject:fedora:27"/>
  <platform idref="cpe:/o:fedoraproject:fedora:26"/>
  <platform idref="cpe:/o:fedoraproject:fedora:25"/>
  <version update="https://github.com/OpenSCAP/scap-security-guide/releases/latest">0.1.40</version>
  <metadata xmlns:xhtml="http://www.w3.org/1999/xhtml">
    <dc:publisher xmlns:dc="http://purl.org/dc/elements/1.1/">SCAP Security Guide Project</dc:publisher>
    <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">SCAP Security Guide Project</dc:creator>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Frank J Cameron (CAM1244) &lt;cameron@ctc.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">0x66656c6978 &lt;0x66656c6978@users.noreply.github.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Gabe Alford &lt;redhatrises@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Firas AlShafei &lt;firas.alshafei@us.abb.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Christopher Anderson &lt;cba@fedoraproject.org&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Chuck Atkins &lt;chuck.atkins@kitware.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Ryan Ballanger &lt;root@rballang-admin-2.fastenal.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Alex Baranowski &lt;alex@euro-linux.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Molly Jo Bault &lt;Molly.Jo.Bault@ballardtech.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Alexander Bergmann &lt;abergmann@suse.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jose Luis BG &lt;bgjoseluis@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Bisch &lt;joseph.bisch@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jeffrey Blank &lt;blank@eclipse.ncsc.mil&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Olivier Bonhomme &lt;ptitoliv@ptitoliv.net&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Ted Brunell &lt;tbrunell@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Blake Burkhart &lt;blake.burkhart@us.af.mil&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Patrick Callahan &lt;pmc@patrickcallahan.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Nick Carboni &lt;ncarboni@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">James Cassell &lt;james.cassell@ll.mit.edu&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Frank Caviggia &lt;fcaviggi@ra.iad.redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Eric Christensen &lt;echriste@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Caleb Cooper &lt;coopercd@ornl.gov&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Deric Crago &lt;deric.crago@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Maura Dailey &lt;maura@eclipse.ncsc.mil&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Klaas Demter &lt;demter@atix.de&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Andrew DiPrinzio &lt;andrew.diprinzio@jhuapl.edu&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jean-Baptiste Donnette &lt;jean-baptiste.donnette@epita.fr&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">drax &lt;applezip@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Greg Elin &lt;gregelin@gitmachines.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Leah Fisher &lt;lfisher047@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Andrew Gilmore &lt;agilmore2@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Glemza &lt;jglemza@nasa.gov&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Loren Gordon &lt;lorengordon@users.noreply.github.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Steve Grubb &lt;sgrubb@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Marek Haicman &lt;mhaicman@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Rebekah Hayes &lt;rhayes@corp.rivierautilities.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Trey Henefield &lt;thenefield@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">hex2a &lt;hex2a@users.noreply.github.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">John Hooks &lt;jhooks@starscream.pa.jhbcomputers.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Robin Price II &lt;robin@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jeremiah Jahn &lt;jeremiah@goodinassociates.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Stephan Joerrens &lt;Stephan.Joerrens@fiduciagad.de&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kai Kang &lt;kai.kang@windriver.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Charles Kernstock &lt;charles.kernstock@ultra-ats.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Yuli Khodorkovskiy &lt;ykhodorkovskiy@tresys.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Peter 'Pessoft' Kolínek &lt;github@pessoft.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Luke Kordell &lt;luke.t.kordell@lmco.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">kspargur &lt;kspargur@kspargur.csb&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Fen Labalme &lt;fen@civicactions.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Ian Lee &lt;lee1001@llnl.gov&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jan Lieskovsky &lt;jlieskov@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Šimon Lukašík &lt;slukasik@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Milan Lysonek &lt;mlysonek@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Fredrik Lysén &lt;fredrik@pipemore.se&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Matus Marhefka &lt;mmarhefk@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jamie Lorwey Martin &lt;jlmartin@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Michael McConachie &lt;michael@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Khary Mendez &lt;kharyam@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Rodney Mercer &lt;rmercer@harris.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Matt Micene &lt;nzwulfin@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Brian Millett &lt;bmillett@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">mmosel &lt;mmosel@kde.example.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Zbynek Moravec &lt;zmoravec@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kazuo Moriwaka &lt;moriwaka@users.noreply.github.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Michael Moseley &lt;michael@eclipse.ncsc.mil&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Joe Nall &lt;joe@nall.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Neiloy &lt;neiloy@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Michele Newman &lt;mnewman@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Sean O'Keeffe &lt;seanokeeffe797@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Ilya Okomin &lt;ilya.okomin@oracle.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kaustubh Padegaonkar &lt;theTuxRacer@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Michael Palmiotto &lt;mpalmiotto@tresys.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Max R.D. Parmer &lt;maxp@trystero.is&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">pcactr &lt;paul.c.arnold4.ctr@mail.mil&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kenneth Peeples &lt;kennethwpeeples@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Nathan Peters &lt;Nathaniel.Peters@ca.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Frank Lin PIAT &lt;fpiat@klabs.be&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Stefan Pietsch &lt;mail.ipv4v6+gh@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Martin Preisler &lt;mpreisle@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Wesley Ceraso Prudencio &lt;wcerasop@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Raphael Sanchez Prudencio &lt;rsprudencio@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">T.O. Radzy Radzykewycz &lt;radzy@windriver.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kenyon Ralph &lt;kenyon@kenyonralph.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Rick Renshaw &lt;Richard_Renshaw@xtoenergy.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Chris Reynolds &lt;c.reynolds82@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Pat Riehecky &lt;riehecky@fnal.gov&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">rlucente-se-jboss &lt;rlucente@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Roys &lt;roysjosh@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">rrenshaw &lt;bofh69@yahoo.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Chris Ruffalo &lt;chris.ruffalo@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Ray Shaw (Cont ARL/CISD) rvshaw &lt;rvshaw@esme.arl.army.mil&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Willy Santos &lt;wsantos@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Gautam Satish &lt;gautams@hpe.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Watson Sato &lt;wsato@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Satoru SATOH &lt;satoru.satoh@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Alexander Scheel &lt;ascheel@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Spencer Shimko &lt;sshimko@tresys.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Sjögren &lt;konstruktoid@users.noreply.github.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Francisco Slavin &lt;fslavin@tresys.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">David Smith &lt;dsmith@eclipse.ncsc.mil&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin Spargur &lt;kspargur@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kenneth Stailey &lt;kstailey.lists@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Leland Steinke &lt;leland.j.steinke.ctr@mail.mil&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Brian Stinson &lt;brian@bstinson.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Philippe Thierry &lt;phil@reseau-libre.net&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Paul Tittle &lt;ptittle@cmf.nrl.navy.mil&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jeb Trayer &lt;jeb.d.trayer@uscg.mil&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Matěj Týč &lt;matyc@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">VadimDor &lt;29509093+VadimDor@users.noreply.github.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Shawn Wells &lt;shawn@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Roy Williams &lt;roywilli@roywilli.redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Rob Wilmoth &lt;rwilmoth@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Lucas Yamanishi &lt;lucas.yamanishi@onyxpoint.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui Yang &lt;xirui.yang@oracle.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin Zimmerman &lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jan Černý &lt;jcerny@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Michal Šrubař &lt;msrubar@redhat.com&gt;</dc:contributor>
    <dc:source xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source>
  </metadata>
  <model system="urn:xccdf:scoring:default"/>
  <Profile id="xccdf_org.ssgproject.content_profile_standard">
    <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">Standard System Security Profile for Fedora</title>
    <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">This profile contains rules to ensure a standard security baseline for a Fedora system.
Regardless of your system's workload, all of these checks should pass.</description>
    <select idref="xccdf_org.ssgproject.content_rule_disable_prelink" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_aide_build_database" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_no_direct_root_logins" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_securetty_root_login_console_only" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_restrict_serial_port_logins" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_display_login_attempts" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_gid_passwd_group_same" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_no_netrc_files" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_account_unique_name" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_grub2_audit_argument" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_mac_modification" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_session_events" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_media_export" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_immutable" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_grub2_nousb_argument.rule" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_group_remediation_functions" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_principle-minimize-software" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_cron_and_at" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_restrict_at_cron_users" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_mail" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_postfix_client" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_postfix_harden_os" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_postfix_server_cfg" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_postfix_server_dos" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_routing" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_disabling_quagga" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_ldap" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_openldap_server" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_openldap_client" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_obsolete" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_telnet" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_r_services" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_talk" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_tftp" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_nis" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_proxy" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_disabling_squid" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_openstack" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_imap" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_disabling_dovecot" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_configure_dovecot" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_snmp" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_snmp_configure_server" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_disabling_snmp_service" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_http" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_installing_httpd" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_disabling_httpd" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_securing_httpd" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_httpd_secure_content" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" selected="false"/>
    <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" selected="false"/>
| <select idref="xccdf_org.ssgproject.content_group_httpd_core_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_basic_authentication" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_optional_components" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disable_avahi_group" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_xwindows" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_xwindows" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_client_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_server_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_restrict_users" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configuring_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_disable_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_docker" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dns_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_isolation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_dedicated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_protection" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_and_rpc" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_servers" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_export_filesystems_read_only" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_exports_restrictively" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfs_services" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_netfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_clients" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfsd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configuring_ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-iptables" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_icmp_disabled" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_activation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-kernel" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_host_parameters" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-wireless" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_wireless_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-uncommon" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-ipsec" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_entropy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_password_quality" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_password_quality_pamcracklib" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_password_quality_pwquality" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_locking_out_password_attempts" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_accounts-banners" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gui_login_banner" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_accounts-physical" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_screen_locking" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smart_card_login" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_console_screen_locking" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_user_umask" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_selinux" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_selinux-booleans" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sudo" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_login_screen" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_remote_access_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_network_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_system_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_screen_locking" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_media_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disk_partitioning" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_fips" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_endpoint_security_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_security_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_hbss_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_certified-vendor" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_logging" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_log_rotation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_bootloader-grub2" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_permissions_important_account_files" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_partitions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_coredumps" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_daemon_umask" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_enable_execshield_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_enable_nx" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_bootloader-grub-legacy" selected="false"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" selector="12"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" selector="7"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" selector="90"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" selector="7"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_num_logs" selector="5"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" selector="5_minutes"/> | |
| </Profile> | |
| <Group id="xccdf_org.ssgproject.content_group_remediation_functions"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation functions used by the SCAP Security Guide Project</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">XCCDF form of the various remediation functions as used by remediation scripts from the SCAP Security Guide Project.</description> | |
| <Value id="xccdf_org.ssgproject.content_value_function_package_install" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function package_install</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to install packages on RHEL, Fedora, Debian, and possibly other systems. | |
| # | |
| # Example Call(s): | |
| # | |
| # package_install aide | |
| # | |
| function package_install { | |
| # Load function arguments into local variables | |
| local package="$1" | |
| # Check sanity of the input | |
| if [ $# -ne "1" ] | |
| then | |
| echo "Usage: package_install 'package_name'" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| # Prefer the POSIX 'command -v' over 'which': on minimal Fedora/RHEL installs | |
| # 'which' is a separate package that may be absent, and it would also print the | |
| # resolved path into the remediation output. | |
| if command -v dnf >/dev/null 2>&1 ; then | |
| if ! rpm -q --quiet "$package"; then | |
| dnf install -y "$package" | |
| fi | |
| elif command -v yum >/dev/null 2>&1 ; then | |
| if ! rpm -q --quiet "$package"; then | |
| yum install -y "$package" | |
| fi | |
| elif command -v apt-get >/dev/null 2>&1 ; then | |
| apt-get install -y "$package" | |
| else | |
| echo "Failed to detect available packaging system, tried dnf, yum and apt-get!" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_fix_audit_watch_rule" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function fix_audit_watch_rule</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to fix audit file system object watch rule for given path: | |
| # * if rule exists, also verifies the -w bits match the requirements | |
| # * if rule doesn't exist yet, appends expected rule form to $files_to_inspect | |
| # audit rules file, depending on the tool which was used to load audit rules | |
| # | |
| # Expects four arguments (each of them is required) in the form of: | |
| # * audit tool             tool used to load audit rules, | |
| #                          either 'auditctl', or 'augenrules' | |
| # * path                   value of -w audit rule's argument | |
| # * required access bits   value of -p audit rule's argument | |
| # * key                    value of -k audit rule's argument | |
| # | |
| # Example call: | |
| # | |
| # fix_audit_watch_rule "auditctl" "/etc/localtime" "wa" "audit_time_rules" | |
| # | |
| function fix_audit_watch_rule { | |
| # Load function arguments into local variables | |
| local tool="$1" | |
| local path="$2" | |
| local required_access_bits="$3" | |
| local key="$4" | |
| # Check sanity of the input | |
| if [ $# -ne "4" ] | |
| then | |
| echo "Usage: fix_audit_watch_rule 'tool' 'path' 'bits' 'key'" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| # Create a list of audit *.rules files that should be inspected for presence and correctness | |
| # of a particular audit rule. The scheme is as follows: | |
| # | |
| # ----------------------------------------------------------------------------------------- | |
| # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | | |
| # ----------------------------------------------------------------------------------------- | |
| # auditctl | Doesn't matter | /etc/audit/audit.rules | | |
| # ----------------------------------------------------------------------------------------- | |
| # augenrules | Yes | /etc/audit/rules.d/*.rules | | |
| # augenrules | No | /etc/audit/rules.d/$key.rules | | |
| # ----------------------------------------------------------------------------------------- | |
| declare -a files_to_inspect | |
| # Check sanity of the specified audit tool | |
| if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ] | |
| then | |
| echo "Unknown audit rules loading tool: $1. Aborting." | |
| echo "Use either 'auditctl' or 'augenrules'!" | |
| exit 1 | |
| # If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' | |
| # into the list of files to be inspected | |
| elif [ "$tool" == 'auditctl' ] | |
| then | |
| files_to_inspect=("${files_to_inspect[@]}" '/etc/audit/audit.rules') | |
| # If the audit tool is 'augenrules', then check if rule is already defined | |
| # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. | |
| # If rule isn't defined, add '/etc/audit/rules.d/$key.rules' to list of files for inspection. | |
| elif [ "$tool" == 'augenrules' ] | |
| then | |
| # Case when particular audit rule is already defined in some of /etc/audit/rules.d/*.rules file | |
| # Get pair -- filepath : matching_row into @matches array. | |
| # '-H' forces the "file:line" output form even when the glob expands to a | |
| # single file (plain grep would then print the line alone and the 'cut' below | |
| # would yield the rule text instead of a file path). The trailing (\s|$) | |
| # keeps e.g. '-w /etc/passwd' from matching a rule for /etc/passwd-. | |
| IFS=$'\n' matches=($(grep -HP "[\s]*-w[\s]+$path(\s|\$)" /etc/audit/rules.d/*.rules)) | |
| # Reset IFS back to default | |
| unset IFS | |
| # For each of the matched entries | |
| for match in "${matches[@]}" | |
| do | |
| # Extract filepath from the match | |
| rulesd_audit_file=$(echo "$match" | cut -f1 -d ':') | |
| # Append that path into list of files for inspection | |
| files_to_inspect=("${files_to_inspect[@]}" "$rulesd_audit_file") | |
| done | |
| # Case when particular audit rule isn't defined yet | |
| if [ ${#files_to_inspect[@]} -eq "0" ] | |
| then | |
| # Append '/etc/audit/rules.d/$key.rules' into list of files for inspection | |
| files_to_inspect="/etc/audit/rules.d/$key.rules" | |
| # If the $key.rules file doesn't exist yet, create it with correct permissions | |
| if [ ! -e "$files_to_inspect" ] | |
| then | |
| touch "$files_to_inspect" | |
| chmod 0640 "$files_to_inspect" | |
| fi | |
| fi | |
| fi | |
| # Finally perform the inspection and possible subsequent audit rule | |
| # correction for each of the files previously identified for inspection | |
| for audit_rules_file in "${files_to_inspect[@]}" | |
| do | |
| # Check if audit watch file system object rule for given path already present | |
| # (path must be followed by whitespace or end of line so that a rule for a | |
| # longer path with the same prefix, e.g. /etc/passwd-, is not mistaken for it) | |
| if grep -q -P -- "[\s]*-w[\s]+$path(\s|\$)" "$audit_rules_file" | |
| then | |
| # Rule is found => verify yet if existing rule definition contains | |
| # all of the required access type bits | |
| # Escape slashes in path for use in sed pattern below | |
| local esc_path=${path//$'/'/$'\/'} | |
| # Define BRE whitespace class shortcut | |
| local sp="[[:space:]]" | |
| # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule | |
| current_access_bits=$(sed -ne "s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p" "$audit_rules_file") | |
| # Split required access bits string into characters array | |
| # (to check bit's presence for one bit at a time) | |
| for access_bit in $(echo "$required_access_bits" | grep -o .) | |
| do | |
| # For each from the required access bits (e.g. 'w', 'a') check | |
| # if they are already present in current access bits for rule. | |
| # If not, append that bit at the end | |
| if ! grep -q "$access_bit" <<< "$current_access_bits" | |
| then | |
| # Concatenate the existing mask with the missing bit | |
| current_access_bits="$current_access_bits$access_bit" | |
| fi | |
| done | |
| # Propagate the updated rule's access bits (original + the required | |
| # ones) back into the /etc/audit/audit.rules file for that rule | |
| sed -i "s/\($sp*-w$sp\+$esc_path$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)/\1$current_access_bits\3/" "$audit_rules_file" | |
| else | |
| # Rule isn't present yet. Append it at the end of $audit_rules_file file | |
| # with proper key | |
| echo "-w $path -p $required_access_bits -k $key" >> "$audit_rules_file" | |
| fi | |
| done | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to fix syscall audit rule for given system call. It is | |
| # based on example audit syscall rule definitions as outlined in | |
| # /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit | |
| # package. It will combine multiple system calls belonging to the same | |
| # syscall group into one audit rule (rather than to create audit rule per | |
| # different system call) to avoid audit infrastructure performance penalty | |
| # in the case of 'one-audit-rule-definition-per-one-system-call'. See: | |
| # | |
| # https://www.redhat.com/archives/linux-audit/2014-November/msg00009.html | |
| # | |
| # for further details. | |
| # | |
| # Expects five arguments (each of them is required) in the form of: | |
| # * audit tool               tool used to load audit rules, | |
| #                            either 'auditctl', or 'augenrules' | |
| # * audit rules' pattern     audit rule skeleton for same syscall | |
| # * syscall group            greatest common string this rule shares | |
| #                            with other rules from the same group | |
| # * architecture             architecture this rule is intended for | |
| # * full form of new rule    expected full form of audit rule as to be | |
| #                            added into audit.rules file | |
| # | |
| # Note: The 2nd through 4th arguments are used to determine how many existing | |
| # audit rules will be inspected for resemblance with the new audit rule | |
| # (the 5th argument) the function is going to add. The rule's similarity check | |
| # is performed to optimize audit.rules definition (merge syscalls of the same | |
| # group into one rule) to avoid the "single-syscall-per-audit-rule" performance | |
| # penalty. | |
| # | |
| # Example call: | |
| # | |
| # See e.g. 'audit_rules_file_deletion_events.sh' remediation script | |
| # | |
| function fix_audit_syscall_rule { | |
| # Load function arguments into local variables | |
| local tool="$1" | |
| local pattern="$2" | |
| local group="$3" | |
| local arch="$4" | |
| local full_rule="$5" | |
| # Check sanity of the input | |
| if [ $# -ne "5" ] | |
| then | |
| echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| # Create a list of audit *.rules files that should be inspected for presence and correctness | |
| # of a particular audit rule. The scheme is as follows: | |
| # | |
| # ----------------------------------------------------------------------------------------- | |
| # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | | |
| # ----------------------------------------------------------------------------------------- | |
| # auditctl | Doesn't matter | /etc/audit/audit.rules | | |
| # ----------------------------------------------------------------------------------------- | |
| # augenrules | Yes | /etc/audit/rules.d/*.rules | | |
| # augenrules | No | /etc/audit/rules.d/$key.rules | | |
| # ----------------------------------------------------------------------------------------- | |
| # | |
| declare -a files_to_inspect | |
| retval=0 | |
| # First check sanity of the specified audit tool | |
| if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ] | |
| then | |
| echo "Unknown audit rules loading tool: $1. Aborting." | |
| echo "Use either 'auditctl' or 'augenrules'!" | |
| return 1 | |
| # If audit tool is 'auditctl', then add '/etc/audit/audit.rules' | |
| # file to the list of files to be inspected | |
| elif [ "$tool" == 'auditctl' ] | |
| then | |
| files_to_inspect=("${files_to_inspect[@]}" '/etc/audit/audit.rules' ) | |
| # If audit tool is 'augenrules', then check if the audit rule is defined | |
| # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection | |
| # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection | |
| elif [ "$tool" == 'augenrules' ] | |
| then | |
| # Extract audit $key from audit rule so we can use it later | |
| key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)' '|' "$full_rule" : '.*-F[[:space:]]key=\([^[:space:]]\+\)') | |
| # Check if particular audit rule is already defined | |
| IFS=$'\n' matches=($(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules)) | |
| if [ $? -ne 0 ] | |
| then | |
| retval=1 | |
| fi | |
| # Reset IFS back to default | |
| unset IFS | |
| for match in "${matches[@]}" | |
| do | |
| files_to_inspect=("${files_to_inspect[@]}" "${match}") | |
| done | |
| # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet | |
| if [ ${#files_to_inspect[@]} -eq "0" ] | |
| then | |
| files_to_inspect="/etc/audit/rules.d/$key.rules" | |
| if [ ! -e "$files_to_inspect" ] | |
| then | |
| touch "$files_to_inspect" | |
| chmod 0640 "$files_to_inspect" | |
| fi | |
| fi | |
| fi | |
| # | |
| # Indicator that we want to append $full_rule into $audit_file by default | |
| local append_expected_rule=0 | |
| for audit_file in "${files_to_inspect[@]}" | |
| do | |
| # Filter existing $audit_file rules' definitions to select those that: | |
| # * follow the rule pattern, and | |
| # * meet the hardware architecture requirement, and | |
| # * are current syscall group specific | |
| IFS=$'\n' existing_rules=($(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file")) | |
| if [ $? -ne 0 ] | |
| then | |
| retval=1 | |
| fi | |
| # Reset IFS back to default | |
| unset IFS | |
| # Process rules found case-by-case | |
| for rule in "${existing_rules[@]}" | |
| do | |
| # Found rule is for same arch & key, but differs (e.g. in count of -S arguments) | |
| if [ "${rule}" != "${full_rule}" ] | |
| then | |
| # If so, isolate just the '(-S \w+ )+' substring of that rule | |
| rule_syscalls=$(echo "$rule" | grep -o -P '(-S \w+ )+') | |
| # Check if list of '-S syscall' arguments of that rule is subset | |
| # of '-S syscall' list of expected $full_rule | |
| if grep -q -- "$rule_syscalls" <<< "$full_rule" | |
| then | |
| # Rule is covered (i.e. the list of -S syscalls for this rule is | |
| # subset of -S syscalls of $full_rule => existing rule can be deleted | |
| # Thus delete the rule from audit.rules & our array | |
| sed -i -e "\;${rule};d" "$audit_file" | |
| if [ $? -ne 0 ] | |
| then | |
| retval=1 | |
| fi | |
| existing_rules=("${existing_rules[@]//$rule/}") | |
| else | |
| # Rule isn't covered by $full_rule: besides the -S syscall arguments | |
| # for this group it also carries -S arguments from another syscall | |
| # group. Example: '-S lchown -S fchmod -S fchownat' => group='chown' | |
| # since 'lchown' & 'fchownat' share the 'chown' substring, but 'fchmod' | |
| # does not. Therefore: | |
| # * 1) delete the original rule from audit.rules | |
| # (original '-S lchown -S fchmod -S fchownat' rule would be deleted) | |
| # * 2) drop the -S syscall arguments for this syscall group, but | |
| # keep those not belonging to this syscall group | |
| # (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod') | |
| # * 3) append the modified (filtered) rule again into audit.rules | |
| # if the same rule is not already present | |
| # | |
| # 1) Delete the original rule | |
| sed -i -e "\;${rule};d" "$audit_file" | |
| if [ $? -ne 0 ] | |
| then | |
| retval=1 | |
| fi | |
| # 2) Delete syscalls for this group, but keep those from other groups | |
| # Turn the rule's '-S syscall' string into an array of bare syscall names | |
| # by stripping the '-S ' markers and splitting on whitespace. (IFS holds a | |
| # set of single characters, so the former IFS=$'-S' split on '-' and on 'S' | |
| # separately; it only worked because syscall names contain neither.) | |
| read -a rule_syscalls_as_array <<< "${rule_syscalls//-S /}" | |
| # Declare new empty string to hold '-S syscall' arguments from other groups | |
| new_syscalls_for_rule='' | |
| # Walk through existing '-S syscall' arguments | |
| for syscall_arg in "${rule_syscalls_as_array[@]}" | |
| do | |
| # Skip empty $syscall_arg values | |
| if [ "$syscall_arg" == '' ] | |
| then | |
| continue | |
| fi | |
| # If the '-S syscall' doesn't belong to current group add it to the new list | |
| # (adding the '-S' delimiter back; the trailing blank keeps whatever follows | |
| # the syscall list in the rule separated, repeated blanks are squeezed below) | |
| if grep -q -v -- "$group" <<< "$syscall_arg" | |
| then | |
| new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg " | |
| fi | |
| done | |
| # Replace original '-S syscall' list with the new one for this rule | |
| updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule} | |
| # Squeeze repeated whitespace characters in rule definition (if any) into one | |
| updated_rule=$(echo "$updated_rule" | tr -s '[:space:]') | |
| # 3) Append the modified / filtered rule again into audit.rules | |
| # (but only in case it's not present yet to prevent duplicate definitions) | |
| if ! grep -q -- "$updated_rule" "$audit_file" | |
| then | |
| echo "$updated_rule" >> "$audit_file" | |
| fi | |
| fi | |
| else | |
| # $audit_file already contains the expected rule form for this | |
| # architecture & key => don't insert it second time | |
| append_expected_rule=1 | |
| fi | |
| done | |
| # We deleted all rules that were subset of the expected one for this arch & key. | |
| # Also isolated rules containing system calls not from this system calls group. | |
| # Now append the expected rule if it's not present in $audit_file yet | |
| if [[ ${append_expected_rule} -eq "0" ]] | |
| then | |
| echo "$full_rule" >> "$audit_file" | |
| fi | |
| done | |
| return $retval | |
| } | |
| # Perform the remediation for the 'adjtimex', 'settimeofday', and 'stime' audit | |
| # system calls on Red Hat Enterprise Linux 7 or Fedora OSes | |
| function rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation { | |
| # Retrieve hardware architecture of the underlying system | |
| [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") | |
| for ARCH in "${RULE_ARCHS[@]}" | |
| do | |
| PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *" | |
| # Create expected audit group and audit rule form for particular system call & architecture | |
| if [ ${ARCH} = "b32" ] | |
| then | |
| # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) | |
| # so append it to the list of time group system calls to be audited | |
| GROUP="\(adjtimex\|settimeofday\|stime\)" | |
| FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules" | |
| elif [ ${ARCH} = "b64" ] | |
| then | |
| # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) | |
| # therefore don't add it to the list of time group system calls to be audited | |
| GROUP="\(adjtimex\|settimeofday\)" | |
| FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules" | |
| fi | |
| # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' | |
| fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" | |
| fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" | |
| done | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_replace_or_append" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function replace_or_append</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to replace configuration setting in config file or add the configuration setting if | |
| # it does not exist. | |
| # | |
| # Expects arguments: | |
| # | |
| # config_file: Configuration file that will be modified | |
| # key: Configuration option to change | |
| # value: Value of the configuration option to change | |
| # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists | |
| # | |
| # Optional arguments: | |
| # | |
| # format: printf-like format string that is given the stripped key and the value as | |
| # arguments, so e.g. '%s=%s' results in key=value (i.e. without spaces around '='). | |
| # The default is '%s = %s', i.e. key = value. | |
| # | |
| # Example Call(s): | |
| # | |
| # With default format of 'key = value': | |
| # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' | |
| # | |
| # With custom key/value format: | |
| # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' | |
| # | |
| # With a variable: | |
| # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' | |
| # | |
| function replace_or_append { | |
| local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' | |
| local config_file=$1 | |
| local key=$2 | |
| local value=$3 | |
| local cce=$4 | |
| local format=$5 | |
| if [ "$case_insensitive_mode" = yes ]; then | |
| sed_case_insensitive_option="i" | |
| grep_case_insensitive_option="-i" | |
| fi | |
| [ -n "$format" ] || format="$default_format" | |
| # Check sanity of the input | |
| [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } | |
| # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. | |
| # Otherwise, regular sed command will do. | |
| sed_command=('sed' '-i') | |
| if test -L "$config_file"; then | |
| sed_command+=('--follow-symlinks') | |
| fi | |
| # Test that the cce arg is not empty or does not equal @CCENUM@. | |
| # If @CCENUM@ exists, it means that there is no CCE assigned. | |
| if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then | |
| cce="CCE-${cce}" | |
| else | |
| cce="CCE" | |
| fi | |
| # Strip any search characters in the key arg so that the key can be replaced without | |
| # adding any search characters to the config file. | |
| stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key") | |
| # shellcheck disable=SC2059 | |
| printf -v formatted_output "$format" "$stripped_key" "$value" | |
| # If the key exists, change it. Otherwise, add it to the config_file. | |
| # We search for the key string followed by a word boundary (matched by \>), | |
| # so if we search for 'setting', 'setting2' won't match. | |
| if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then | |
| # Escape '/', '&' and '\' in the replacement text so that a value such as a | |
| # path or a string containing '&' does not break the sed substitution below. | |
| formatted_output_esc=$(printf '%s' "$formatted_output" | sed -e 's/[\/&\\]/\\&/g') | |
| "${sed_command[@]}" "s/${key}\\>.*/$formatted_output_esc/g$sed_case_insensitive_option" "$config_file" | |
| else | |
| # \n is precaution for case where file ends without trailing newline | |
| printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" | |
| printf '%s\n' "$formatted_output" >> "$config_file" | |
| fi | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_firefox_cfg_setting" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function firefox_cfg_setting</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to replace configuration setting(s) in the Firefox preferences configuration (.cfg) file or add the | |
| # preference if it does not exist. | |
| # | |
| # Expects three arguments: | |
| # | |
| # config_file: Configuration file that will be modified | |
| # key: Configuration option to change | |
| # value: Value of the configuration option to change | |
| # | |
| # | |
| # Example Call(s): | |
| # | |
| # Without string or variable: | |
| # firefox_cfg_setting "stig.cfg" "extensions.update.enabled" "false" | |
| # | |
| # With string: | |
| # firefox_cfg_setting "stig.cfg" "security.default_personal_cert" "\"Ask Every Time\"" | |
| # | |
| # With a string variable: | |
| # firefox_cfg_setting "stig.cfg" "browser.startup.homepage" "\"${var_default_home_page}\"" | |
| # | |
| function firefox_cfg_setting { | |
| local firefox_cfg=$1 | |
| local key=$2 | |
| local value=$3 | |
| local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" | |
| # Check sanity of input | |
| if [ $# -lt "3" ] | |
| then | |
| echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'" | |
| echo | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| # Check the possible Firefox install directories | |
| for firefox_dir in ${firefox_dirs}; do | |
| # If the Firefox directory exists, then Firefox is installed | |
| if [ -d "${firefox_dir}" ]; then | |
| # Make sure the Firefox .cfg file exists and has the appropriate permissions | |
| if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then | |
| touch "${firefox_dir}/${firefox_cfg}" | |
| chmod 644 "${firefox_dir}/${firefox_cfg}" | |
| fi | |
| # If the key exists, change it. Otherwise, add it to the config_file. | |
| if grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}" ; then | |
| sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}" | |
| else | |
| echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}" | |
| fi | |
| fi | |
| done | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_die" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function die</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Print a message to stderr and exit the shell | |
| # $1: The message to print. | |
| # $2: The error code (optional, default is 1) | |
| function die { | |
| local _message="$1" _rc="${2:-1}" | |
| printf '%s\n' "$_message" >&2 | |
| exit "$_rc" | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_populate" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function populate</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># The populate function isn't directly used by SSG at the moment but it can be | |
| # used for testing purposes and will be used in SSG Testsuite in the future. | |
| function populate { | |
| # code to populate environment variables needed (for unit testing) | |
| if [ -z "${!1}" ]; then | |
| echo "$1 is not defined. Exiting." >&2 | |
| exit 1 | |
| fi | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_service_command" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function service_command</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to enable/disable and start/stop services on RHEL and Fedora systems. | |
| # | |
| # Example Call(s): | |
| # | |
| # service_command enable bluetooth | |
| # service_command disable bluetooth.service | |
| # | |
| # Using xinetd: | |
| # service_command disable rsh.socket xinetd=rsh | |
| # | |
| function service_command { | |
| # Load function arguments into local variables | |
| local service_state=$1 | |
| local service=$2 | |
| local xinetd=$(echo $3 | cut -d'=' -f2) | |
| # Check sanity of the input | |
| if [ $# -lt "2" ] | |
| then | |
| echo "Usage: service_command 'enable/disable' 'service_name.service'" | |
| echo | |
| echo "To enable or disable xinetd services add 'xinetd=service_name'" | |
| echo "as the last argument" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| # If systemctl is installed, use systemctl command; otherwise, use the service/chkconfig commands | |
| if [ -f "/usr/bin/systemctl" ] ; then | |
| service_util="/usr/bin/systemctl" | |
| else | |
| service_util="/sbin/service" | |
| chkconfig_util="/sbin/chkconfig" | |
| fi | |
| # If disable is not specified in arg1, set variables to enable services. | |
| # Otherwise, variables are to be set to disable services. | |
| if [ "$service_state" != 'disable' ] ; then | |
| service_state="enable" | |
| service_operation="start" | |
| chkconfig_state="on" | |
| else | |
| service_state="disable" | |
| service_operation="stop" | |
| chkconfig_state="off" | |
| fi | |
| # If chkconfig_util is not empty, use chkconfig/service commands. | |
| if [ "x$chkconfig_util" != x ] ; then | |
| $service_util $service $service_operation | |
| $chkconfig_util --level 0123456 $service $chkconfig_state | |
| else | |
| $service_util $service_operation $service | |
| $service_util $service_state $service | |
| # The service may not be running because it has been started and failed, | |
| # so let's reset the state so OVAL checks pass. | |
| # Service should be 'inactive', not 'failed' after reboot though. | |
| $service_util reset-failed $service | |
| fi | |
| # Test if local variable xinetd is empty using non-bashism. | |
| # If empty, then xinetd is not being used. | |
| if [ "x$xinetd" != x ] ; then | |
| # Set 'disable = yes' when disabling and 'disable = no' when enabling. The | |
| # decision is based on $service_state (enable/disable); $service_operation | |
| # only ever holds start/stop, so comparing it against 'disable' would never match. | |
| grep -qi disable /etc/xinetd.d/$xinetd && \ | |
| if [ "$service_state" = 'disable' ] ; then | |
| sed -i "s/disable.*/disable = yes/gI" /etc/xinetd.d/$xinetd | |
| else | |
| sed -i "s/disable.*/disable = no/gI" /etc/xinetd.d/$xinetd | |
| fi | |
| fi | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_rhel7_ensure_there_are_servers_in_ntp_compatible_config_file" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function rhel7_ensure_there_are_servers_in_ntp_compatible_config_file</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function ensures that the ntp/chrony config file contains valid server entries | |
| # $1: Path to the config file | |
| # $2: Comma-separated list of servers | |
| function rhel7_ensure_there_are_servers_in_ntp_compatible_config_file { | |
| # If invoked with no arguments, exit. This is an intentional behavior. | |
| [ $# -gt 1 ] || return 0 | |
| [ $# = 2 ] || die "$0 requires zero or exactly two arguments" | |
| local _config_file="$1" _servers_list="$2" | |
| if ! grep -q '#[[:space:]]*server' "$_config_file"; then | |
| for server in $(echo "$_servers_list" | tr ',' '\n') ; do | |
| printf '\nserver %s iburst' "$server" >> "$_config_file" | |
| done | |
| else | |
| sed -i 's/#[ \t]*server/server/g' "$_config_file" | |
| fi | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_fix_audit_syscall_rule" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function fix_audit_syscall_rule</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to fix syscall audit rule for given system call. It is | |
| # based on example audit syscall rule definitions as outlined in | |
| # /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit | |
| # package. It will combine multiple system calls belonging to the same | |
| # syscall group into one audit rule (rather than to create audit rule per | |
| # different system call) to avoid audit infrastructure performance penalty | |
| # in the case of 'one-audit-rule-definition-per-one-system-call'. See: | |
| # | |
| # https://www.redhat.com/archives/linux-audit/2014-November/msg00009.html | |
| # | |
| # for further details. | |
| # | |
| # Expects five arguments (each of them is required) in the form of: | |
| # * audit tool tool used to load audit rules, | |
| # either 'auditctl' or 'augenrules' | |
| # * audit rules' pattern audit rule skeleton for same syscall | |
| # * syscall group greatest common string this rule shares | |
| # with other rules from the same group | |
| # * architecture architecture this rule is intended for | |
| # * full form of new rule to add expected full form of audit rule as to be | |
| # added into audit.rules file | |
| # | |
| # Note: The 2nd up to 4th arguments are used to determine how many existing | |
| # audit rules will be inspected for resemblance with the new audit rule | |
| # (5th argument) the function is going to add. The rule's similarity check | |
| # is performed to optimize audit.rules definition (merge syscalls of the same | |
| # group into one rule) to avoid the "single-syscall-per-audit-rule" performance | |
| # penalty. | |
| # | |
| # Example call: | |
| # | |
| # See e.g. 'audit_rules_file_deletion_events.sh' remediation script | |
| # | |
| function fix_audit_syscall_rule { | |
| # Load function arguments into local variables | |
| local tool="$1" | |
| local pattern="$2" | |
| local group="$3" | |
| local arch="$4" | |
| local full_rule="$5" | |
| # Check sanity of the input | |
| if [ $# -ne "5" ] | |
| then | |
| echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| # Create a list of audit *.rules files that should be inspected for presence and correctness | |
| # of a particular audit rule. The scheme is as follows: | |
| # | |
| # ----------------------------------------------------------------------------------------- | |
| # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | | |
| # ----------------------------------------------------------------------------------------- | |
| # auditctl | Doesn't matter | /etc/audit/audit.rules | | |
| # ----------------------------------------------------------------------------------------- | |
| # augenrules | Yes | /etc/audit/rules.d/*.rules | | |
| # augenrules | No | /etc/audit/rules.d/$key.rules | | |
| # ----------------------------------------------------------------------------------------- | |
| # | |
| declare -a files_to_inspect | |
| retval=0 | |
| # First check sanity of the specified audit tool | |
| if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ] | |
| then | |
| echo "Unknown audit rules loading tool: $1. Aborting." | |
| echo "Use either 'auditctl' or 'augenrules'!" | |
| return 1 | |
| # If audit tool is 'auditctl', then add '/etc/audit/audit.rules' | |
| # file to the list of files to be inspected | |
| elif [ "$tool" == 'auditctl' ] | |
| then | |
| files_to_inspect=("${files_to_inspect[@]}" '/etc/audit/audit.rules' ) | |
| # If audit tool is 'augenrules', then check if the audit rule is defined | |
| # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection | |
| # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection | |
| elif [ "$tool" == 'augenrules' ] | |
| then | |
| # Extract audit $key from audit rule so we can use it later | |
| key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)' '|' "$full_rule" : '.*-F[[:space:]]key=\([^[:space:]]\+\)') | |
| # Check if particular audit rule is already defined | |
| IFS=$'\n' matches=($(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules)) | |
| if [ $? -ne 0 ] | |
| then | |
| retval=1 | |
| fi | |
| # Reset IFS back to default | |
| unset IFS | |
| for match in "${matches[@]}" | |
| do | |
| files_to_inspect=("${files_to_inspect[@]}" "${match}") | |
| done | |
| # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet | |
| if [ ${#files_to_inspect[@]} -eq "0" ] | |
| then | |
| files_to_inspect="/etc/audit/rules.d/$key.rules" | |
| if [ ! -e "$files_to_inspect" ] | |
| then | |
| touch "$files_to_inspect" | |
| chmod 0640 "$files_to_inspect" | |
| fi | |
| fi | |
| fi | |
| # | |
| # Indicator that we want to append $full_rule into $audit_file by default | |
| local append_expected_rule=0 | |
| for audit_file in "${files_to_inspect[@]}" | |
| do | |
| # Filter existing $audit_file rules' definitions to select those that: | |
| # * follow the rule pattern, and | |
| # * meet the hardware architecture requirement, and | |
| # * are current syscall group specific | |
| IFS=$'\n' existing_rules=($(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file")) | |
| if [ $? -ne 0 ] | |
| then | |
| retval=1 | |
| fi | |
| # Reset IFS back to default | |
| unset IFS | |
| # Process rules found case-by-case | |
| for rule in "${existing_rules[@]}" | |
| do | |
| # Found rule is for same arch & key, but differs (e.g. in count of -S arguments) | |
| if [ "${rule}" != "${full_rule}" ] | |
| then | |
| # If so, isolate just '(-S \w)+' substring of that rule | |
| rule_syscalls=$(echo $rule | grep -o -P '(-S \w+ )+') | |
| # Check if list of '-S syscall' arguments of that rule is subset | |
| # of '-S syscall' list of expected $full_rule | |
| if grep -q -- "$rule_syscalls" <<< "$full_rule" | |
| then | |
| # Rule is covered (i.e. the list of -S syscalls for this rule is | |
| # subset of -S syscalls of $full_rule => existing rule can be deleted | |
| # Thus delete the rule from audit.rules & our array | |
| sed -i -e "\;${rule};d" "$audit_file" | |
| if [ $? -ne 0 ] | |
| then | |
| retval=1 | |
| fi | |
| existing_rules=("${existing_rules[@]//$rule/}") | |
| else | |
| # Rule isn't covered by $full_rule - it besides -S syscall arguments | |
| # for this group contains also -S syscall arguments for other syscall | |
| # group. Example: '-S lchown -S fchmod -S fchownat' => group='chown' | |
| # since 'lchown' & 'fchownat' share 'chown' substring | |
| # Therefore: | |
| # * 1) delete the original rule from audit.rules | |
| # (original '-S lchown -S fchmod -S fchownat' rule would be deleted) | |
| # * 2) delete the -S syscall arguments for this syscall group, but | |
| # keep those not belonging to this syscall group | |
| # (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod' | |
| # * 3) append the modified (filtered) rule again into audit.rules | |
| # if the same rule not already present | |
| # | |
| # 1) Delete the original rule | |
| sed -i -e "\;${rule};d" "$audit_file" | |
| if [ $? -ne 0 ] | |
| then | |
| retval=1 | |
| fi | |
| # 2) Delete syscalls for this group, but keep those from other groups | |
| # Split the rule's "-S name -S name ..." string into an array. Note that IFS here is | |
| # the set of characters '-' and 'S', not the string "-S"; syscall names are lower case, | |
| # so this still isolates each name (surrounded by whitespace; empty fields are skipped below) | |
| IFS=$'-S' read -a rule_syscalls_as_array <<< "$rule_syscalls" | |
| # Reset IFS back to default | |
| unset IFS | |
| # Declare new empty string to hold '-S syscall' arguments from other groups | |
| new_syscalls_for_rule='' | |
| # Walk through existing '-S syscall' arguments | |
| for syscall_arg in "${rule_syscalls_as_array[@]}" | |
| do | |
| # Skip empty $syscall_arg values | |
| if [ "$syscall_arg" == '' ] | |
| then | |
| continue | |
| fi | |
| # If the '-S syscall' doesn't belong to current group add it to the new list | |
| # (together with adding '-S' delimiter back for each of such item found) | |
| if grep -q -v -- "$group" <<< "$syscall_arg" | |
| then | |
| new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg" | |
| fi | |
| done | |
| # Replace original '-S syscall' list with the new one for this rule | |
| updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule} | |
| # Squeeze repeated whitespace characters in rule definition (if any) into one | |
| updated_rule=$(echo "$updated_rule" | tr -s '[:space:]') | |
| # 3) Append the modified / filtered rule again into audit.rules | |
| # (but only in case it's not present yet to prevent duplicate definitions) | |
| if ! grep -q -- "$updated_rule" "$audit_file" | |
| then | |
| echo "$updated_rule" >> "$audit_file" | |
| fi | |
| fi | |
| else | |
| # $audit_file already contains the expected rule form for this | |
| # architecture & key => don't insert it second time | |
| append_expected_rule=1 | |
| fi | |
| done | |
| # We deleted all rules that were subset of the expected one for this arch & key. | |
| # Also isolated rules containing system calls not from this system calls group. | |
| # Now append the expected rule if it's not present in $audit_file yet | |
| if [[ ${append_expected_rule} -eq "0" ]] | |
| then | |
| echo "$full_rule" >> "$audit_file" | |
| fi | |
| done | |
| return $retval | |
| } | |
| </value> | |
| </Value> | |
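The remediation above merges the syscalls of one group into a single `-S ... -S ...` rule, and the time-syscall remediation earlier on this page calls it with `stime` only for `b32`. The check a practitioner wants once the rules are in place is whether every required syscall is actually covered for each architecture, including rules written in the comma form `-S adjtimex,settimeofday`, which `auditctl` accepts and prints with `auditctl -l` but which the merge logic above does not recognise. The following is an added example, not code from the SCAP Security Guide: the rules file is constructed inline, and `rule_syscalls`, `missing_syscalls` and `make_sample_rules` are names chosen here.

```bash
#!/bin/bash
# Added example (not SSG code): report which syscalls of an audit group are
# not covered for a given architecture by the rules in a rules file.

# Print the syscall names of one audit rule line, one per line. Accepts both
# the "-S a -S b" form written by fix_audit_syscall_rule and the "-S a,b"
# form that auditctl also accepts and that "auditctl -l" prints.
rule_syscalls() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk '
        prev == "-S" { n = split($0, parts, ","); for (i = 1; i <= n; i++) print parts[i] }
        { prev = $0 }'
}

# missing_syscalls RULES_FILE ARCH SYSCALL...
# Prints the syscalls in SYSCALL... that no "-a always,exit ... -F arch=ARCH"
# rule in RULES_FILE audits (space separated, empty line if none) and returns
# 1 if anything is missing, 0 otherwise.
missing_syscalls() {
    local rules_file="$1" arch="$2" line wanted covered missing=""
    shift 2
    covered=$(grep -E -- "^-a always,exit .*-F arch=${arch}( |$)" "$rules_file" \
        | while IFS= read -r line; do rule_syscalls "$line"; done | sort -u)
    for wanted in "$@"; do
        printf '%s\n' "$covered" | grep -qx -- "$wanted" || missing="$missing $wanted"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Write a constructed rules file (not taken from any real system) and print its path.
make_sample_rules() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
## constructed sample in the style of /etc/audit/rules.d/audit_time_rules.rules
-a always,exit -F arch=b64 -S adjtimex,settimeofday -k audit_time_rules
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -k audit_time_rules
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change
EOF
    printf '%s\n' "$f"
}

demo() {
    local sample
    sample=$(make_sample_rules)
    # b32 is expected to audit stime as well; the sample does not, so this prints "stime"
    missing_syscalls "$sample" b32 adjtimex settimeofday stime
    # stime does not exist on b64, so this prints an empty line and returns 0
    missing_syscalls "$sample" b64 adjtimex settimeofday clock_settime
    rm -f "$sample"
}
demo
```

On a live system, point `missing_syscalls` at a file holding the output of `auditctl -l` rather than at the files in `/etc/audit/rules.d`: that shows what the kernel actually loaded after `augenrules --load`, and it is printed in the comma form that this parser handles.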
| <Value id="xccdf_org.ssgproject.content_value_function_perform_audit_rules_privileged_commands_remediation" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function perform_audit_rules_privileged_commands_remediation</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to perform remediation for 'audit_rules_privileged_commands' rule | |
| # | |
| # Expects two arguments: | |
| # | |
| # audit_tool tool used to load audit rules | |
| # One of 'auditctl' or 'augenrules' | |
| # | |
| # min_auid Minimum original ID the user logged in with | |
| # '500' for RHEL-6 and before, '1000' for RHEL-7 and after. | |
| # | |
| # Example Call(s): | |
| # | |
| # perform_audit_rules_privileged_commands_remediation "auditctl" "500" | |
| # perform_audit_rules_privileged_commands_remediation "augenrules" "1000" | |
| # | |
| function perform_audit_rules_privileged_commands_remediation { | |
| # | |
| # Load function arguments into local variables | |
| local tool="$1" | |
| local min_auid="$2" | |
| # Check sanity of the input | |
| if [ $# -ne "2" ] | |
| then | |
| echo "Usage: perform_audit_rules_privileged_commands_remediation 'auditctl | augenrules' '500 | 1000'" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| declare -a files_to_inspect=() | |
| # Check sanity of the specified audit tool | |
| if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ] | |
| then | |
| echo "Unknown audit rules loading tool: $1. Aborting." | |
| echo "Use either 'auditctl' or 'augenrules'!" | |
| exit 1 | |
| # If the audit tool is 'auditctl', then: | |
| # * add '/etc/audit/audit.rules'to the list of files to be inspected, | |
| # * specify '/etc/audit/audit.rules' as the output audit file, where | |
| # missing rules should be inserted | |
| elif [ "$tool" == 'auditctl' ] | |
| then | |
| files_to_inspect=("/etc/audit/audit.rules") | |
| output_audit_file="/etc/audit/audit.rules" | |
| # | |
| # If the audit tool is 'augenrules', then: | |
| # * add '/etc/audit/rules.d/*.rules' to the list of files to be inspected | |
| # (split by newline), | |
| # * specify /etc/audit/rules.d/privileged.rules' as the output file, where | |
| # missing rules should be inserted | |
| elif [ "$tool" == 'augenrules' ] | |
| then | |
| IFS=$'\n' files_to_inspect=($(find /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -print)) | |
| output_audit_file="/etc/audit/rules.d/privileged.rules" | |
| fi | |
| # Obtain the list of SUID/SGID binaries on the particular system (split by newline) | |
| # into privileged_binaries array | |
| IFS=$'\n' privileged_binaries=($(find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)) | |
| # Keep list of SUID/SGID binaries that have been already handled within some previous iteration | |
| declare -a sbinaries_to_skip=() | |
| # For each found sbinary in privileged_binaries list | |
| for sbinary in "${privileged_binaries[@]}" | |
| do | |
| # Check if this sbinary wasn't already handled in some of the previous iterations. | |
| # Compare whole path entries (grep -x on one entry per line) so that a prefix | |
| # such as /usr/bin/su does not match /usr/bin/sudo. | |
| if printf '%s\n' "${sbinaries_to_skip[@]}" | grep -qxF -- "${sbinary}" | |
| then | |
| # If so, don't process it second time & go to process next sbinary | |
| continue | |
| fi | |
| # Reset the counter of inspected files when starting to check | |
| # presence of existing audit rule for new sbinary | |
| local count_of_inspected_files=0 | |
| # Define expected rule form for this binary | |
| expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=4294967295 -k privileged" | |
| # If list of audit rules files to be inspected is empty, just add new rule and move on to next binary | |
| if [[ ${#files_to_inspect[@]} -eq 0 ]]; then | |
| echo "$expected_rule" >> "$output_audit_file" | |
| continue | |
| fi | |
| # Replace possible slash '/' character in sbinary definition so we could use it in sed expressions below | |
| sbinary_esc=${sbinary//$'/'/$'\/'} | |
| # For each audit rules file from the list of files to be inspected | |
| for afile in "${files_to_inspect[@]}" | |
| do | |
| # Search current audit rules file's content for match. Match criteria: | |
| # * existing rule is for the same SUID/SGID binary we are currently processing (but | |
| # can contain multiple -F path= elements covering multiple SUID/SGID binaries) | |
| # * existing rule contains all arguments from expected rule form (though can contain | |
| # them in arbitrary order) | |
| base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'/!d' \ | |
| -e '/-F path=[^[:space:]]\+/!d' -e '/-F perm=.*/!d' \ | |
| -e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=4294967295/!d' \ | |
| -e '/-k privileged/!d' "$afile") | |
| # Increase the count of inspected files for this sbinary | |
| count_of_inspected_files=$((count_of_inspected_files + 1)) | |
| # Require execute access type to be set for existing audit rule | |
| exec_access='x' | |
| # Search current audit rules file's content for presence of rule pattern for this sbinary | |
| if [[ $base_search ]] | |
| then | |
| # Current audit rules file already contains rule for this binary => | |
| # Store the exact form of found rule for this binary for further processing | |
| concrete_rule=$base_search | |
| # Select all other SUID/SGID binaries possibly also present in the found rule | |
| IFS=$'\n' handled_sbinaries=($(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule")) | |
| IFS=$' ' handled_sbinaries=(${handled_sbinaries[@]//-F path=/}) | |
| # Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates | |
| sbinaries_to_skip=($(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)) | |
| # Separate concrete_rule into three sections using hash '#' | |
| # sign as a delimiter around rule's permission section borders | |
| concrete_rule="$(echo "$concrete_rule" | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\)\+/\1#\2#/p")" | |
| # Split concrete_rule into head, perm, and tail sections using hash '#' delimiter | |
| IFS=$'#' read -r rule_head rule_perm rule_tail <<< "$concrete_rule" | |
| # Extract already present exact access type [r|w|x|a] from rule's permission section | |
| access_type=${rule_perm//-F perm=/} | |
| # Verify current permission access type(s) for rule contain 'x' (execute) permission | |
| if ! grep -q "$exec_access" <<< "$access_type" | |
| then | |
| # If not, append the 'x' (execute) permission to the existing access type bits | |
| access_type="$access_type$exec_access" | |
| # Reconstruct the permissions section for the rule | |
| new_rule_perm="-F perm=$access_type" | |
| # Update existing rule in current audit rules file with the new permission section | |
| sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${new_rule_perm}${rule_tail}#" "$afile" | |
| fi | |
| # If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions: | |
| # | |
| # * in the "auditctl" mode of operation insert particular rule each time | |
| # (because in this mode there's only one file -- /etc/audit/audit.rules to be inspected for presence of this rule), | |
| # | |
| # * in the "augenrules" mode of operation insert particular rule only once and only in case we have already | |
| # searched all of the files from /etc/audit/rules.d/*.rules location (since that audit rule can be defined | |
| # in any of those files and if not, we want it to be inserted only once into /etc/audit/rules.d/privileged.rules file) | |
| # | |
| elif [ "$tool" == "auditctl" ] || [[ "$tool" == "augenrules" && $count_of_inspected_files -eq "${#files_to_inspect[@]}" ]] | |
| then | |
| # Current audit rules file's content doesn't contain expected rule for this | |
| # SUID/SGID binary yet => append it | |
| echo "$expected_rule" >> "$output_audit_file" | |
| continue | |
| fi | |
| done | |
| done | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_package_remove" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function package_remove</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to remove packages on RHEL, Fedora, Debian, and possibly other systems. | |
| # | |
| # Example Call(s): | |
| # | |
| # package_remove telnet-server | |
| # | |
| function package_remove { | |
| # Load function arguments into local variables | |
| local package="$1" | |
| # Check sanity of the input | |
| if [ $# -ne "1" ] | |
| then | |
| echo "Usage: package_remove 'package_name'" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| # Use command -v instead of which so the probe doesn't print the binary's path into the remediation output | |
| if command -v dnf >/dev/null 2>&1 ; then | |
| if rpm -q --quiet "$package"; then | |
| dnf remove -y "$package" | |
| fi | |
| elif command -v yum >/dev/null 2>&1 ; then | |
| if rpm -q --quiet "$package"; then | |
| yum remove -y "$package" | |
| fi | |
| elif command -v apt-get >/dev/null 2>&1 ; then | |
| apt-get remove -y "$package" | |
| else | |
| echo "Failed to detect available packaging system, tried dnf, yum and apt-get!" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_disable_prelink" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function disable_prelink</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value>function disable_prelink { | |
| # Disable prelinking and don't even check | |
| # whether it is installed. | |
| if grep -q ^PRELINKING /etc/sysconfig/prelink | |
| then | |
| # POSIX character classes must be wrapped in a bracket expression ([[:blank:]], not [:blank:]) | |
| sed -i 's/^PRELINKING[[:blank:]]*=[[:blank:]]*[[:alpha:]]*/PRELINKING=no/' /etc/sysconfig/prelink | |
| else | |
| printf '\n' >> /etc/sysconfig/prelink | |
| printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink | |
| fi | |
| # Undo previous prelink changes to binaries if prelink is available. | |
| if test -x /usr/sbin/prelink; then | |
| /usr/sbin/prelink -ua | |
| fi | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_include_mount_options_functions" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function include_mount_options_functions</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value>function include_mount_options_functions { | |
| : | |
| } | |
| # $1: mount point | |
| # $2: new mount point option | |
| function ensure_mount_option_in_fstab { | |
| local _mount_point="$1" _new_opt="$2" _mount_point_match_regexp="" _previous_mount_opts="" | |
| _mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")" | |
| if [ $(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt" ) -eq 0 ]; then | |
| _previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}') | |
| sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab | |
| fi | |
| } | |
| # $1: mount point | |
| function get_mount_point_regexp { | |
| printf "[[:space:]]%s[[:space:]]" "$1" | |
| } | |
| # $1: mount point | |
| function assert_mount_point_in_fstab { | |
| local _mount_point_match_regexp | |
| _mount_point_match_regexp="$(get_mount_point_regexp "$1")" | |
| grep "$_mount_point_match_regexp" -q /etc/fstab \ | |
| || { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; } | |
| } | |
| # $1: mount point | |
| function remove_defaults_from_fstab_if_overriden { | |
| local _mount_point_match_regexp | |
| _mount_point_match_regexp="$(get_mount_point_regexp "$1")" | |
| if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults," | |
| then | |
| sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab | |
| fi | |
| } | |
| # $1: mount point | |
| function ensure_partition_is_mounted { | |
| local _mount_point="$1" | |
| mkdir -p "$_mount_point" || return 1 | |
| if mountpoint -q "$_mount_point"; then | |
| mount -o remount --target "$_mount_point" | |
| else | |
| mount --target "$_mount_point" | |
| fi | |
| } | |
| </value> | |
| </Value> | |
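The "append a mount option to an existing fstab entry" step above rewrites the options column with a sed expression assembled from the file's own contents. The following added example (not scap-security-guide code) performs the same step with the fstab path passed as a parameter, so it can be exercised against a constructed file instead of the live /etc/fstab; the function names `ensure_fstab_option` and `fstab_options` are this example's own. The options column is rewritten with awk, comparing whole comma-separated items so that `dev` is never mistaken for `nodev`, and the call is idempotent.

```shell
#!/bin/sh
# Added example, not scap-security-guide code: the "append a mount option to an
# existing fstab entry" step of ensure_mount_option_in_fstab, with the fstab
# path passed as a parameter so it can be run on a constructed file.

# $1: fstab file, $2: mount point, $3: option to add (e.g. nosuid)
ensure_fstab_option() {
    _fstab="$1" _mp="$2" _opt="$3"
    # Refuse to work on a file that has no entry for the mount point
    # (the guide's assert_mount_point_in_fstab makes the same check).
    awk -v mp="$_mp" '$1 !~ /^#/ && $2 == mp { found = 1 } END { exit !found }' "$_fstab" \
        || { echo "The mount point '$_mp' is not in $_fstab" >&2; return 1; }
    _tmp="$(mktemp)" || return 1
    awk -v mp="$_mp" -v opt="$_opt" '
        # Touch only the options column (4th field) of the matching entry.
        $1 !~ /^#/ && $2 == mp {
            n = split($4, cur, ",")
            have = 0
            # Compare whole comma-separated items so "dev" never matches "nodev".
            for (i = 1; i <= n; i++) if (cur[i] == opt) have = 1
            if (!have) $4 = $4 "," opt
        }
        { print }
    ' "$_fstab" > "$_tmp" && cat "$_tmp" > "$_fstab"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# $1: fstab file, $2: mount point: prints the options column of that entry
fstab_options() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }' "$1"
}
```

Writing the result back with `cat "$_tmp" > "$_fstab"` rather than `mv` keeps the original file's inode, ownership and mode, which matters for a file that the boot process reads.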
| <Value id="xccdf_org.ssgproject.content_value_function_set_faillock_option_to_value_in_pam_file" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function set_faillock_option_to_value_in_pam_file</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value>function set_faillock_option_to_value_in_pam_file { | |
| # If invoked with no arguments, exit. This is an intentional behavior. | |
| [ $# -gt 0 ] || return 0 | |
| [ $# -ge 3 ] || die "$0 requires exactly zero, three, or four arguments" | |
| [ $# -le 4 ] || die "$0 requires exactly zero, three, or four arguments" | |
| local _pamFile="$1" _option="$2" _value="$3" _insert_lines_callback="$4" | |
| # pam_faillock.so already present? | |
| if grep -q "^auth.*pam_faillock.so.*" "$_pamFile"; then | |
| # pam_faillock.so present, is the option present? | |
| # '[default=die]' is escaped so the brackets match literally instead of forming a bracket expression | |
| if grep -q "^auth.*\[default=die\].*pam_faillock.so.*authfail.*$_option=" "$_pamFile"; then | |
| # both pam_faillock.so & option present, just correct option to the right value | |
| sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\($_option *= *\).*/\1\2$_value/" "$_pamFile" | |
| sed -i --follow-symlinks "s/\(^auth.*\[default=die\].*pam_faillock.so.*authfail.*\)\($_option *= *\).*/\1\2$_value/" "$_pamFile" | |
| # pam_faillock.so present, but the option not yet | |
| else | |
| # append correct option value to appropriate places | |
| sed -i --follow-symlinks "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ $_option=$_value/" "$_pamFile" | |
| sed -i --follow-symlinks "/^auth.*\[default=die\].*pam_faillock.so.*authfail.*/ s/$/ $_option=$_value/" "$_pamFile" | |
| fi | |
| # pam_faillock.so not present yet | |
| else | |
| test -z "$_insert_lines_callback" || "$_insert_lines_callback" "$_option" "$_value" "$_pamFile" | |
| # insert pam_faillock.so preauth & authfail rows with proper value of the option in question | |
| fi | |
| } | |
| </value> | |
| </Value> | |
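The function above has to keep the `preauth` and `authfail` lines of pam_faillock in step: if the option is already on the line only its value is corrected, otherwise the option is appended. The following added example (not scap-security-guide code) isolates that logic with the PAM file passed as a parameter, so it runs against a constructed stack instead of /etc/pam.d/system-auth; the function names `set_faillock_option` and `faillock_option_value` are this example's own, and both pam_faillock lines are assumed to exist already. It also shows why `[default=die]` needs its brackets escaped in the regular expressions.

```shell
#!/bin/sh
# Added example, not scap-security-guide code: the "correct the value if the
# option is present, append it otherwise" logic of
# set_faillock_option_to_value_in_pam_file, with the PAM file passed as a
# parameter. Both pam_faillock lines are assumed to exist already.

# $1: PAM file, $2: option name (e.g. deny), $3: value
set_faillock_option() {
    _pam="$1" _opt="$2" _val="$3"
    # Anchors for the preauth and authfail lines. "[default=die]" is a PAM
    # control token, so its brackets are escaped: left unescaped they form a
    # bracket expression matching any one of the characters d,e,f,a,u,l,t,=,i.
    _preauth='^auth.*required.*pam_faillock\.so.*preauth'
    _authfail='^auth.*\[default=die\].*pam_faillock\.so.*authfail'
    grep -q "$_preauth" "$_pam" && grep -q "$_authfail" "$_pam" \
        || { echo "pam_faillock preauth/authfail lines missing in $_pam" >&2; return 1; }
    for _line in "$_preauth" "$_authfail"; do
        if grep -q "${_line}.*[[:space:]]${_opt}=" "$_pam"; then
            # Option already present on this line: replace only its value.
            sed -i "s/\(${_line}.*[[:space:]]${_opt}=\)[^[:space:]]*/\1${_val}/" "$_pam"
        else
            # Option absent: append it to the end of this line.
            sed -i "/${_line}/ s/\$/ ${_opt}=${_val}/" "$_pam"
        fi
    done
}

# $1: PAM file, $2: option name: prints the value set on the authfail line
faillock_option_value() {
    sed -n "/^auth.*\[default=die\].*pam_faillock\.so.*authfail/ s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" "$1"
}
```

The option name is matched only after whitespace (`[[:space:]]deny=`), so a `deny=` option cannot be confused with a longer option that merely ends in the same letters; the values passed in are expected to be plain numbers or words, as `&` or `/` in a value would need escaping for sed.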
| <Value id="xccdf_org.ssgproject.content_value_function_firefox_js_setting" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function firefox_js_setting</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to replace configuration setting(s) in the Firefox preferences JavaScript file or add the | |
| # preference if it does not exist. | |
| # | |
| # Expects three arguments: | |
| # | |
| # config_file: Configuration file that will be modified | |
| # key: Configuration option to change | |
| # value: Value of the configuration option to change | |
| # | |
| # | |
| # Example Call(s): | |
| # | |
| # Without string or variable: | |
| # firefox_js_setting "stig_settings.js" "general.config.obscure_value" "0" | |
| # | |
| # With string: | |
| # firefox_js_setting "stig_settings.js" "general.config.filename" "\"stig.cfg\"" | |
| # | |
| # With a string variable: | |
| # firefox_js_setting "stig_settings.js" "general.config.filename" "\"$var_config_file_name\"" | |
| # | |
| function firefox_js_setting { | |
| local firefox_js=$1 | |
| local key=$2 | |
| local value=$3 | |
| local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" | |
| local firefox_pref="/defaults/pref" | |
| local firefox_preferences="/defaults/preferences" | |
| # Check sanity of input | |
| if [ $# -lt "3" ] | |
| then | |
| echo "Usage: firefox_js_setting 'config_javascript_file' 'key_to_search' 'new_value'" | |
| echo | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| # Check the possible Firefox install directories | |
| for firefox_dir in ${firefox_dirs}; do | |
| # If the Firefox directory exists, then Firefox is installed | |
| if [ -d "${firefox_dir}" ]; then | |
| # Different versions of Firefox have different preferences directories, check for them and set the right one | |
| if [ -d "${firefox_dir}/${firefox_pref}" ] ; then | |
| local firefox_pref_dir="${firefox_dir}/${firefox_pref}" | |
| elif [ -d "${firefox_dir}/${firefox_preferences}" ] ; then | |
| local firefox_pref_dir="${firefox_dir}/${firefox_preferences}" | |
| else | |
| mkdir -m 755 -p "${firefox_dir}/${firefox_preferences}" | |
| local firefox_pref_dir="${firefox_dir}/${firefox_preferences}" | |
| fi | |
| # Make sure the Firefox .js file exists and has the appropriate permissions | |
| if ! [ -f "${firefox_pref_dir}/${firefox_js}" ] ; then | |
| touch "${firefox_pref_dir}/${firefox_js}" | |
| chmod 644 "${firefox_pref_dir}/${firefox_js}" | |
| fi | |
| # If the key exists, change it. Otherwise, add it to the config_file. | |
| if grep -q "^pref(\"${key}\", " "${firefox_pref_dir}/${firefox_js}" ; then | |
| sed -i "s/pref(\"${key}\".*/pref(\"${key}\", ${value});/g" "${firefox_pref_dir}/${firefox_js}" | |
| else | |
| echo "pref(\"${key}\", ${value});" >> "${firefox_pref_dir}/${firefox_js}" | |
| fi | |
| fi | |
| done | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_include_dconf_settings" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function include_dconf_settings</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value>function include_dconf_settings { | |
| : | |
| } | |
| # Function to configure DConf settings for RHEL and Fedora systems. | |
| # | |
| # Example Call(s): | |
| # | |
| # dconf_settings 'org/gnome/login-screen' 'banner-message-enable' 'true' 'local.d' '10-banner' | |
| # | |
| function dconf_settings { | |
| local _path=$1 _key=$2 _value=$3 _db=$4 _settingFile=$5 | |
| # Check sanity of the input | |
| if [ $# -ne "5" ] | |
| then | |
| echo "Usage: dconf_settings 'dconf_path' 'dconf_key' 'dconf_value' 'dconf_db' 'dconf_settingsfile'" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| # Check for setting in any of the DConf db directories | |
| SETTINGSFILES=($(grep -r "\[${_path}]" "/etc/dconf/db/" | grep -v "distro\|ibus" | cut -d":" -f1)) | |
| DCONFFILE="/etc/dconf/db/${_db}/${_settingFile}" | |
| DBDIR="/etc/dconf/db/${_db}" | |
| mkdir -p "${DBDIR}" | |
| if [[ -z "${SETTINGSFILES[@]}" ]] | |
| then | |
| # Separate the new section from any content already in the file | |
| [ ! -e "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}" | |
| echo "[${_path}]" >> "${DCONFFILE}" | |
| echo "${_key}=${_value}" >> "${DCONFFILE}" | |
| else | |
| if grep -q "${_key}" "${SETTINGSFILES[@]}" | |
| then | |
| sed -i "s/${_key}\s*=\s*.*/${_key}=${_value}/g" "${SETTINGSFILES[@]}" | |
| else | |
| sed -i "\|\[${_path}]|a\\${_key}=${_value}" "${SETTINGSFILES[@]}" | |
| fi | |
| fi | |
| } | |
| # Function to configure DConf locks for RHEL and Fedora systems. | |
| # | |
| # Example Call(s): | |
| # | |
| # dconf_lock 'org/gnome/login-screen' 'banner-message-enable' 'local.d' 'banner' | |
| # | |
| function dconf_lock { | |
| local _key=$1 _setting=$2 _db=$3 _lockFile=$4 | |
| # Check sanity of the input | |
| if [ $# -ne "4" ] | |
| then | |
| echo "Usage: dconf_lock 'dconf_path' 'dconf_setting' 'dconf_db' 'dconf_lockfile'" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| # Check for setting in any of the DConf db directories | |
| LOCKFILES=$(grep -r "^/${_key}/${_setting}$" "/etc/dconf/db/" | grep -v "distro\|ibus" | cut -d":" -f1) | |
| LOCKSFOLDER="/etc/dconf/db/${_db}/locks" | |
| mkdir -p "${LOCKSFOLDER}" | |
| if [[ -z "${LOCKFILES}" ]] | |
| then | |
| echo "/${_key}/${_setting}" >> "/etc/dconf/db/${_db}/locks/${_lockFile}" | |
| fi | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_rhel6_perform_audit_adjtimex_settimeofday_stime_remediation" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function rhel6_perform_audit_adjtimex_settimeofday_stime_remediation</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to fix syscall audit rule for given system call. It is | |
| # based on example audit syscall rule definitions as outlined in | |
| # /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit | |
| # package. It will combine multiple system calls belonging to the same | |
| # syscall group into one audit rule (rather than to create audit rule per | |
| # different system call) to avoid audit infrastructure performance penalty | |
| # in the case of 'one-audit-rule-definition-per-one-system-call'. See: | |
| # | |
| # https://www.redhat.com/archives/linux-audit/2014-November/msg00009.html | |
| # | |
| # for further details. | |
| # | |
| # Expects five arguments (each of them is required) in the form of: | |
| # * audit tool tool used to load audit rules, | |
| # either 'auditctl', or 'augenrules' | |
| # * audit rules' pattern audit rule skeleton for same syscall | |
| # * syscall group greatest common string this rule shares | |
| # with other rules from the same group | |
| # * architecture architecture this rule is intended for | |
| # * full form of new rule to add expected full form of audit rule as to be | |
| # added into audit.rules file | |
| # | |
| # Note: The 2nd up to 4th arguments are used to determine how many existing | |
| # audit rules will be inspected for resemblance with the new audit rule | |
| # (5th argument) the function is going to add. The rule's similarity check | |
| # is performed to optimize audit.rules definition (merge syscalls of the same | |
| # group into one rule) to avoid the "single-syscall-per-audit-rule" performance | |
| # penalty. | |
| # | |
| # Example call: | |
| # | |
| # See e.g. 'audit_rules_file_deletion_events.sh' remediation script | |
| # | |
| function fix_audit_syscall_rule { | |
| # Load function arguments into local variables | |
| local tool="$1" | |
| local pattern="$2" | |
| local group="$3" | |
| local arch="$4" | |
| local full_rule="$5" | |
| # Check sanity of the input | |
| if [ $# -ne "5" ] | |
| then | |
| echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| # Create a list of audit *.rules files that should be inspected for presence and correctness | |
| # of a particular audit rule. The scheme is as follows: | |
| # | |
| # ----------------------------------------------------------------------------------------- | |
| # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | | |
| # ----------------------------------------------------------------------------------------- | |
| # auditctl | Doesn't matter | /etc/audit/audit.rules | | |
| # ----------------------------------------------------------------------------------------- | |
| # augenrules | Yes | /etc/audit/rules.d/*.rules | | |
| # augenrules | No | /etc/audit/rules.d/$key.rules | | |
| # ----------------------------------------------------------------------------------------- | |
| # | |
| declare -a files_to_inspect | |
| retval=0 | |
| # First check sanity of the specified audit tool | |
| if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ] | |
| then | |
| echo "Unknown audit rules loading tool: $1. Aborting." | |
| echo "Use either 'auditctl' or 'augenrules'!" | |
| return 1 | |
| # If audit tool is 'auditctl', then add '/etc/audit/audit.rules' | |
| # file to the list of files to be inspected | |
| elif [ "$tool" == 'auditctl' ] | |
| then | |
| files_to_inspect=("${files_to_inspect[@]}" '/etc/audit/audit.rules' ) | |
| # If audit tool is 'augenrules', then check if the audit rule is defined | |
| # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection | |
| # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection | |
| elif [ "$tool" == 'augenrules' ] | |
| then | |
| # Extract audit $key from audit rule so we can use it later | |
| key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)' '|' "$full_rule" : '.*-F[[:space:]]key=\([^[:space:]]\+\)') | |
| # Check if particular audit rule is already defined | |
| IFS=$'\n' matches=($(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules)) | |
| if [ $? -ne 0 ] | |
| then | |
| retval=1 | |
| fi | |
| # Reset IFS back to default | |
| unset IFS | |
| for match in "${matches[@]}" | |
| do | |
| files_to_inspect=("${files_to_inspect[@]}" "${match}") | |
| done | |
| # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet | |
| if [ ${#files_to_inspect[@]} -eq "0" ] | |
| then | |
| files_to_inspect="/etc/audit/rules.d/$key.rules" | |
| if [ ! -e "$files_to_inspect" ] | |
| then | |
| touch "$files_to_inspect" | |
| chmod 0640 "$files_to_inspect" | |
| fi | |
| fi | |
| fi | |
| # | |
| # Indicator that we want to append $full_rule into $audit_file by default | |
| local append_expected_rule=0 | |
| for audit_file in "${files_to_inspect[@]}" | |
| do | |
| # Filter existing $audit_file rules' definitions to select those that: | |
| # * follow the rule pattern, and | |
| # * meet the hardware architecture requirement, and | |
| # * are current syscall group specific | |
| IFS=$'\n' existing_rules=($(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file")) | |
| if [ $? -ne 0 ] | |
| then | |
| retval=1 | |
| fi | |
| # Reset IFS back to default | |
| unset IFS | |
| # Process rules found case-by-case | |
| for rule in "${existing_rules[@]}" | |
| do | |
| # Found rule is for same arch & key, but differs (e.g. in count of -S arguments) | |
| if [ "${rule}" != "${full_rule}" ] | |
| then | |
| # If so, isolate just '(-S \w)+' substring of that rule | |
| rule_syscalls=$(echo "$rule" | grep -o -P '(-S \w+ )+') | |
| # Check if list of '-S syscall' arguments of that rule is subset | |
| # of '-S syscall' list of expected $full_rule | |
| if grep -q -- "$rule_syscalls" <<< "$full_rule" | |
| then | |
| # Rule is covered (i.e. the list of -S syscalls for this rule is | |
| # subset of -S syscalls of $full_rule => existing rule can be deleted | |
| # Thus delete the rule from audit.rules & our array | |
| sed -i -e "\;${rule};d" "$audit_file" | |
| if [ $? -ne 0 ] | |
| then | |
| retval=1 | |
| fi | |
| existing_rules=("${existing_rules[@]//$rule/}") | |
| else | |
| # Rule isn't covered by $full_rule: besides the -S syscall arguments | |
| # for this group it also contains -S syscall arguments for another | |
| # syscall group. Example: '-S lchown -S fchmod -S fchownat' with group='chown' | |
| # (since 'lchown' & 'fchownat' share the 'chown' substring). | |
| # Therefore: | |
| # * 1) delete the original rule from audit.rules | |
| # (the original '-S lchown -S fchmod -S fchownat' rule is deleted) | |
| # * 2) drop the -S syscall arguments belonging to this syscall group, but | |
| # keep those that don't belong to it | |
| # (the original '-S lchown -S fchmod -S fchownat' becomes '-S fchmod') | |
| # * 3) append the modified (filtered) rule to audit.rules again, | |
| # unless the same rule is already present | |
| # | |
| # 1) Delete the original rule | |
| sed -i -e "\;${rule};d" "$audit_file" | |
| if [ $? -ne 0 ] | |
| then | |
| retval=1 | |
| fi | |
| # 2) Delete syscalls for this group, but keep those from other groups | |
| # Convert current rule syscall's string into array splitting by '-S' delimiter | |
| IFS=$'-S' read -a rule_syscalls_as_array <<< "$rule_syscalls" | |
| # Reset IFS back to default | |
| unset IFS | |
| # Declare new empty string to hold '-S syscall' arguments from other groups | |
| new_syscalls_for_rule='' | |
| # Walk through existing '-S syscall' arguments | |
| for syscall_arg in "${rule_syscalls_as_array[@]}" | |
| do | |
| # Skip empty $syscall_arg values | |
| if [ "$syscall_arg" == '' ] | |
| then | |
| continue | |
| fi | |
| # If the '-S syscall' doesn't belong to current group add it to the new list | |
| # (together with adding '-S' delimiter back for each of such item found) | |
| if grep -q -v -- "$group" <<< "$syscall_arg" | |
| then | |
| new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg" | |
| fi | |
| done | |
| # Replace original '-S syscall' list with the new one for this rule | |
| updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule} | |
| # Squeeze repeated whitespace characters in rule definition (if any) into one | |
| updated_rule=$(echo "$updated_rule" | tr -s '[:space:]') | |
| # 3) Append the modified / filtered rule again into audit.rules | |
| # (but only in case it's not present yet to prevent duplicate definitions) | |
| if ! grep -q -- "$updated_rule" "$audit_file" | |
| then | |
| echo "$updated_rule" >> "$audit_file" | |
| fi | |
| fi | |
| else | |
| # $audit_file already contains the expected rule form for this | |
| # architecture & key => don't insert it second time | |
| append_expected_rule=1 | |
| fi | |
| done | |
| # We deleted all rules that were subset of the expected one for this arch & key. | |
| # Also isolated rules containing system calls not from this system calls group. | |
| # Now append the expected rule if it's not present in $audit_file yet | |
| if [[ ${append_expected_rule} -eq "0" ]] | |
| then | |
| echo "$full_rule" >> "$audit_file" | |
| fi | |
| done | |
| return $retval | |
| } | |
| # Perform the remediation for the 'adjtimex', 'settimeofday', and 'stime' audit | |
| # system calls on Red Hat Enterprise Linux 6 OS | |
| function rhel6_perform_audit_adjtimex_settimeofday_stime_remediation { | |
| # Retrieve hardware architecture of the underlying system | |
| [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") | |
| for ARCH in "${RULE_ARCHS[@]}" | |
| do | |
| PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *" | |
| # Create expected audit group and audit rule form for particular system call & architecture | |
| if [ ${ARCH} = "b32" ] | |
| then | |
| # the stime system call exists on 32-bit arch (see the output of "ausyscall i386 stime"), | |
| # so append it to the list of time group system calls to be audited | |
| GROUP="\(adjtimex\|settimeofday\|stime\)" | |
| FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules" | |
| elif [ ${ARCH} = "b64" ] | |
| then | |
| # the stime system call doesn't exist on 64-bit arch (see the output of "ausyscall x86_64 stime"), | |
| # therefore don't add it to the list of time group system calls to be audited | |
| GROUP="\(adjtimex\|settimeofday\)" | |
| FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules" | |
| fi | |
| # Perform the remediation itself | |
| fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" | |
| done | |
| } | |
| </value> | |
| </Value> | |
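The core of fix_audit_syscall_rule above is the merge step: an existing rule for the same architecture and key has the syscalls of the current group removed, is kept only if other groups' syscalls remain, and the expected rule is then appended once. The following added example (not scap-security-guide code) reduces that step to a single rules file passed as a parameter, so it can be run on a constructed file rather than on /etc/audit/rules.d; the function name `merge_audit_syscall_rule` is this example's own. It assumes rules of the shape the PATTERN above describes, `-a always,exit -F arch=ARCH -S name [-S name ...] -k KEY`, and takes the group as a grep basic regular expression, exactly as the guide's GROUP values (for example `\(adjtimex\|settimeofday\)`) are written. Unlike the original it never builds a sed address from a rule's own text, and it handles the case where filtering leaves a rule with no syscalls at all by dropping it instead of writing a rule with no -S arguments.

```shell
#!/bin/sh
# Added example, not scap-security-guide code: the syscall-merging core of
# fix_audit_syscall_rule, reduced to one rules file passed as a parameter.
# Rules are assumed to look like "-a always,exit -F arch=ARCH -S name ... -k KEY".

# $1: rules file, $2: syscall group (grep BRE, e.g. 'chown'), $3: arch (b32/b64),
# $4: expected full rule for this group and arch
merge_audit_syscall_rule() {
    _file="$1" _group="$2" _arch="$3" _full="$4"
    _key="${_full##* -k }"                  # key is the last "-k" argument
    _prefix="-a always,exit -F arch=$_arch"
    _tmp="$(mktemp)" || return 1
    _found=0
    while IFS= read -r _rule || [ -n "$_rule" ]; do
        case "$_rule" in
            "$_full")
                # Expected rule already present: keep it, never append it twice.
                _found=1; printf '%s\n' "$_rule" >> "$_tmp"; continue ;;
            "$_prefix -S "*" -k $_key") ;;  # same arch and key: candidate for merging
            *)  printf '%s\n' "$_rule" >> "$_tmp"; continue ;;
        esac
        # Isolate the "-S a -S b" list, then keep only syscalls of other groups.
        _syscalls="${_rule#"$_prefix" }"; _syscalls="${_syscalls% -k *}"
        _keep=""
        for _tok in $_syscalls; do
            [ "$_tok" = "-S" ] && continue
            if ! printf '%s\n' "$_tok" | grep -q -- "$_group"; then
                _keep="$_keep -S $_tok"
            fi
        done
        # This group's syscalls are now covered by the expected rule, so the old
        # rule is rewritten without them, or dropped if nothing is left.
        if [ -n "$_keep" ]; then
            printf '%s\n' "$_prefix$_keep -k $_key" >> "$_tmp"
        fi
    done < "$_file"
    if [ "$_found" -eq 0 ]; then
        printf '%s\n' "$_full" >> "$_tmp"
    fi
    cat "$_tmp" > "$_file" && rm -f "$_tmp"
}
```

Running the function twice with the same arguments leaves the file unchanged, which is the property a remediation script needs so that repeated scans and fixes do not accumulate duplicate rules.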
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_intro"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Introduction</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The purpose of this guidance is to provide security configuration | |
| recommendations and baselines for the Fedora operating | |
| system. Recommended settings for the basic operating system are provided, | |
| as well as for many network services that the system can provide to other systems. | |
| The guide is intended for system administrators. Readers are assumed to | |
| possess basic system administration skills for Unix-like systems, as well | |
| as some familiarity with the product's documentation and administration | |
| conventions. Some instructions within this guide are complex. | |
| All directions should be followed completely and with understanding of | |
| their effects in order to avoid serious adverse effects on the system | |
| and its security.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_general-principles"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">General Principles</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The following general principles motivate much of the advice in this | |
| guide and should also influence any configuration decisions that are | |
| not explicitly covered.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_principle-least-privilege"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Least Privilege</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Grant the least privilege necessary for user accounts and software to perform tasks. | |
| For example, <html:code xmlns:html="http://www.w3.org/1999/xhtml">sudo</html:code> can be implemented to limit authorization to super user | |
| accounts on the system only to designated personnel. Another example is to limit | |
| logins on server systems to only those administrators who need to log into them in | |
| order to perform administration tasks. Using SELinux also follows the principle of | |
| least privilege: SELinux policy can confine software to perform only actions on the | |
| system that are specifically allowed. This can be far more restrictive than the | |
| actions permissible by the traditional Unix permissions model.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_principle-minimize-software"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimize Software to Minimize Vulnerability</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The simplest way to avoid vulnerabilities in software is to avoid | |
| installing that software. On Fedora, the RPM Package Manager (originally Red Hat Package Manager, abbreviated RPM) | |
| allows for careful management of | |
| the set of software packages installed on a system. Installed software | |
| contributes to system vulnerability in several ways. Packages that | |
| include setuid programs may provide local attackers a potential path to | |
| privilege escalation. Packages that include network services may give | |
| this opportunity to network-based attackers. Packages that include | |
| programs which are predictably executed by local users (e.g. after | |
| graphical login) may provide opportunities for trojan horses or other | |
| attack code to be run undetected. The number of software packages | |
| installed on a system can almost always be significantly pruned to include | |
| only the software for which there is an environmental or operational need.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Encrypt Transmitted Data Whenever Possible</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Data transmitted over a network, whether wired or wireless, is susceptible | |
| to passive monitoring. Whenever practical solutions for encrypting | |
| such data exist, they should be applied. Even if data is expected to | |
| be transmitted only over a local network, it should still be encrypted. | |
| Encrypting authentication data, such as passwords, is particularly | |
| important. Networks of Fedora machines can and should be configured | |
| so that no unencrypted authentication data is ever transmitted between | |
| machines.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_principle-use-security-tools"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Security Tools to Improve System Robustness</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Several tools exist which can be effectively used to improve a system's | |
| resistance to and detection of unknown attacks. These tools can improve | |
| robustness against attack at the cost of relatively little configuration | |
| effort. In particular, this guide recommends and discusses the use of | |
| host-based firewalling, SELinux for protection against | |
| vulnerable services, and a logging and auditing infrastructure for | |
| detection of problems.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_principle-separate-servers"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Run Different Network Services on Separate Systems</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Whenever possible, a server should be dedicated to serving exactly one | |
| network service. This limits the number of other services that can | |
| be compromised in the event that an attacker is able to successfully | |
| exploit a software flaw in one network service.</description> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_how-to-use"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">How to Use This Guide</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Readers should heed the following points when using the guide.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_intro-read-sections-completely"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Read Sections Completely and in Order</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Each section may build on information and recommendations discussed in | |
| prior sections. Each section should be read and understood completely; | |
| instructions should never be blindly applied. Relevant discussion may | |
| occur after instructions for an action.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_intro-reboot-required"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Reboot Required</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A system reboot is implicitly required after some actions in order to | |
| complete the reconfiguration of the system. In many cases, the changes | |
| will not take effect until a reboot is performed. In order to ensure | |
| that changes are applied properly and to test functionality, always | |
| reboot the system after applying a set of recommendations from this guide.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_intro-test-non-production"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Test in Non-Production Environment</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guidance should always be tested in a non-production environment | |
| before deployment. This test environment should simulate the setup in | |
| which the system will be deployed as closely as possible.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_intro-formatting-conventions"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Formatting Conventions</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Commands intended for shell execution, as well as configuration file text, | |
| are featured in a <html:code xmlns:html="http://www.w3.org/1999/xhtml">monospace font</html:code>. <html:i xmlns:html="http://www.w3.org/1999/xhtml">Italics</html:i> are used | |
| to indicate instances where the system administrator must substitute | |
| the appropriate information into a command or configuration file.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_intro-root-shell-assumed"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Root Shell Environment Assumed</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Most of the actions listed in this document are written with the | |
| assumption that they will be executed by the root user running the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/bin/bash</html:code> shell. Commands preceded with a hash mark (#) | |
| assume that the administrator will execute the commands as root, i.e. | |
| apply the command via <html:code xmlns:html="http://www.w3.org/1999/xhtml">sudo</html:code> whenever possible, or use | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">su</html:code> to gain root privileges if <html:code xmlns:html="http://www.w3.org/1999/xhtml">sudo</html:code> cannot be | |
| used. Commands which can be executed as a non-root user are preceded | |
| by a dollar sign ($) prompt.</description> | |
| </Group> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_services"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Services</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The best protection against vulnerable software is running less software. This section describes how to review | |
| the software which Fedora installs on a system and disable software which is not needed. It | |
| then enumerates the software packages installed on a default Fedora system and provides guidance about which | |
| ones can be safely disabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Fedora provides a convenient minimal install option that essentially installs the bare necessities for a functional | |
| system. When building Fedora systems, it is highly recommended to select the minimal packages and then build up | |
| the system from there.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_cron_and_at"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Cron and At Daemons</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The cron and at services are used to allow commands to | |
| be executed at a later time. The cron service is required by almost | |
| all systems to perform necessary maintenance tasks, while at may or | |
| may not be required on a given system. Both daemons should be | |
| configured defensively.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_restrict_at_cron_users"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict at and cron to Authorized Users if Necessary</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/cron.allow</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/at.allow</html:code> files contain lists of | |
| users who are allowed to use <html:code xmlns:html="http://www.w3.org/1999/xhtml">cron</html:code> and at to delay execution of | |
| processes. If these files exist and if the corresponding files | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/cron.deny</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/at.deny</html:code> do not exist, then only users | |
| listed in the relevant allow files can run the crontab and <html:code xmlns:html="http://www.w3.org/1999/xhtml">at</html:code> commands | |
| to submit jobs to be run at scheduled intervals. On many systems, only the | |
| system administrator needs the ability to schedule jobs. Note that even if a | |
| given user is not listed in <html:code xmlns:html="http://www.w3.org/1999/xhtml">cron.allow</html:code>, cron jobs can still be run as | |
| that user. The <html:code xmlns:html="http://www.w3.org/1999/xhtml">cron.allow</html:code> file controls only administrative access | |
| to the crontab command for scheduling and modifying cron jobs. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| To restrict <html:code xmlns:html="http://www.w3.org/1999/xhtml">at</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">cron</html:code> to only authorized users: | |
| <html:ul xmlns:html="http://www.w3.org/1999/xhtml"><html:li>Remove the <html:code>cron.deny</html:code> file:<html:pre>$ sudo rm /etc/cron.deny</html:pre></html:li><html:li>Edit <html:code>/etc/cron.allow</html:code>, adding one line for each user allowed to use | |
| the crontab command to create cron jobs.</html:li><html:li>Remove the <html:code>at.deny</html:code> file:<html:pre>$ sudo rm /etc/at.deny</html:pre></html:li><html:li>Edit <html:code>/etc/at.allow</html:code>, adding one line for each user allowed to use | |
| the at command to create at jobs.</html:li></html:ul></description> | |
| </Group> | |
| <Rule id="xccdf_org.ssgproject.content_rule_service_atd_disabled" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable At Service (atd)</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">at</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">batch</html:code> commands can be used to | |
| schedule tasks that are meant to be executed only once. This allows delayed | |
| execution in a manner similar to cron, except that it is not | |
| recurring. The daemon <html:code xmlns:html="http://www.w3.org/1999/xhtml">atd</html:code> keeps track of tasks scheduled via | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">at</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">batch</html:code>, and executes them at the specified time. | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">atd</html:code> service can be disabled with the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo systemctl disable atd.service</html:pre></description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">atd</html:code> service could be used by an unsophisticated insider to carry | |
| out activities outside of a normal login session, which could complicate | |
| accountability. Furthermore, the need to schedule tasks with <html:code xmlns:html="http://www.w3.org/1999/xhtml">at</html:code> or | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">batch</html:code> is not common.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-service_atd_disabled_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_service_crond_enabled" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable cron Service</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">crond</html:code> service is used to execute commands at | |
| preconfigured times. It is required by almost all systems to perform necessary | |
| maintenance tasks, such as notifying root of system activity. | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">crond</html:code> service can be enabled with the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo systemctl enable crond.service</html:pre></description> | |
| <reference href="">5.1.1</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Due to its usage for maintenance and security-supporting tasks, | |
| enabling the cron daemon is essential.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="service_crond_enabled" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| SYSTEMCTL_EXEC='/usr/bin/systemctl' | |
| "$SYSTEMCTL_EXEC" start 'crond.service' | |
| "$SYSTEMCTL_EXEC" enable 'crond.service' | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="service_crond_enabled" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: Enable service crond | |
|   service: | |
|     name: "{{item}}" | |
|     enabled: "yes" | |
|     state: "started" | |
|   with_items: | |
|     - crond | |
|   tags: | |
|     - service_crond_enabled | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
|     - NIST-800-53-CM-7 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-service_crond_enabled:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-service_crond_enabled_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_disable_anacron" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable anacron Service</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">cronie-anacron</html:code> package, which provides <html:code xmlns:html="http://www.w3.org/1999/xhtml">anacron</html:code> functionality, is installed by default. The <html:code xmlns:html="http://www.w3.org/1999/xhtml">cronie-anacron</html:code> package can be removed with the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo dnf erase cronie-anacron</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">anacron</html:code> service provides <html:code xmlns:html="http://www.w3.org/1999/xhtml">cron</html:code> functionality for systems | |
| such as laptops and workstations that may be shut down during the normal times | |
| that <html:code xmlns:html="http://www.w3.org/1999/xhtml">cron</html:code> jobs are scheduled to run. On systems which do not require this | |
| additional functionality, <html:code xmlns:html="http://www.w3.org/1999/xhtml">anacron</html:code> could needlessly increase the possible | |
| attack surface for an intruder.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-disable_anacron_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_mail"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Mail Server Software</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Mail servers are used to send and receive email over the network. | |
| Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious | |
| targets of network attack. | |
| Ensure that systems are not running MTAs unnecessarily, | |
| and configure needed MTAs as defensively as possible. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Very few systems at any site should be configured to directly receive email over the | |
| network. Users should instead use mail client programs to retrieve email | |
| from a central server that supports protocols such as IMAP or POP3. | |
| However, it is normal for most systems to be independently capable of sending email, | |
| for instance so that cron jobs can report output to an administrator. | |
| Most MTAs, including Postfix, support a submission-only mode in which mail can be sent from | |
| the local system to a central site MTA (or directly delivered to a local account), | |
| but the system still cannot receive mail directly over a network. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">alternatives</html:code> program in Red Hat Enterprise Linux permits selection of other mail server software | |
| (such as Sendmail), but Postfix is the default and is preferred. | |
| Postfix was coded with security in mind and can also be more effectively contained by | |
| SELinux as its modular design has resulted in separate processes performing specific actions. | |
| More information is available on its website, | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://www.postfix.org">http://www.postfix.org</html:a>.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_postfix_client"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure SMTP For Mail Clients</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This section discusses settings for Postfix in a submission-only | |
| e-mail configuration.</description> | |
| <Value id="xccdf_org.ssgproject.content_value_var_postfix_root_mail_alias" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Postfix Root Mail Alias</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specify an email address (string) for a root mail alias.</description> | |
| <value>system.administrator@mail.mil</value> | |
| </Value> | |
| <Rule id="xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure System to Forward All Mail For The Root Account</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set up an alias for root that forwards to a monitored email address: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">$ sudo sh -c 'echo "root: <sub idref="xccdf_org.ssgproject.content_value_var_postfix_root_mail_alias" use="legacy"/>" >> /etc/aliases' | |
| $ sudo newaliases</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A number of system services utilize email messages sent to the root user to | |
| notify system administrators of active or impending issues. These messages must | |
| be forwarded to at least one monitored email address.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-postfix_client_configure_mail_alias_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_postfix_harden_os"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Operating System to Protect Mail Server</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The guidance in this section is appropriate for any host which is | |
| operating as a site MTA, whether the mail server runs using Sendmail, Postfix, | |
| or some other software.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure SSL Certificates for Use with SMTP AUTH</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If SMTP AUTH is to be used, the use of SSL to protect credentials in transit is strongly recommended. | |
| There are also configurations for which it may be desirable to encrypt all mail in transit from one MTA to another, | |
| though such configurations are beyond the scope of this guide. In either event, the steps for creating and installing | |
| an SSL certificate are independent of the MTA in use, and are described here.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure Security of Postfix SSL Certificate</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Create the PKI directory for mail certificates, if it does not already exist: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo mkdir /etc/pki/tls/mail | |
| $ sudo chown root:root /etc/pki/tls/mail | |
| $ sudo chmod 755 /etc/pki/tls/mail</html:pre> | |
| Using removable media or some other secure transmission format, install the files generated in the previous | |
| step onto the mail server: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">/etc/pki/tls/mail/serverkey.pem: the private key mailserverkey.pem | |
| /etc/pki/tls/mail/servercert.pem: the certificate file mailservercert.pem</html:pre> | |
| Verify the ownership and permissions of these files: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chown root:root /etc/pki/tls/mail/serverkey.pem | |
| $ sudo chown root:root /etc/pki/tls/mail/servercert.pem | |
| $ sudo chmod 600 /etc/pki/tls/mail/serverkey.pem | |
| $ sudo chmod 644 /etc/pki/tls/mail/servercert.pem</html:pre> | |
| Verify that the CA's public certificate file has been installed as <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pki/tls/CA/cacert.pem</html:code>, and has the | |
| correct permissions: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chown root:root /etc/pki/tls/CA/cacert.pem | |
| $ sudo chmod 644 /etc/pki/tls/CA/cacert.pem</html:pre></description> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_postfix_server_cfg"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Postfix if Necessary</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Postfix stores its configuration files in the directory | |
| /etc/postfix by default. The primary configuration file is | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/postfix/main.cf</html:code>.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_postfix_server_relay"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Control Mail Relaying</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Postfix's mail relay controls are implemented with the help of the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">smtpd_recipient_restrictions</html:code> option, which controls the restrictions placed on | |
| the SMTP dialogue once the sender and recipient envelope addresses are known. | |
| The guidance in the following sections should be applied to all systems. If | |
| there are systems which must be allowed to relay mail, but which cannot be | |
| trusted to relay unconditionally, configure SMTP AUTH with SSL support.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use TLS for SMTP AUTH</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Postfix provides options to use TLS for certificate-based | |
| authentication and encrypted sessions. An encrypted session protects the | |
| information that is transmitted with SMTP mail or with SASL authentication. | |
| To configure Postfix to protect all SMTP AUTH transactions | |
| using TLS, see | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://www.postfix.org/TLS_README.html">http://www.postfix.org/TLS_README.html</html:a>.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Require SMTP AUTH Before Relaying from Untrusted Clients</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SMTP authentication allows remote clients to relay mail safely by | |
| requiring them to authenticate before submitting mail. Postfix's SMTP AUTH uses | |
| an authentication library called SASL, which is not part of Postfix itself. To | |
| enable the use of SASL authentication, see | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://www.postfix.org/SASL_README.html">http://www.postfix.org/SASL_README.html</html:a></description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enact SMTP Recipient Restrictions</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To configure Postfix to restrict addresses to which it | |
| will send mail, see: | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://www.postfix.org/SMTPD_ACCESS_README.html#danger">http://www.postfix.org/SMTPD_ACCESS_README.html#danger</html:a> | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The full contents of <html:code xmlns:html="http://www.w3.org/1999/xhtml">smtpd_recipient_restrictions</html:code> will | |
| vary by site, since this is a common place to put spam restrictions and other | |
| site-specific options. The <html:code xmlns:html="http://www.w3.org/1999/xhtml">permit_mynetworks</html:code> option allows all mail to | |
| be relayed from the systems in <html:code xmlns:html="http://www.w3.org/1999/xhtml">mynetworks</html:code>. Then, the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">reject_unauth_destination</html:code> option denies all mail whose destination | |
| address is not local, preventing any other systems from relaying. These two | |
| options should always appear in this order, and should usually follow one | |
| another immediately unless SMTP AUTH is used.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Trusted Networks and Hosts</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Edit <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/postfix/main.cf</html:code>, and configure the contents of | |
| the <html:code xmlns:html="http://www.w3.org/1999/xhtml">mynetworks</html:code> variable in one of the following ways: | |
| <html:ul xmlns:html="http://www.w3.org/1999/xhtml"><html:li>If any system in the subnet containing the MTA may be trusted to relay | |
| messages, add or correct the following line: | |
| <html:pre>mynetworks_style = subnet</html:pre> | |
| This is also the default setting, and is in effect if all | |
| <html:code>mynetworks_style</html:code> directives are commented.</html:li><html:li>If only the MTA host itself is trusted to relay messages, add or correct | |
| the following line: | |
| <html:pre>mynetworks_style = host</html:pre></html:li><html:li>If the set of systems which can relay is more complicated, manually | |
| specify an entry for each netblock or IP address which is trusted to relay by | |
| setting the <html:code>mynetworks</html:code> variable directly: | |
| <html:pre>mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1</html:pre></html:li></html:ul></description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enact SMTP Relay Restrictions</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To configure Postfix to restrict addresses to which it | |
| will send mail, see: | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://www.postfix.org/SMTPD_ACCESS_README.html#danger">http://www.postfix.org/SMTPD_ACCESS_README.html#danger</html:a> | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The full contents of <html:code xmlns:html="http://www.w3.org/1999/xhtml">smtpd_recipient_restrictions</html:code> will | |
| vary by site, since this is a common place to put spam restrictions and other | |
| site-specific options. The <html:code xmlns:html="http://www.w3.org/1999/xhtml">permit_mynetworks</html:code> option allows all mail to | |
| be relayed from the systems in <html:code xmlns:html="http://www.w3.org/1999/xhtml">mynetworks</html:code>. Then, the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">reject_unauth_destination</html:code> option denies all mail whose destination | |
| address is not local, preventing any other systems from relaying. These two | |
| options should always appear in this order, and should usually follow one | |
| another immediately unless SMTP AUTH is used.</description> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_postfix_server_dos"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Postfix Resource Usage to Limit Denial of Service Attacks</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Edit <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/postfix/main.cf</html:code>. Edit the following lines to | |
| configure the amount of system resources Postfix can consume: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">default_process_limit = 100 | |
| smtpd_client_connection_count_limit = 10 | |
| smtpd_client_connection_rate_limit = 30 | |
| queue_minfree = 20971520 | |
| header_size_limit = 51200 | |
| message_size_limit = 10485760 | |
| smtpd_recipient_limit = 100</html:pre> | |
| The values here are examples.</description> | |
| <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Note: The values given here are examples, and may | |
| need to be modified for any particular site. By default, the Postfix anvil | |
| process gathers mail receipt statistics. To get information about what | |
| connection rates are typical at your site, look in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/log/maillog</html:code> | |
| for lines with the daemon name postfix/anvil.</warning> | |
| </Group> | |
| </Group> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_routing"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Network Routing</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A router is a very desirable target for a | |
| potential adversary because it fulfills a variety of | |
| infrastructure networking roles such as access to network segments, | |
| gateways to other networks, filtering, etc. Therefore, if one is | |
| required, the system acting as a router should be dedicated | |
| to that purpose alone and be stored in a physically secure | |
| location. The system's default routing software is Quagga, and is | |
| provided in an RPM package of the same name.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_disabling_quagga"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Quagga if Possible</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If Quagga was installed and activated, but the system | |
| does not need to act as a router, then it should be disabled | |
| and removed.</description> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_ldap"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">LDAP</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">LDAP is a popular directory service, that is, a | |
| standardized way of looking up information from a central database. | |
| Fedora includes software that enables a system to act as both | |
| an LDAP client and server.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_openldap_server"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure OpenLDAP Server</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This section details some security-relevant settings | |
| for an OpenLDAP server.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Install and Protect LDAP Certificate Files</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Create the PKI directory for LDAP certificates if it does not already exist: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo mkdir /etc/pki/tls/ldap | |
| $ sudo chown root:root /etc/pki/tls/ldap | |
| $ sudo chmod 755 /etc/pki/tls/ldap</html:pre> | |
| Using removable media or some other secure transmission format, install the certificate files | |
| onto the LDAP server: | |
| <html:ul xmlns:html="http://www.w3.org/1999/xhtml"><html:li><html:code>/etc/pki/tls/ldap/serverkey.pem</html:code>: the private key <html:code>ldapserverkey.pem</html:code></html:li><html:li><html:code>/etc/pki/tls/ldap/servercert.pem</html:code>: the certificate file <html:code>ldapservercert.pem</html:code></html:li></html:ul> | |
| Set the ownership and permissions of these files so that only <html:code xmlns:html="http://www.w3.org/1999/xhtml">root</html:code> and the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ldap</html:code> group can read them: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chown root:ldap /etc/pki/tls/ldap/serverkey.pem | |
| $ sudo chown root:ldap /etc/pki/tls/ldap/servercert.pem | |
| $ sudo chmod 640 /etc/pki/tls/ldap/serverkey.pem | |
| $ sudo chmod 640 /etc/pki/tls/ldap/servercert.pem</html:pre> | |
| Create the CA directory if it does not already exist, install the CA's public certificate file as | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pki/tls/CA/cacert.pem</html:code>, and set its ownership and permissions: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo mkdir /etc/pki/tls/CA | |
| $ sudo chown root:root /etc/pki/tls/CA/cacert.pem | |
| $ sudo chmod 644 /etc/pki/tls/CA/cacert.pem</html:pre> | |
| As a result of these steps, the LDAP server can read its own certificate, the private key | |
| corresponding to that certificate, and the public certificate file belonging to the CA, while | |
| other unprivileged users cannot read the private key. Note that it would be possible for | |
| the key to be protected further, so that processes running as <html:code xmlns:html="http://www.w3.org/1999/xhtml">ldap</html:code> could not | |
| read it. If this were done, the LDAP server process would need to be restarted | |
| manually whenever the server rebooted.</description> | |
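The commands above prescribe an exact owner, group and mode for each certificate file. The checker below is an added example, not part of the SCAP Security Guide content, that verifies that end state: it refuses symlinks (a link out of /etc/pki would pass a naive mode check), flags a world-readable private key, and resolves uid/gid to names so that the expected `root:ldap` ownership can be compared. The paths, owners and modes in `EXPECTED` are taken from the steps above; `self_check()` builds a throwaway copy of the layout under a temporary directory owned by the current user so the checker can be exercised without root or a real LDAP server.

```python
import grp
import os
import pwd
import stat
import tempfile

# Expected state from the steps above: (path, owner, group, mode).
EXPECTED = [
    ("/etc/pki/tls/ldap", "root", "root", 0o755),
    ("/etc/pki/tls/ldap/serverkey.pem", "root", "ldap", 0o640),
    ("/etc/pki/tls/ldap/servercert.pem", "root", "ldap", 0o640),
    ("/etc/pki/tls/CA/cacert.pem", "root", "root", 0o644),
]


def _name(uid=None, gid=None):
    """Resolve a uid or gid to a name, falling back to the bare number."""
    try:
        if uid is not None:
            return pwd.getpwuid(uid).pw_name
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(uid if uid is not None else gid)


def check_path(path, owner, group, mode):
    """Return a list of findings for one path; an empty list means it is correct."""
    try:
        st = os.lstat(path)  # lstat: a symlink into a less protected location must not pass
    except FileNotFoundError:
        return [f"{path}: missing"]
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path}: is a symlink, expected a regular file or directory")
    actual = stat.S_IMODE(st.st_mode)
    if actual != mode:
        findings.append(f"{path}: mode {actual:04o}, expected {mode:04o}")
    if actual & stat.S_IROTH and path.endswith("key.pem"):
        findings.append(f"{path}: private key is world-readable")
    if _name(uid=st.st_uid) != owner:
        findings.append(f"{path}: owner {_name(uid=st.st_uid)}, expected {owner}")
    if _name(gid=st.st_gid) != group:
        findings.append(f"{path}: group {_name(gid=st.st_gid)}, expected {group}")
    return findings


def audit(expected=EXPECTED):
    """Audit every entry; returns all findings (an empty list means compliant)."""
    out = []
    for path, owner, group, mode in expected:
        out.extend(check_path(path, owner, group, mode))
    return out


def self_check():
    """Build a throwaway copy of the layout under a temp dir, owned by the
    current user, and return (findings_when_correct, findings_after_loosening).
    The file contents are constructed placeholders, not real keys or certs."""
    me, mygrp = _name(uid=os.getuid()), _name(gid=os.getgid())
    root = tempfile.mkdtemp()
    layout = []
    for path, _owner, _group, mode in EXPECTED:
        full = os.path.join(root, path.lstrip("/"))
        if path.endswith(".pem"):
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write("constructed placeholder, not a real key or certificate\n")
        else:
            os.makedirs(full, exist_ok=True)
        os.chmod(full, mode)  # set explicitly; the umask would otherwise apply
        layout.append((full, me, mygrp, mode))
    good = audit(layout)
    os.chmod(layout[1][0], 0o644)  # loosen the private key to world-readable
    return good, audit(layout)


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Run without arguments it audits the real paths and prints one line per deviation; an empty output means the files match the steps above.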
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_openldap_client"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure OpenLDAP Clients</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This section provides information on which security settings are | |
| important to configure in OpenLDAP clients by manually editing the appropriate | |
| configuration files. Fedora provides an automated configuration tool called | |
| authconfig and a graphical wrapper for authconfig called | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">system-config-authentication</html:code> (on Fedora 28 and later, authconfig has been replaced by | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">authselect</html:code>). However, these tools do not provide as | |
| much control over configuration as manual editing of configuration files. The | |
| authconfig tools do not allow you to specify the locations of SSL certificate | |
| files, which is useful when trying to use SSL cleanly across several protocols.</description> | |
| <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Before configuring any system to be an | |
| LDAP client, ensure that a working LDAP server is present on the | |
| network.</warning> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_obsolete"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Obsolete Services</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This section discusses a number of network-visible | |
| services which have historically caused problems for system | |
| security, and for which disabling or severely limiting the service | |
| has been the best available guidance for some time. As a result of | |
| this, many of these services are not installed as part of Fedora | |
| by default. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Organizations which are running these services should | |
| switch to more secure equivalents as soon as possible. | |
| If it remains absolutely necessary to run one of | |
| these services for legacy reasons, care should be taken to restrict | |
| the service as much as possible, for instance by configuring host | |
| firewall software such as <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables</html:code> to restrict access to the | |
| vulnerable service to only those remote hosts which have a known | |
| need to use it.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_telnet"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Telnet</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The telnet protocol does not provide confidentiality or integrity | |
| for information transmitted on the network. This includes authentication | |
| information such as passwords. Organizations which use telnet should be | |
| actively working to migrate to a more secure protocol.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_r_services"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Rlogin, Rsh, and Rexec</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Berkeley r-commands are legacy services which | |
| allow cleartext remote access and have an insecure trust | |
| model.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_talk"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Chat/Messaging Services</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The talk software makes it possible for users to send and receive messages | |
| across systems through a terminal session.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_tftp"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">TFTP Server</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">TFTP is a lightweight version of the FTP protocol which has | |
| traditionally been used to configure networking equipment. However, | |
| TFTP provides little security, and modern versions of networking | |
| operating systems frequently support configuration via SSH or other | |
| more secure protocols. A TFTP server should be run only if no more | |
| secure method of supporting existing equipment can be | |
| found.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_nis"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">NIS</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Network Information Service (NIS), also known as 'Yellow | |
| Pages' (YP), and its successor NIS+ have been made obsolete by | |
| Kerberos, LDAP, and other modern centralized authentication | |
| services. NIS should not be used because it suffers from security | |
| problems inherent in its design, such as inadequate protection of | |
| important authentication information.</description> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_ssh"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH Server</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The SSH protocol is recommended for remote login and | |
| remote file transfer. SSH provides confidentiality and integrity | |
| for data exchanged between two systems, as well as server | |
| authentication, through the use of public key cryptography. The | |
| implementation included with the system is called OpenSSH, and more | |
| detailed documentation is available from its website, | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://www.openssh.org">http://www.openssh.org</html:a>. Its server program | |
| is called <html:code xmlns:html="http://www.w3.org/1999/xhtml">sshd</html:code> and provided by the RPM package | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">openssh-server</html:code>.</description> | |
| <Value id="xccdf_org.ssgproject.content_value_sshd_required" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH is required to be installed</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specify whether the policy requires SSH to be installed. Used by the SSH rules | |
| to determine whether SSH should be uninstalled or configured.<html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| A value of 0 means that the policy does not care whether the OpenSSH server is installed. If it is installed, the scanner checks its configuration; if it is not installed, the check passes.<html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| A value of 1 indicates that the OpenSSH server package is not required by the policy.<html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| A value of 2 indicates that the OpenSSH server package is required by the policy.<html:br xmlns:html="http://www.w3.org/1999/xhtml"/></description> | |
| <value>0</value> | |
| <value selector="no">1</value> | |
| <value selector="yes">2</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_firewalld_sshd_zone" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH enabled firewalld zone</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specify firewalld zone to enable SSH service. This value is used only for remediation purposes.</description> | |
| <value selector="block">block</value> | |
| <value>public</value> | |
| <value selector="dmz">dmz</value> | |
| <value selector="drop">drop</value> | |
| <value selector="external">external</value> | |
| <value selector="home">home</value> | |
| <value selector="internal">internal</value> | |
| <value selector="public">public</value> | |
| <value selector="trusted">trusted</value> | |
| <value selector="work">work</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sshd_approved_macs" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH Approved MACs by FIPS</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specify the FIPS approved MACs (message authentication code) algorithms | |
| that are used for data integrity protection by the SSH server.</description> | |
| <value>hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sshd_listening_port" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH Server Listening Port</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specify the port on which the SSH server listens.</description> | |
| <value>22</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sshd_max_auth_tries_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH Max authentication attempts</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specify the maximum number of authentication attempts per connection.</description> | |
| <value selector="10">10</value> | |
| <value selector="3">3</value> | |
| <value selector="4">4</value> | |
| <value selector="5">5</value> | |
| <value>4</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH session Idle time</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specify the allowed idle time, in seconds.</description> | |
| <value selector="10_minutes">600</value> | |
| <value selector="120_minutes">7200</value> | |
| <value selector="15_minutes">900</value> | |
| <value selector="30_minutes">1800</value> | |
| <value selector="5_minutes">300</value> | |
| <value selector="60_minutes">3600</value> | |
| <value>300</value> | |
| </Value> | |
| <Group id="xccdf_org.ssgproject.content_group_ssh_server"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure OpenSSH Server if Necessary</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the system needs to act as an SSH server, then | |
| certain changes should be made to the OpenSSH daemon configuration | |
| file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code>. The following recommendations can be | |
| applied to this file. See the <html:code xmlns:html="http://www.w3.org/1999/xhtml">sshd_config(5)</html:code> man page for more | |
| detailed information.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Strengthen Firewall Configuration if Possible</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the SSH server is expected to only receive connections from | |
| the local network, then strengthen the default firewall rule for the SSH service | |
| to only accept connections from the appropriate network segment(s). | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Determine an appropriate network block, <html:code xmlns:html="http://www.w3.org/1999/xhtml">netwk</html:code>, network mask, <html:code xmlns:html="http://www.w3.org/1999/xhtml">mask</html:code>, and | |
| network protocol, <html:code xmlns:html="http://www.w3.org/1999/xhtml">ip_protocol</html:code> (<html:code xmlns:html="http://www.w3.org/1999/xhtml">ipv4</html:code> or <html:code xmlns:html="http://www.w3.org/1999/xhtml">ipv6</html:code>), representing the systems on your network which will | |
| be allowed to access this SSH server. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">firewall-cmd --permanent --add-rich-rule='rule family="ip_protocol" source address="netwk/mask" service name="ssh" accept'</html:pre> | |
| Because the rule is added with <html:code xmlns:html="http://www.w3.org/1999/xhtml">--permanent</html:code>, it takes effect only after firewalld is reloaded. Note also that this rule only adds an allow entry: | |
| if the zone still lists the generic <html:code xmlns:html="http://www.w3.org/1999/xhtml">ssh</html:code> service, connections from every other address remain accepted, so that service | |
| must be removed from the zone as well for the restriction to have any effect.</description> | |
| </Group> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable SSH Support for .rhosts Files</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH can emulate the behavior of the obsolete rsh | |
| command in allowing users to enable insecure access to their | |
| accounts via <html:code xmlns:html="http://www.w3.org/1999/xhtml">.rhosts</html:code> files. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| To ensure this behavior is disabled, add or correct the | |
| following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">IgnoreRhosts yes</html:pre></description> | |
| <reference href="">5.2.6</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH trust relationships mean a compromise on one host | |
| can allow an attacker to move trivially to other hosts.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_disable_rhosts" system="urn:xccdf:fix:script:sh"><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_function_replace_or_append" use="legacy"/> | |
| replace_or_append '/etc/ssh/sshd_config' '^IgnoreRhosts' 'yes' '' '%s %s' | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_disable_rhosts" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: Disable SSH Support for .rhosts Files | |
| lineinfile: | |
| create: yes | |
| dest: /etc/ssh/sshd_config | |
| regexp: ^IgnoreRhosts | |
| line: IgnoreRhosts yes | |
| validate: sshd -t -f %s | |
| tags: | |
| - sshd_disable_rhosts | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-3 | |
| - NIST-800-53-CM-6(a) | |
| - NIST-800-171-3.1.12 | |
| - CJIS-5.5.6 | |
| </fix> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set SSH Client Alive Count</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To ensure that an idle session is terminated as soon as the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ClientAliveInterval</html:code> elapses | |
| without a response from the client, edit <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> as follows: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">ClientAliveCountMax 0</html:pre> | |
| This setting has no effect unless <html:code xmlns:html="http://www.w3.org/1999/xhtml">ClientAliveInterval</html:code> is also set to a non-zero value. Note that in OpenSSH 8.2 and later a count of | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">0</html:code> instead disables connection termination entirely; on those versions use | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">ClientAliveCountMax 1</html:code> to obtain the intended behavior.</description> | |
| <reference href="">5.2.12</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This ensures a user login will be terminated as soon as the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ClientAliveInterval</html:code> | |
| is reached.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_set_keepalive" system="urn:xccdf:fix:script:sh"><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_function_replace_or_append" use="legacy"/> | |
| replace_or_append '/etc/ssh/sshd_config' '^ClientAliveCountMax' '0' '' '%s %s' | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_set_keepalive" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: Set SSH Client Alive Count | |
| lineinfile: | |
| create: yes | |
| dest: /etc/ssh/sshd_config | |
| regexp: ^ClientAliveCountMax | |
| line: ClientAliveCountMax 0 | |
| validate: sshd -t -f %s | |
| #notify: restart sshd | |
| tags: | |
| - sshd_set_keepalive | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-2(5) | |
| - NIST-800-53-SA-8 | |
| - NIST-800-53-AC-12 | |
| - NIST-800-171-3.1.11 | |
| - CJIS-5.5.6 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/> | |
| <check-content-ref name="oval:ssg-sshd_set_keepalive:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_limit_user_access" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Limit Users' SSH Access</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SSH configuration allows any user with an account | |
| to access the system. In order to specify the users that are allowed to login | |
| via SSH and deny all other users, add or correct the following line in the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> file: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">AllowUsers USER1 USER2</html:pre> | |
| Where <html:code xmlns:html="http://www.w3.org/1999/xhtml">USER1</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">USER2</html:code> are valid user names. Once <html:code xmlns:html="http://www.w3.org/1999/xhtml">AllowUsers</html:code> is set, every account not listed | |
| is refused; <html:code xmlns:html="http://www.w3.org/1999/xhtml">DenyUsers</html:code> only blocks the accounts it names and leaves all others permitted.</description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specifying which accounts are allowed SSH access into the system reduces the | |
| possibility of unauthorized access to the system.</rationale> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" selected="false" severity="high"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Allow Only SSH Protocol 2</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Only SSH protocol version 2 connections should be | |
| permitted. The default setting in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> is correct, and can be | |
| verified by ensuring that the following | |
| line appears: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">Protocol 2</html:pre></description> | |
| <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">As of <html:code xmlns:html="http://www.w3.org/1999/xhtml">openssh-server</html:code> version <html:code xmlns:html="http://www.w3.org/1999/xhtml">7.4</html:code> and above, protocol version 2 is the only | |
| version supported, and the line <html:code xmlns:html="http://www.w3.org/1999/xhtml">Protocol 2</html:code> in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> is no longer necessary.</warning> | |
| <reference href="">5.2.2</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.4</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000197</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8).1(ii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000074-GPOS-00042</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH protocol version 1 is an insecure version of the SSH protocol with | |
| well-known vulnerabilities and publicly available exploits. Exploitation of the SSH daemon could provide | |
| immediate root access to the system.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_allow_only_protocol2" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict"> | |
| - name: "Allow Only SSH Protocol 2" | |
| lineinfile: | |
| dest: /etc/ssh/sshd_config | |
| regexp: "^Protocol [0-9]" | |
| line: "Protocol 2" | |
| validate: sshd -t -f %s | |
| #notify: :reload ssh | |
| tags: | |
| - sshd_allow_only_protocol2 | |
| - high_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-17(8).1(ii) | |
| - NIST-800-53-IA-5(1)(c) | |
| - NIST-800-171-3.1.13 | |
| - NIST-800-171-3.5.4 | |
| - CJIS-5.5.6 | |
| </fix> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_use_strong_macs" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use Only Strong MACs</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Limit the MACs to strong hash algorithms. | |
| The following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> demonstrates use | |
| of those MACs: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160</html:pre> | |
| Note that <html:code xmlns:html="http://www.w3.org/1999/xhtml">hmac-ripemd160</html:code> was removed in OpenSSH 7.6, and <html:code xmlns:html="http://www.w3.org/1999/xhtml">sshd</html:code> refuses to start when the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">MACs</html:code> line names an algorithm it does not support; drop it on such versions and validate the file with | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">sshd -t</html:code> before restarting the service.</description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">MD5-based and 96-bit truncated MAC algorithms are considered weak and increase the | |
| impact of SSH downgrade attacks. Weak algorithms continue to receive attention as a weak spot that can be | |
| exploited with growing computing power. An attacker who breaks the algorithm could use a man-in-the-middle | |
| position to alter or inject traffic in the SSH session, including the authentication exchange, and so | |
| capture credentials and information.</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-sshd_use_strong_macs:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_use_strong_macs_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable Use of Strict Mode Checking</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH's <html:code xmlns:html="http://www.w3.org/1999/xhtml">StrictModes</html:code> option makes <html:code xmlns:html="http://www.w3.org/1999/xhtml">sshd</html:code> check the ownership and permissions of | |
| the user's home directory, its <html:code xmlns:html="http://www.w3.org/1999/xhtml">.ssh</html:code> directory and the key files in it before accepting a login. If group- or world- | |
| writable permissions are found, the login is rejected. To enable StrictModes in SSH, | |
| add or correct the following line in the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> file: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">StrictModes yes</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If other users have access to modify user-specific SSH configuration files, they | |
| may be able to log into the system as another user.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_enable_strictmodes" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: "Enable Use of Strict Mode Checking" | |
| lineinfile: | |
| create: yes | |
| dest: /etc/ssh/sshd_config | |
| regexp: (?i)^#?strictmodes | |
| line: StrictModes yes | |
| validate: sshd -t -f %s | |
| #notify: restart sshd | |
| tags: | |
| - sshd_enable_strictmodes | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-6 | |
| - NIST-800-171-3.1.12 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/> | |
| <check-content-ref name="oval:ssg-sshd_enable_strictmodes:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_enable_strictmodes_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info" selected="false" severity="low"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set LogLevel to INFO</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">INFO</html:code> level records login and logout activity. | |
| To specify the log level in | |
| SSH, add or correct the following line in the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> file: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">LogLevel INFO</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH provides several logging levels with varying amounts of verbosity. <html:code xmlns:html="http://www.w3.org/1999/xhtml">DEBUG</html:code> is specifically | |
| not recommended other than strictly for debugging SSH communications since it provides | |
| so much data that it is difficult to identify important security information. <html:code xmlns:html="http://www.w3.org/1999/xhtml">INFO</html:code> level is the | |
| basic level that only records login activity of SSH users. In many situations, such as Incident | |
| Response, it is important to determine when a particular user was active on a system. The | |
| logout record can eliminate those users who disconnected, which helps narrow the field.</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-sshd_set_loglevel_info:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_set_loglevel_info_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="false" severity="high"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable SSH Access via Empty Passwords</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To explicitly disallow SSH login from accounts with | |
| empty passwords, add or correct the following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code>: | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">PermitEmptyPasswords no</html:pre> | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Any accounts with empty passwords should be disabled immediately, and PAM configuration | |
| should prevent users from being able to assign themselves empty passwords.</description> | |
| <reference href="">5.2.9</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configuring this setting for the SSH daemon provides additional assurance that | |
| remote login via SSH will require a password, even in the event of | |
| misconfiguration elsewhere.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_disable_empty_passwords" system="urn:xccdf:fix:script:sh"><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_function_replace_or_append" use="legacy"/> | |
| replace_or_append '/etc/ssh/sshd_config' '^PermitEmptyPasswords' 'no' '' '%s %s' | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_disable_empty_passwords" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: Disable SSH Access via Empty Passwords | |
| lineinfile: | |
| create: yes | |
| dest: /etc/ssh/sshd_config | |
| regexp: ^PermitEmptyPasswords | |
| line: PermitEmptyPasswords no | |
| validate: sshd -t -f %s | |
| tags: | |
| - sshd_disable_empty_passwords | |
| - high_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-3 | |
| - NIST-800-53-AC-6 | |
| - NIST-800-53-CM-6(b) | |
| - NIST-800-171-3.1.1 | |
| - NIST-800-171-3.1.5 | |
| - CJIS-5.5.6 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/> | |
| <check-content-ref name="oval:ssg-sshd_disable_empty_passwords:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_print_last_log" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Print Last Log</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">When enabled, SSH will display the date and time of the last | |
| successful account logon. To enable LastLog in | |
| SSH, add or correct the following line in the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> file: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">PrintLastLog yes</html:pre></description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-9</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Providing users feedback on when account accesses last occurred facilitates user | |
| recognition and reporting of unauthorized account use.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_print_last_log_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable SSH Support for User Known Hosts</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH can allow system users to use host-based authentication to connect | |
| to systems if a cache of the remote systems' public keys is available. | |
| This should be disabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| To ensure this behavior is disabled, add or correct the | |
| following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">IgnoreUserKnownHosts yes</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configuring this setting for the SSH daemon provides additional | |
| assurance that remote login via SSH will require a password, even | |
| in the event of misconfiguration elsewhere.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_disable_user_known_hosts" system="urn:xccdf:fix:script:sh"><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_function_replace_or_append" use="legacy"/> | |
| replace_or_append '/etc/ssh/sshd_config' '^IgnoreUserKnownHosts' 'yes' '' '%s %s' | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_disable_user_known_hosts" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: "Disable SSH Support for User Known Hosts" | |
| lineinfile: | |
| create: yes | |
| dest: /etc/ssh/sshd_config | |
| regexp: ^IgnoreUserKnownHosts | |
| line: IgnoreUserKnownHosts yes | |
| validate: sshd -t -f %s | |
| #notify: restart sshd | |
| tags: | |
| - sshd_disable_user_known_hosts | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-CM-6(a) | |
| - NIST-800-171-3.1.12 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/> | |
| <check-content-ref name="oval:ssg-sshd_disable_user_known_hosts:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_disable_user_known_hosts_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable SSH Root Login</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The root user should never be allowed to login to a | |
| system directly over a network. | |
| To disable root login via SSH, add or correct the following line | |
| in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">PermitRootLogin no</html:pre></description> | |
| <reference href="">5.2.8</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(2)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(5)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Even though the communications channel may be encrypted, an additional layer of | |
| security is gained by extending the policy of not logging directly on as root. | |
| In addition, logging in with a user-specific account provides individual | |
| accountability of actions performed on the system and also helps to minimize | |
| direct attack attempts on root's password.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_disable_root_login" system="urn:xccdf:fix:script:sh"> | |
| SSHD_CONFIG='/etc/ssh/sshd_config' | |
| # Obtain line number of first uncommented case-insensitive occurrence of Match | |
| # block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG | |
| FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG) | |
| # Obtain line number of first uncommented case-insensitive occurrence of | |
| # PermitRootLogin directive (possibly prefixed with whitespace) present in | |
| # $SSHD_CONFIG | |
| FIRST_PERMIT_ROOT_LOGIN=$(sed -n '/^[[:space:]]*PermitRootLogin[^\n]*/I{=;q}' $SSHD_CONFIG) | |
| # Case: Match block directive not present in $SSHD_CONFIG | |
| if [ -z "$FIRST_MATCH_BLOCK" ] | |
| then | |
| # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet | |
| if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ] | |
| then | |
| # Append 'PermitRootLogin no' at the end of $SSHD_CONFIG | |
| echo -e "\nPermitRootLogin no" >> $SSHD_CONFIG | |
| # Case: PermitRootLogin directive present in $SSHD_CONFIG already | |
| else | |
| # Replace first uncommented case-insensitive occurrence | |
| # of PermitRootLogin directive | |
| sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG | |
| fi | |
| # Case: Match block directive present in $SSHD_CONFIG | |
| else | |
| # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet | |
| if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ] | |
| then | |
| # Prepend 'PermitRootLogin no' before first uncommented | |
| # case-insensitive occurrence of Match block directive | |
| sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG | |
| # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed | |
| # before first Match block directive | |
| elif [ "$FIRST_PERMIT_ROOT_LOGIN" -lt "$FIRST_MATCH_BLOCK" ] | |
| then | |
| # Replace first uncommented case-insensitive occurrence | |
| # of PermitRootLogin directive | |
| sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG | |
| # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed | |
| # after first Match block directive | |
| else | |
| # Prepend 'PermitRootLogin no' before first uncommented | |
| # case-insensitive occurrence of Match block directive | |
| sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG | |
| fi | |
| fi | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_disable_root_login" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: "Disable SSH Root Login" | |
| lineinfile: | |
| create: yes | |
| dest: "/etc/ssh/sshd_config" | |
| regexp: "^PermitRootLogin" | |
| line: "PermitRootLogin no" | |
| insertafter: '(?i)^#?authentication' | |
| validate: sshd -t -f %s | |
| #notify: restart sshd | |
| tags: | |
| - sshd_disable_root_login | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-3 | |
| - NIST-800-53-AC-6(2) | |
| - NIST-800-53-IA-2(1) | |
| - NIST-800-53-IA-2(5) | |
| - NIST-800-171-3.1.1 | |
| - NIST-800-171-3.1.5 | |
| - CJIS-5.5.6 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/> | |
| <check-content-ref name="oval:ssg-sshd_disable_root_login:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set SSH Idle Timeout Interval</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH allows administrators to set an idle timeout | |
| interval. | |
| After this interval has passed, the idle user will be | |
| automatically logged out. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| To set an idle timeout interval, edit the following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> as | |
| follows: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">ClientAliveInterval <html:b><sub idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" use="legacy"/></html:b></html:pre> | |
| The timeout <html:b xmlns:html="http://www.w3.org/1999/xhtml">interval</html:b> is given in seconds. To have a timeout | |
| of 15 minutes, set <html:b xmlns:html="http://www.w3.org/1999/xhtml">interval</html:b> to 900. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| If a shorter timeout has already been set for the login | |
| shell, that value will preempt any SSH | |
| setting made here. Keep in mind that some processes may stop SSH | |
| from correctly detecting that the user is idle.</description> | |
| <reference href="">5.2.12</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Terminating an idle SSH session within a short time period reduces the window of | |
| opportunity for unauthorized personnel to take control of a management session | |
| enabled on the console or console port that has been left unattended.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_set_idle_timeout" system="urn:xccdf:fix:script:sh"> | |
| sshd_idle_timeout_value="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" use="legacy"/>" | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_function_replace_or_append" use="legacy"/> | |
| replace_or_append '/etc/ssh/sshd_config' '^ClientAliveInterval' $sshd_idle_timeout_value '' '%s %s' | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_set_idle_timeout" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: XCCDF Value sshd_idle_timeout_value # promote to variable | |
| set_fact: | |
| sshd_idle_timeout_value: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Set SSH Idle Timeout Interval | |
| lineinfile: | |
| create: yes | |
| dest: /etc/ssh/sshd_config | |
| regexp: ^ClientAliveInterval | |
| line: "ClientAliveInterval {{ sshd_idle_timeout_value }}" | |
| validate: sshd -t -f %s | |
| #notify: restart sshd | |
| tags: | |
| - sshd_set_idle_timeout | |
| - unknown_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-2(5) | |
| - NIST-800-53-SA-8(i) | |
| - NIST-800-53-AC-12 | |
| - NIST-800-171-3.1.11 | |
| - PCI-DSS-Req-8.1.8 | |
| - CJIS-5.5.6 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/> | |
| <check-export export-name="oval:ssg-sshd_idle_timeout_value:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value"/> | |
| <check-content-ref name="oval:ssg-sshd_set_idle_timeout:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_compression" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Compression Or Set Compression to delayed</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Compression is useful for slow network connections over long | |
| distances but can cause performance issues on local LANs. If use of compression | |
| is required, it should be enabled only after a user has authenticated; otherwise, | |
| it should be disabled. To disable compression or delay compression until after | |
| a user has successfully authenticated, add or correct the following line in the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> file: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">Compression no</html:pre> or <html:pre xmlns:html="http://www.w3.org/1999/xhtml">Compression delayed</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If compression is allowed in an SSH connection prior to authentication, | |
| vulnerabilities in the compression software could result in compromise of the | |
| system from an unauthenticated connection, potentially with root privileges.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_disable_compression" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: "Disable Compression or Set Compression to delayed" | |
| lineinfile: | |
| create: yes | |
| dest: /etc/ssh/sshd_config | |
| regexp: (?i)^#?compression | |
| line: Compression delayed | |
| validate: sshd -t -f %s | |
| #notify: restart sshd | |
| tags: | |
| - sshd_disable_compression | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-CM-6(b) | |
| - NIST-800-171-3.1.12 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/> | |
| <check-content-ref name="oval:ssg-sshd_disable_compression:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_disable_compression_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable GSSAPI Authentication</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unless needed, SSH should not permit extraneous or unnecessary | |
| authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or | |
| correct the following line in the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> file: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">GSSAPIAuthentication no</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000368</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000318</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001812</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001813</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000364-GPOS-00151</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">GSSAPI authentication is used to provide additional authentication mechanisms to | |
| applications. Allowing GSSAPI authentication through SSH exposes the system's | |
| GSSAPI to remote hosts, increasing the attack surface of the system.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_disable_gssapi_auth" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: "Disable GSSAPI Authentication" | |
| lineinfile: | |
| create: yes | |
| dest: /etc/ssh/sshd_config | |
| regexp: (?i)^#?gssapiauthentication | |
| line: GSSAPIAuthentication no | |
| validate: sshd -t -f %s | |
| #notify: restart sshd | |
| tags: | |
| - sshd_disable_gssapi_auth | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-CM-6(c) | |
| - NIST-800-171-3.1.12 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/> | |
| <check-content-ref name="oval:ssg-sshd_disable_gssapi_auth:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_disable_gssapi_auth_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Kerberos Authentication</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unless needed, SSH should not permit extraneous or unnecessary | |
| authentication mechanisms like Kerberos. To disable Kerberos authentication, add | |
| or correct the following line in the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> file: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">KerberosAuthentication no</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000368</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000318</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001812</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001813</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000364-GPOS-00151</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos | |
| is enabled through SSH, the SSH daemon provides a means of access to the | |
| system's Kerberos implementation. Vulnerabilities in the system's Kerberos | |
| implementations may be subject to exploitation.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_disable_kerb_auth" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: "Disable Kerberos Authentication" | |
| lineinfile: | |
| create: yes | |
| dest: /etc/ssh/sshd_config | |
| regexp: (?i)^#?kerberosauthentication | |
| line: KerberosAuthentication no | |
| validate: sshd -t -f %s | |
| #notify: restart sshd | |
| tags: | |
| - sshd_disable_kerb_auth | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-CM-6(c) | |
| - NIST-800-171-3.1.12 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/> | |
| <check-content-ref name="oval:ssg-sshd_disable_kerb_auth:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_use_strong_ciphers" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use Only Strong Ciphers</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Limit the ciphers to strong algorithms. | |
| Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. | |
| Either of the following lines in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> | |
| demonstrates use of those ciphers: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">Ciphers aes128-ctr,aes192-ctr,aes256-ctr</html:pre> | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr</html:pre> | |
| The man page <html:code xmlns:html="http://www.w3.org/1999/xhtml">sshd_config(5)</html:code> contains a list of supported ciphers.</description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Based on research conducted at various institutions, it was determined that the symmetric | |
| portion of the SSH Transport Protocol (as described in RFC 4253) has security weaknesses | |
| that allowed recovery of up to 32 bits of plaintext from a block of ciphertext that was | |
| encrypted with the Cipher Block Chaining (CBC) method. From that research, new Counter | |
| mode algorithms (as described in RFC 4344) were designed that are not vulnerable to these | |
| types of attacks, and these algorithms are now recommended for standard use.</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-sshd_use_strong_ciphers:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_use_strong_ciphers_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_disable_host_auth" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Host-Based Authentication</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH's cryptographic host-based authentication is | |
| more secure than <html:code xmlns:html="http://www.w3.org/1999/xhtml">.rhosts</html:code> authentication. However, it is | |
| not recommended that hosts unilaterally trust one another, even | |
| within an organization. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| To disable host-based authentication, add or correct the | |
| following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">HostbasedAuthentication no</html:pre></description> | |
| <reference href="">5.2.7</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH trust relationships mean a compromise on one host | |
| can allow an attacker to move trivially to other hosts.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="disable_host_auth" system="urn:xccdf:fix:script:sh">grep -q ^HostbasedAuthentication /etc/ssh/sshd_config && \ | |
| sed -i "s/HostbasedAuthentication.*/HostbasedAuthentication no/g" /etc/ssh/sshd_config | |
| if ! [ $? -eq 0 ]; then | |
| echo "HostbasedAuthentication no" >> /etc/ssh/sshd_config | |
| fi | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="disable_host_auth" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: Disable Host-Based Authentication | |
| lineinfile: | |
| create: yes | |
| dest: /etc/ssh/sshd_config | |
| regexp: ^HostbasedAuthentication | |
| line: HostbasedAuthentication no | |
| tags: | |
| - disable_host_auth | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-3 | |
| - NIST-800-53-CM-6(b) | |
| - NIST-800-171-3.1.12 | |
| - CJIS-5.5.6 | |
| </fix> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-disable_host_auth_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable SSH Support for Rhosts RSA Authentication</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH can allow authentication in the style of the obsolete rsh | |
| command, using the authenticating user's SSH keys. This should be disabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| To ensure this behavior is disabled, add or correct the | |
| following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">RhostsRSAAuthentication no</html:pre></description> | |
| <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">As of <html:code xmlns:html="http://www.w3.org/1999/xhtml">openssh-server</html:code> version <html:code xmlns:html="http://www.w3.org/1999/xhtml">7.4</html:code> and above, | |
| the <html:code xmlns:html="http://www.w3.org/1999/xhtml">RhostsRSAAuthentication</html:code> option has been deprecated, and the line | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">RhostsRSAAuthentication no</html:pre> in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> is not | |
| necessary.</warning> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configuring this setting for the SSH daemon provides additional | |
| assurance that remote login via SSH will require a password, even | |
| in the event of misconfiguration elsewhere.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_disable_rhosts_rsa" system="urn:xccdf:fix:script:sh"><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_function_replace_or_append" use="legacy"/> | |
| replace_or_append '/etc/ssh/sshd_config' '^RhostsRSAAuthentication' 'no' '' '%s %s' | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_disable_rhosts_rsa" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: Disable SSH Support for Rhosts RSA Authentication | |
| lineinfile: | |
| create: yes | |
| dest: /etc/ssh/sshd_config | |
| regexp: ^RhostsRSAAuthentication | |
| line: RhostsRSAAuthentication no | |
| validate: sshd -t -f %s | |
| tags: | |
| - sshd_disable_rhosts_rsa | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-CM-6(a) | |
| - NIST-800-171-3.1.12 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/> | |
| <check-content-ref name="oval:ssg-sshd_disable_rhosts_rsa:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding" selected="false" severity="high"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable Encrypted X11 Forwarding</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, remote X11 connections are not encrypted when initiated | |
| by users. SSH has the capability to encrypt remote X11 connections when SSH's | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">X11Forwarding</html:code> option is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| To enable X11 Forwarding, add or correct the | |
| following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">X11Forwarding yes</html:pre></description> | |
| <reference href="">5.2.4</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-2(1)(b)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Open X displays allow an attacker to capture keystrokes and to execute commands | |
| remotely.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_enable_x11_forwarding" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: Enable Encrypted X11 Forwarding | |
| lineinfile: | |
| create: yes | |
| dest: /etc/ssh/sshd_config | |
| regexp: ^X11Forwarding | |
| line: X11Forwarding yes | |
| validate: sshd -t -f %s | |
| tags: | |
| - sshd_enable_x11_forwarding | |
| - high_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-CM-2(1)(b) | |
| - NIST-800-171-3.1.13 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/> | |
| <check-content-ref name="oval:ssg-sshd_enable_x11_forwarding:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_enable_x11_forwarding_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable SSH Warning Banner</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To enable the warning banner and ensure it is consistent | |
| across the system, add or correct the following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">Banner /etc/issue</html:pre> | |
| Another section contains information on how to create an | |
| appropriate system-wide warning banner.</description> | |
| <reference href="">5.2.16</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000050</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001384</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001385</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001386</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001387</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001388</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(b)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(1)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(2)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(3)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023-GPOS-00006</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000024-GPOS-00007</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000228-GPOS-00088</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The warning message reinforces policy awareness during the logon process and | |
| facilitates possible legal action against attackers. Alternatively, systems | |
| whose ownership should not be obvious should ensure usage of a banner that does | |
| not provide easy attribution.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_enable_warning_banner" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: Enable SSH Warning Banner | |
| lineinfile: | |
| create: yes | |
| dest: /etc/ssh/sshd_config | |
| regexp: ^Banner | |
| line: Banner /etc/issue | |
| validate: sshd -t -f %s | |
| tags: | |
| - sshd_enable_warning_banner | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-8(a) | |
| - NIST-800-53-AC-8(b) | |
| - NIST-800-53-AC-8(c)(1) | |
| - NIST-800-53-AC-8(c)(2) | |
| - NIST-800-53-AC-8(c)(3) | |
| - NIST-800-171-3.1.9 | |
| - CJIS-5.5.6 | |
| </fix> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_enable_warning_banner_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_use_priv_separation" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable Use of Privilege Separation</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">When enabled, SSH will create an unprivileged child process that | |
| has the privilege of the authenticated user. To enable privilege separation in | |
| SSH, add or correct the following line in the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> file: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">UsePrivilegeSeparation sandbox</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH daemon privilege separation causes the SSH process to drop root privileges | |
| when they are not needed, which decreases the impact of software vulnerabilities in | |
| the unprivileged section.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_use_priv_separation" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: "Enable use of Privilege Separation" | |
| lineinfile: | |
| create: yes | |
| dest: /etc/ssh/sshd_config | |
| regexp: (?i)^#?useprivilegeseparation | |
| line: UsePrivilegeSeparation sandbox | |
| validate: sshd -t -f %s | |
| #notify: restart sshd | |
| tags: | |
| - sshd_use_priv_separation | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-6 | |
| - NIST-800-171-3.1.12 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/> | |
| <check-content-ref name="oval:ssg-sshd_use_priv_separation:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_use_priv_separation_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use Only FIPS 140-2 Validated Ciphers</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Limit the ciphers to those algorithms which are FIPS-approved. | |
| Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. | |
| The following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> demonstrates use of | |
| FIPS 140-2 validated ciphers: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">Ciphers aes128-ctr,aes192-ctr,aes256-ctr</html:pre> | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The following ciphers are FIPS 140-2 certified on RHEL 7: | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>- aes128-ctr | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>- aes192-ctr | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>- aes256-ctr | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>- aes128-cbc | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>- aes192-cbc | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>- aes256-cbc | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>- 3des-cbc | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>- rijndael-cbc@lysator.liu.se | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for | |
| RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.</description> | |
| <reference href="">5.2.10</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.8</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000803</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(2)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(b)(2)(i)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10(5)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000033-GPOS-00014</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000120-GPOS-00061</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000125-GPOS-00065</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000250-GPOS-00093</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000393-GPOS-00173</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore | |
| cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to | |
| cryptographic modules. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules | |
| utilize authentication that meets industry and government requirements. For government systems, this allows | |
| Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_use_approved_ciphers" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: Use Only Approved Ciphers | |
| lineinfile: | |
| create: yes | |
| dest: /etc/ssh/sshd_config | |
| regexp: ^Ciphers | |
| line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc | |
| validate: sshd -t -f %s | |
| #notify: restart sshd | |
| tags: | |
| - sshd_use_approved_ciphers | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-3 | |
| - NIST-800-53-AC-17(2) | |
| - NIST-800-53-AU-10(5) | |
| - NIST-800-53-CM-6(b) | |
| - NIST-800-53-IA-5(1)(c) | |
| - NIST-800-53-IA-7 | |
| - NIST-800-171-3.1.13 | |
| - NIST-800-171-3.13.11 | |
| - NIST-800-171-3.13.8 | |
| - CJIS-5.5.6 | |
| </fix> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_use_approved_ciphers_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Do Not Allow SSH Environment Options</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To ensure users are not able to override environment | |
| options to the SSH daemon, add or correct the following line | |
| in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">PermitUserEnvironment no</html:pre></description> | |
| <reference href="">5.2.10</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH environment options potentially allow users to bypass | |
| access restriction in some configurations.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_do_not_permit_user_env" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: Do Not Allow SSH Environment Options | |
| lineinfile: | |
| create: yes | |
| dest: /etc/ssh/sshd_config | |
| regexp: ^PermitUserEnvironment | |
| line: PermitUserEnvironment no | |
| validate: sshd -t -f %s | |
| tags: | |
| - sshd_do_not_permit_user_env | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-CM-6(b) | |
| - NIST-800-171-3.1.12 | |
| - CJIS-5.5.6 | |
| </fix> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_do_not_permit_user_env_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_use_approved_macs" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use Only FIPS 140-2 Validated MACs</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Limit the MACs to those hash algorithms which are FIPS-approved. | |
| The following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> demonstrates use | |
| of FIPS-approved MACs: | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">MACs hmac-sha2-512,hmac-sha2-256</html:pre> | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Only the following message authentication codes are FIPS 140-2 certified on RHEL 7: | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>- hmac-sha1 | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>- hmac-sha2-256 | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>- hmac-sha2-512 | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>- hmac-sha1-etm@openssh.com | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>- hmac-sha2-256-etm@openssh.com | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>- hmac-sha2-512-etm@openssh.com | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Any combination of the above MACs will pass this check. Official FIPS 140-2 paperwork for | |
| RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.</description> | |
| <reference href="">5.2.12</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.8</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001453</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(2)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(b)(2)(i)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000250-GPOS-00093</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">DoD Information Systems are required to use FIPS-approved cryptographic hash | |
| functions. The only SSHv2 hash algorithm meeting this requirement is SHA2.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_use_approved_macs" system="urn:xccdf:fix:script:sh"> | |
| sshd_approved_macs="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_sshd_approved_macs" use="legacy"/>" | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_function_replace_or_append" use="legacy"/> | |
| replace_or_append '/etc/ssh/sshd_config' '^MACs' "$sshd_approved_macs" '' '%s %s' | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sshd_use_approved_macs" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: XCCDF Value sshd_approved_macs # promote to variable | |
| set_fact: | |
| sshd_approved_macs: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_sshd_approved_macs" use="legacy"/> | |
| tags: | |
| - always | |
| - name: "Use Only Approved MACs" | |
| lineinfile: | |
| create: yes | |
| dest: /etc/ssh/sshd_config | |
| regexp: ^MACs | |
| line: "MACs {{ sshd_approved_macs }}" | |
| validate: sshd -t -f %s | |
| #notify: restart sshd | |
| tags: | |
| - sshd_use_approved_macs | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-17(2) | |
| - NIST-800-53-IA-7 | |
| - NIST-800-53-SC-13 | |
| - NIST-800-171-3.1.13 | |
| - NIST-800-171-3.13.11 | |
| - NIST-800-171-3.13.8 | |
| </fix> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_use_approved_macs_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set SSH authentication attempt limit</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">MaxAuthTries</html:code> parameter specifies the maximum number of authentication attempts | |
| permitted per connection. Once the number of failures reaches half this value, additional failures are logged. | |
| To set MaxAuthTries, edit <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> as follows: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">MaxAuthTries <html:b>tries</html:b></html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Setting the MaxAuthTries parameter to a low number will minimize the risk of successful | |
| brute force attacks against the SSH server.</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-sshd_max_auth_tries_value:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_max_auth_tries_value"/> | |
| <check-content-ref name="oval:ssg-sshd_set_max_auth_tries:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sshd_set_max_auth_tries_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Rule id="xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on SSH Server Public *.pub Key Files</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/*.pub</html:code>, run the command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chmod 0644 /etc/ssh/*.pub</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.10</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If a public host key file is modified by an unauthorized user, the SSH service | |
| may be compromised.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="file_permissions_sshd_pub_key" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="configure"> | |
| chmod 0644 /etc/ssh/*.pub | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="file_permissions_sshd_pub_key" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="configure">- name: Ensure permission 0644 on /etc/ssh/*.pub | |
| file: | |
| path: "{{ item }}" | |
| mode: 0644 | |
| with_items: | |
| - /etc/ssh/*.pub | |
| tags: | |
| - file_permissions_sshd_pub_key | |
| - medium_severity | |
| - configure_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-6 | |
| - NIST-800-171-3.1.13 | |
| - NIST-800-171-3.13.10 | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="file_permissions_sshd_pub_key" system="urn:xccdf:fix:script:puppet">include ssh_public_key_perms | |
| class ssh_public_key_perms { | |
| exec { 'sshd_pub_key': | |
| command => "chmod 0644 /etc/ssh/*.pub", | |
| path => '/bin:/usr/bin' | |
| } | |
| } | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-file_permissions_sshd_pub_key:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-file_permissions_sshd_pub_key_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on SSH Server Private *_key Key Files</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/*_key</html:code>, run the command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chmod 0640 /etc/ssh/*_key</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.10</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If an unauthorized user obtains the private SSH host key file, the host could be | |
| impersonated.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="file_permissions_sshd_private_key" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="configure"> | |
| chmod 0600 /etc/ssh/*_key | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="file_permissions_sshd_private_key" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="configure">- name: Ensure permission 0600 on /etc/ssh/*_key | |
| file: | |
| path: "{{ item }}" | |
| mode: 0600 | |
| with_items: | |
| - /etc/ssh/*_key | |
| tags: | |
| - file_permissions_sshd_private_key | |
| - medium_severity | |
| - configure_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-6 | |
| - NIST-800-171-3.1.13 | |
| - NIST-800-171-3.13.10 | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="file_permissions_sshd_private_key" system="urn:xccdf:fix:script:puppet">include ssh_private_key_perms | |
| class ssh_private_key_perms { | |
| exec { 'sshd_priv_key': | |
| command => "chmod 0640 /etc/ssh/*_key", | |
| path => '/bin:/usr/bin' | |
| } | |
| } | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-file_permissions_sshd_private_key:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-file_permissions_sshd_private_key_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_iptables_sshd_disabled" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remove SSH Server iptables Firewall exception (Unusual)</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, inbound connections to SSH's port are allowed. If | |
| the SSH server is not being used, this exception should be removed from the | |
| firewall configuration. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Edit the files <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/ip6tables</html:code> | |
| (if IPv6 is in use). In each file, locate and delete the line: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT</html:pre> | |
| This is unusual, as SSH is a common method for encrypted and authenticated | |
| remote access.</description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If inbound SSH connections are not expected, disallowing access to the SSH port will | |
| avoid possible exploitation of the port by an attacker.</rationale> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_proxy"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Proxy Server</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A proxy server is a very desirable target for a | |
| potential adversary because much (or all) sensitive data for a | |
| given infrastructure may flow through it. Therefore, if one is | |
| required, the system acting as a proxy server should be dedicated | |
| to that purpose alone and be stored in a physically secure | |
| location. The system's default proxy server software is Squid, which is | |
| provided in an RPM package of the same name.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_disabling_squid"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Squid if Possible</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If Squid was installed and activated, but the system | |
| does not need to act as a proxy server, then it should be disabled | |
| and removed.</description> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_openstack"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">OpenStack</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">TODO TODO TODO</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_ntp"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Network Time Protocol</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Network Time Protocol is used to manage the system | |
| clock over a network. Computer clocks are not very accurate, so | |
| time will drift unpredictably on unmanaged systems. Central time | |
| protocols can be used both to ensure that time is consistent among | |
| a network of systems, and that their time is consistent with the | |
| outside world. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| If every system on a network reliably reports the same time, then it is much | |
| easier to correlate log messages in case of an attack. In addition, a number of | |
| cryptographic protocols (such as Kerberos) use timestamps to prevent certain | |
| types of attacks. If your network does not have synchronized time, these | |
| protocols may be unreliable or even unusable. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Depending on the specifics of the network, global time accuracy may be just as | |
| important as local synchronization, or not very important at all. If your | |
| network is connected to the Internet, using a public timeserver (or one | |
| provided by your enterprise) provides globally accurate timestamps which may be | |
| essential in investigating or responding to an attack which originated outside | |
| of your network. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| A typical network setup involves a small number of internal systems operating | |
| as NTP servers, and the remainder obtaining time information from those | |
| internal servers. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| There is a choice between the daemons <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpd</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">chronyd</html:code>, which | |
| are available from the repositories in the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntp</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">chrony</html:code> | |
| packages respectively. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The default <html:code xmlns:html="http://www.w3.org/1999/xhtml">chronyd</html:code> daemon can work well when external time references | |
| are only intermittently accessible, can perform well even when the network is | |
| congested for longer periods of time, can usually synchronize the clock faster | |
| and with better time accuracy, and quickly adapts to sudden changes in the rate | |
| of the clock, for example, due to changes in the temperature of the crystal | |
| oscillator. <html:code xmlns:html="http://www.w3.org/1999/xhtml">chronyd</html:code> should be considered for all systems which are | |
| frequently suspended or otherwise intermittently disconnected and reconnected | |
| to a network, such as mobile and virtual systems. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpd</html:code> NTP daemon fully supports NTP protocol version 4 (RFC 5905), | |
| including broadcast, multicast, manycast clients and servers, and the orphan | |
| mode. It also supports extra authentication schemes based on public-key | |
| cryptography (RFC 5906). The NTP daemon (<html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpd</html:code>) should be considered | |
| for systems which are normally kept permanently on. Systems which are required | |
| to use broadcast or multicast IP, or to perform authentication of packets with | |
| the <html:code xmlns:html="http://www.w3.org/1999/xhtml">Autokey</html:code> protocol, should consider using <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpd</html:code>. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Refer to | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</html:a> for a more detailed comparison of the features of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">chronyd</html:code> | |
| and <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpd</html:code> daemons, and for further guidance on how to | |
| choose between the two NTP daemons. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The upstream manual pages at | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://chrony.tuxfamily.org/manual.html">http://chrony.tuxfamily.org/manual.html</html:a> for | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">chronyd</html:code> and | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://www.ntp.org">http://www.ntp.org</html:a> for <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpd</html:code> provide additional | |
| information on the capabilities and configuration of each of the NTP daemons.</description> | |
| <Value id="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Maximum NTP or Chrony Poll</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The maximum NTP or Chrony poll interval, expressed as the exponent of a power of two seconds.</description> | |
| <value selector="36_hours">17</value> | |
| <value>10</value> | |
| <value selector="system_default">10</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_multiple_time_servers" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Vendor Approved Time Servers</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The list of vendor-approved time servers</description> | |
| <value selector="fedora">0.fedora.pool.ntp.org,1.fedora.pool.ntp.org,2.fedora.pool.ntp.org,3.fedora.pool.ntp.org</value> | |
| <value selector="rhel">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</value> | |
| </Value> | |
| <Rule id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specify a Remote NTP Server</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To specify a remote NTP server for time synchronization, edit | |
| the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ntp.conf</html:code>. Add or correct the following lines, | |
| substituting the IP or hostname of a remote NTP server for <html:em xmlns:html="http://www.w3.org/1999/xhtml">ntpserver</html:em>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">server <html:i>ntpserver</html:i></html:pre> | |
| This instructs the NTP software to contact that remote server to obtain time | |
| data.</description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Synchronizing with an NTP server makes it possible | |
| to collate system logs from multiple sources or correlate computer events with | |
| real time events.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-ntpd_specify_remote_server_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specify Additional Remote NTP Servers</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Depending on specific functional requirements of a concrete | |
| production environment, the Red Hat Enterprise Linux 7 Server system can be | |
| configured to utilize the services of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">chronyd</html:code> NTP daemon (the | |
| default), or services of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpd</html:code> NTP daemon. Refer to | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</html:a> | |
| for a more detailed comparison of the features of both choices, and for | |
| further guidance on how to choose between the two NTP daemons. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Additional NTP servers can be specified for time synchronization. To do so, | |
| perform the following: | |
| <html:ul xmlns:html="http://www.w3.org/1999/xhtml"><html:li> if the system is configured to use <html:code>chronyd</html:code> as the NTP daemon | |
| (the default), edit the file <html:code>/etc/chrony.conf</html:code> as follows;</html:li><html:li> if the system is configured to use <html:code>ntpd</html:code> as the NTP daemon, | |
| edit the file <html:code>/etc/ntp.conf</html:code> as documented below.</html:li></html:ul> | |
| Add additional lines of the following form, substituting the IP address or | |
| hostname of a remote NTP server for <html:em xmlns:html="http://www.w3.org/1999/xhtml">ntpserver</html:em>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">server <html:i>ntpserver</html:i></html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specifying additional NTP servers increases the availability of | |
| accurate time data, in the event that one of the specified servers becomes | |
| unavailable. This is typical for a system acting as an NTP server for | |
| other systems.</rationale> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specify Additional Remote NTP Servers</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Additional NTP servers can be specified for time synchronization | |
| in the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ntp.conf</html:code>. To do so, add additional lines of the | |
| following form, substituting the IP address or hostname of a remote NTP server for | |
| <html:em xmlns:html="http://www.w3.org/1999/xhtml">ntpserver</html:em>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">server <html:i>ntpserver</html:i></html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specifying additional NTP servers increases the availability of | |
| accurate time data, in the event that one of the specified servers becomes | |
| unavailable. This is typical for a system acting as an NTP server for | |
| other systems.</rationale> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specify a Remote NTP Server</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Depending on the specific functional requirements of a concrete | |
| production environment, the Red Hat Enterprise Linux 7 Server system can be | |
| configured to use the services of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">chronyd</html:code> NTP daemon (the | |
| default) or those of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpd</html:code> NTP daemon. Refer to | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</html:a> | |
| for a more detailed comparison of the features of the two choices, and for | |
| further guidance on how to choose between the two NTP daemons. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| To specify a remote NTP server for time synchronization, perform the following: | |
| <html:ul xmlns:html="http://www.w3.org/1999/xhtml"> | |
| <html:li>if the system is configured to use <html:code>chronyd</html:code> as the NTP daemon (the default), edit the file <html:code>/etc/chrony.conf</html:code> as follows,</html:li> | |
| <html:li>if the system is configured to use <html:code>ntpd</html:code> as the NTP daemon, edit the file <html:code>/etc/ntp.conf</html:code> as documented below.</html:li> | |
| </html:ul> | |
| Add or correct the following lines, substituting the IP or hostname of a remote | |
| NTP server for <html:em xmlns:html="http://www.w3.org/1999/xhtml">ntpserver</html:em>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">server <html:i>ntpserver</html:i></html:pre> | |
| This instructs the NTP software to contact that remote server to obtain time | |
| data.</description> | |
| <reference href="">3.6</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Synchronizing with an NTP server makes it possible to collate system | |
| logs from multiple sources or correlate computer events with real time events.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-chronyd_or_ntpd_specify_remote_server_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable the NTP Daemon</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
| Run the following command to determine the current status of the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">chronyd</html:code> service: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ systemctl is-active chronyd</html:pre> | |
| If the service is running, it should return the following: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">active</html:pre> | |
| Note: The <html:code xmlns:html="http://www.w3.org/1999/xhtml">chronyd</html:code> daemon is enabled by default. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Run the following command to determine the current status of the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpd</html:code> service: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ systemctl is-active ntpd</html:pre> | |
| If the service is running, it should return the following: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">active</html:pre> | |
| Note: The <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpd</html:code> daemon is not enabled by default. As mentioned | |
| in the previous sections, however, in certain environments the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpd</html:code> daemon | |
| might be preferred over the <html:code xmlns:html="http://www.w3.org/1999/xhtml">chronyd</html:code> daemon. Refer to: | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</html:a> | |
| for guidance on which NTP daemon to choose for the environment in use.</description> | |
| <reference href="">2.2.1.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enabling either the <html:code xmlns:html="http://www.w3.org/1999/xhtml">chronyd</html:code> or the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpd</html:code> service ensures | |
| that the NTP daemon will be running and that the system will synchronize its | |
| time to any servers specified. This is important whether the system is | |
| configured to be a client (and synchronize only its own clock) or it is also | |
| acting as an NTP server to other systems. Synchronizing time is essential for | |
| authentication services such as Kerberos, but it is also important for | |
| maintaining accurate logs and auditing possible security breaches. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">chronyd</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpd</html:code> NTP daemons offer all of the | |
| functionality of <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpdate</html:code>, which is now deprecated. Additional | |
| information on this is available at | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</html:a></rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-service_chronyd_or_ntpd_enabled_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable the NTP Daemon</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> The <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpd</html:code> service can be enabled with the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo systemctl enable ntpd.service</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enabling the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpd</html:code> service ensures that the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpd</html:code> | |
| service will be running and that the system will synchronize its time to | |
| any servers specified. This is important whether the system is configured to be | |
| a client (and synchronize only its own clock) or it is also acting as an NTP | |
| server to other systems. Synchronizing time is essential for authentication | |
| services such as Kerberos, but it is also important for maintaining accurate | |
| logs and auditing possible security breaches. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The NTP daemon offers all of the functionality of <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpdate</html:code>, which is now | |
| deprecated. Additional information on this is available at | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</html:a>.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-service_ntpd_enabled_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Time Service Maxpoll Interval</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">maxpoll</html:code> option should be configured to | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy"/> in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ntp.conf</html:code> or | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/chrony.conf</html:code> to continuously poll time servers. To configure | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">maxpoll</html:code> in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ntp.conf</html:code> or <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/chrony.conf</html:code> | |
| add the following: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">maxpoll <sub idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy"/></html:pre></description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001891</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002046</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)(a)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000355-GPOS-00143</reference> | |
| <reference href="">SRG-OS-000356-GPOS-00144</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Inaccurate time stamps make it more difficult to correlate | |
| events and can lead to an inaccurate analysis. Determining the correct | |
| time a particular event occurred on a system is critical when conducting | |
| forensic analysis and investigating system events. Sources outside the | |
| configured acceptable allowance (drift) may be inaccurate.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-chronyd_or_ntpd_set_maxpoll_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_imap"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">IMAP and POP3 Server</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Dovecot provides IMAP and POP3 services. It is not | |
| installed by default. The project page at | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://www.dovecot.org">http://www.dovecot.org</html:a> | |
| contains more detailed information about Dovecot | |
| configuration.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_disabling_dovecot"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Dovecot</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the system does not need to operate as an IMAP or | |
| POP3 server, the dovecot software should be disabled and removed.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_configure_dovecot"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Dovecot if Necessary</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the system will operate as an IMAP or | |
| POP3 server, the dovecot software should be configured securely by following | |
| the recommendations below.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Allow IMAP Clients to Access the Server</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
| The default iptables configuration does not allow inbound access to any services. | |
| This modification will allow remote hosts to initiate connections to the IMAP daemon, | |
| while keeping all other ports on the server in their default protected state. | |
| To configure <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables</html:code> to allow port 143 traffic, one must edit | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables</html:code> and | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/ip6tables</html:code> (if IPv6 is in use). | |
| Add the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">-A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT</html:pre></description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable SSL Support</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSL should be used to encrypt network traffic between the | |
| Dovecot server and its clients. Users must authenticate to the Dovecot | |
| server in order to read their mail, and passwords should never be | |
| transmitted in clear text. In addition, protecting mail as it is | |
| downloaded is a privacy measure, and clients may use SSL certificates | |
| to authenticate the server, preventing another system from impersonating | |
| the server.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Support Only the Necessary Protocols</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Dovecot supports the IMAP and POP3 protocols, as well as | |
| SSL-protected versions of those protocols. Configure the Dovecot server | |
| to support only the protocols needed by your site. Edit <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/dovecot/dovecot.conf</html:code>. | |
| Add or correct the following lines, replacing <html:code xmlns:html="http://www.w3.org/1999/xhtml">PROTOCOL</html:code> with | |
| only the subset of protocols (<html:code xmlns:html="http://www.w3.org/1999/xhtml">imap</html:code>, <html:code xmlns:html="http://www.w3.org/1999/xhtml">imaps</html:code>, | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">pop3</html:code>, <html:code xmlns:html="http://www.w3.org/1999/xhtml">pop3s</html:code>) required: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">protocols = PROTOCOL</html:pre> | |
| If possible, require SSL protection for all transactions. The SSL | |
| protocol variants listen on alternate ports (995 instead of 110 for | |
| pop3s, and 993 instead of 143 for imaps), and require SSL-aware clients. | |
| An alternate approach is to listen on the standard port and require the | |
| client to use the STARTTLS command before authenticating.</description> | |
| </Group> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_snmp"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SNMP Server</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Simple Network Management Protocol allows | |
| administrators to monitor the state of network devices, including | |
| computers. Older versions of SNMP were well-known for weak | |
| security, such as plaintext transmission of the community string | |
| (used for authentication) and usage of easily-guessable | |
| choices for the community string.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_snmp_configure_server"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure SNMP Server if Necessary</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If it is necessary to run the snmpd agent on the system, some best | |
| practices should be followed to minimize the security risk from the | |
| installation. The multiple security models implemented by SNMP cannot be fully | |
| covered here so only the following general configuration advice can be offered: | |
| <html:ul xmlns:html="http://www.w3.org/1999/xhtml"> | |
| <html:li>use only SNMP version 3 security models and enable the use of authentication and encryption</html:li> | |
| <html:li>write access to the MIB (Management Information Base) should be allowed only if necessary</html:li> | |
| <html:li>all access to the MIB should be restricted following a principle of least privilege</html:li> | |
| <html:li>network access should be limited to the maximum extent possible, including restricting to expected network addresses both in the configuration files and in the system firewall rules</html:li> | |
| <html:li>ensure SNMP agents send traps only to, and accept SNMP queries only from, authorized management stations</html:li> | |
| <html:li>ensure that permissions on the <html:code>snmpd.conf</html:code> configuration file (by default, in <html:code>/etc/snmp</html:code>) are 640 or more restrictive</html:li> | |
| <html:li>ensure that any MIB files' permissions are also 640 or more restrictive</html:li> | |
| </html:ul></description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure SNMP Service to Use Only SNMPv3 or Newer</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Edit <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/snmp/snmpd.conf</html:code>, removing any references to <html:code xmlns:html="http://www.w3.org/1999/xhtml">rocommunity</html:code>, <html:code xmlns:html="http://www.w3.org/1999/xhtml">rwcommunity</html:code>, or <html:code xmlns:html="http://www.w3.org/1999/xhtml">com2sec</html:code>. | |
| Upon doing that, restart the SNMP service: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo service snmpd restart</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Earlier versions of SNMP are considered insecure, as they potentially allow | |
| unauthorized access to detailed system management information.</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-snmpd_use_newer_protocol:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-snmpd_use_newer_protocol_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_snmpd_not_default_password" selected="false" severity="high"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure Default SNMP Password Is Not Used</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Edit <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/snmp/snmpd.conf</html:code>, remove or change the default community strings of | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">public</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">private</html:code>. | |
| Once the default community strings have been changed, restart the SNMP service: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo service snmpd restart</html:pre></description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5.1(ii)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Whether active or not, default simple network management protocol (SNMP) community | |
| strings must be changed to maintain security. If the service is running with the | |
| default authenticators, then anyone can gather data about the system and the network | |
| and use the information to potentially compromise the integrity of the system and | |
| network(s).</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-snmpd_not_default_password:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-snmpd_not_default_password_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_disabling_snmp_service"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable SNMP Server if Possible</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The system includes an SNMP daemon that allows for its remote | |
| monitoring, though it is not installed by default. If it was installed and | |
| activated but is not needed, the software should be disabled and removed.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_package_net-snmp_removed" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Uninstall net-snmp Package</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">net-snmp</html:code> package provides the snmpd service. | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">net-snmp</html:code> package can be removed with the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo dnf erase net-snmp</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If there is no need to run SNMP server software, | |
| removing the package provides a safeguard against its | |
| activation.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="package_net-snmp_removed" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="disable"><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_function_package_remove" use="legacy"/> | |
| package_remove net-snmp | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="package_net-snmp_removed" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="disable">- name: Ensure net-snmp is removed | |
|   package: | |
|     name: "{{item}}" | |
|     state: absent | |
|   with_items: | |
|     - net-snmp | |
|   tags: | |
|     - package_net-snmp_removed | |
|     - unknown_severity | |
|     - disable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="package_net-snmp_removed" system="urn:xccdf:fix:script:puppet" complexity="low" disruption="low" strategy="disable">include remove_net-snmp | |
| class remove_net-snmp { | |
|   package { 'net-snmp': | |
|     ensure => 'purged', | |
|   } | |
| } | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="package_net-snmp_removed" system="urn:redhat:anaconda:pre" complexity="low" disruption="low" strategy="disable"> | |
| package --remove=net-snmp | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-package_net-snmp_removed:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-package_net-snmp_removed_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_http"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Web Server</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The web server is responsible for providing access to | |
| content via the HTTP protocol. Web servers represent a significant | |
| security risk because: | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| <html:ul xmlns:html="http://www.w3.org/1999/xhtml"> | |
| <html:li>The HTTP port is commonly probed by malicious sources</html:li> | |
| <html:li>Web server software is very complex, and includes a long history of vulnerabilities</html:li> | |
| <html:li>The HTTP protocol is unencrypted and vulnerable to passive monitoring</html:li> | |
| </html:ul> | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The system's default web server software is Apache 2 and is | |
| provided in the RPM package <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code>.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_installing_httpd"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Install Apache if Necessary</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code> was not installed and activated, but the system | |
| needs to act as a web server, then it should be installed on the system. Follow these | |
| guidelines to install it defensively. The <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code> package can be installed with | |
| the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo yum install httpd</html:pre> | |
| This method of installation is recommended over installing the "Web Server" | |
| package group during the system installation process. The Web Server package | |
| group includes many packages which are likely extraneous, while the | |
| command-line method installs only the required <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code> package itself.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Confirm Minimal Built-in Modules Installed</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The default <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code> installation minimizes the number of | |
| modules that are compiled directly into the binary (<html:code xmlns:html="http://www.w3.org/1999/xhtml">core prefork http_core | |
| mod_so</html:code>). This minimizes risk by limiting the capabilities allowed by the | |
| web server. | |
| Query the set of compiled-in modules using the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ httpd -l</html:pre> | |
| If the number of compiled-in modules is significantly larger than the | |
| aforementioned set, this guide recommends re-installing <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code> with a | |
| reduced configuration. Minimizing the number of modules that are compiled into | |
| the <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code> binary reduces risk by limiting the capabilities allowed by | |
| the web server.</description> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_disabling_httpd"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Apache if Possible</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If Apache was installed and activated, but the system | |
| does not need to act as a web server, then it should be disabled | |
| and removed from the system.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_securing_httpd"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Secure Apache Configuration</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code> configuration file is | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/httpd/conf/httpd.conf</html:code>. Apply the recommendations in the remainder | |
| of this section to this file.</description> | |
| <Value id="xccdf_org.ssgproject.content_value_var_max_keepalive_requests" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Maximum KeepAlive Requests for HTTPD</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The setting for MaxKeepAliveRequests in httpd.conf</description> | |
| <value selector="100">100</value> | |
| <value selector="1000">1000</value> | |
| <value selector="10000">10000</value> | |
| <value selector="100000">100000</value> | |
| <value selector="500">500</value> | |
| <value>100</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_loglevel" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">HTTPD Log Level</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The setting for LogLevel in /etc/httpd/conf/httpd.conf</description> | |
| <value selector="alert">alert</value> | |
| <value selector="crit">crit</value> | |
| <value>warn</value> | |
| <value selector="emerg">emerg</value> | |
| <value selector="error">error</value> | |
| <value selector="warn">warn</value> | |
| </Value> | |
| <Group id="xccdf_org.ssgproject.content_group_httpd_configure_php_securely"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure PHP Securely</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">PHP is a widely-used and often misconfigured server-side scripting language. It should | |
| be used with caution, but configured appropriately when needed. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Review <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/php.ini</html:code> and make the following changes if possible: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml"># Do not expose PHP error messages to external users | |
| display_errors = Off | |
| # Enable safe mode | |
| safe_mode = On | |
| # Only allow access to executables in isolated directory | |
| safe_mode_exec_dir = php-required-executables-path | |
| # Limit external access to PHP environment | |
| safe_mode_allowed_env_vars = PHP_ | |
| # Restrict PHP information leakage | |
| expose_php = Off | |
| # Log all errors | |
| log_errors = On | |
| # Do not register globals for input data | |
| register_globals = Off | |
| # Minimize allowable PHP post size | |
| post_max_size = 1K | |
| # Ensure PHP redirects appropriately | |
| cgi.force_redirect = 0 | |
| # Disallow uploading unless necessary | |
| file_uploads = Off | |
| # Disallow treatment of file requests as fopen calls | |
| allow_url_fopen = Off | |
| # Enable SQL safe mode | |
| sql.safe_mode = On | |
| </html:pre></description> | |
| </Group> | |
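A way to check a system's php.ini against the values listed in the fragment above, as an added example that is not part of the guide or of the scap-security-guide package: the directive names and expected values are those of the fragment, and the sample php.ini is constructed.

```python
"""Audit a php.ini against the values the guide's "Configure PHP Securely"
group lists.

Added example, not part of the SCAP Security Guide content. It parses the
ini syntax PHP uses, folds PHP's several boolean spellings to one form and
reports every listed directive as pass, fail or missing.
"""
import re

# Expected values, copied from the guide's php.ini fragment.
EXPECTED = {
    "display_errors": "Off",
    "safe_mode": "On",
    "safe_mode_exec_dir": "php-required-executables-path",
    "safe_mode_allowed_env_vars": "PHP_",
    "expose_php": "Off",
    "log_errors": "On",
    "register_globals": "Off",
    "post_max_size": "1K",
    "cgi.force_redirect": "0",
    "file_uploads": "Off",
    "allow_url_fopen": "Off",
    "sql.safe_mode": "On",
}

# php.ini accepts several spellings of each boolean; PHP's ini parser treats
# these as true and false respectively.
TRUE_WORDS = {"1", "on", "true", "yes"}
FALSE_WORDS = {"0", "off", "false", "no", "none", ""}


def normalise(value):
    """Fold a raw ini value to a comparable form: On/Off for booleans,
    upper-case for byte sizes such as 8M, otherwise the unquoted text."""
    v = value.strip().strip('"').strip("'")
    low = v.lower()
    if low in TRUE_WORDS:
        return "On"
    if low in FALSE_WORDS:
        return "Off"
    if re.fullmatch(r"\d+[kmg]?", low):
        return low.upper()
    return v


def parse_ini(text):
    """Return {directive: raw value} from php.ini text.

    ';' starts a comment (older files also used '#'), [section] headers are
    skipped and a later assignment overrides an earlier one, as in PHP.
    Semicolons inside quoted values are not special-cased here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line[0] in "#[":
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit(ini_text, expected=EXPECTED):
    """Return a list of (directive, status, found_value).

    status is 'pass', 'fail' or 'missing'. Missing is reported separately
    because several of the guide's directives no longer exist in current
    PHP (safe_mode and register_globals were removed in 5.4, sql.safe_mode
    in 7.2); a missing key there is not the same as a wrong value.
    """
    settings = parse_ini(ini_text)
    results = []
    for key, want in expected.items():
        if key not in settings:
            results.append((key, "missing", None))
        elif normalise(settings[key]) == normalise(want):
            results.append((key, "pass", settings[key]))
        else:
            results.append((key, "fail", settings[key]))
    return results


# Constructed sample php.ini fragment, not taken from any real system.
SAMPLE_PHP_INI = """
[PHP]
; a production file with two of the guide's settings still at risky values
display_errors = On          ; leaks paths and stack traces to clients
expose_php = Off
log_errors = On
post_max_size = 8M
cgi.force_redirect = 0
file_uploads = Off
allow_url_fopen = Off
"""

if __name__ == "__main__":
    for directive, status, found in audit(SAMPLE_PHP_INI):
        print(f"{status:8} {directive} = {found}")
```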
| <Group id="xccdf_org.ssgproject.content_group_httpd_secure_content"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure HTTPD-Served Web Content Securely</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Running <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code> inside a <html:code xmlns:html="http://www.w3.org/1999/xhtml">chroot</html:code> jail is designed to isolate the | |
| web server process to a small section of the filesystem, limiting the damage if | |
| it is compromised. Versions of Apache greater than 2.2.10 (such as the one | |
| included with Red Hat Enterprise Linux 7) provide the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ChrootDir</html:code> directive. To run Apache | |
| inside a chroot jail in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/chroot/apache</html:code>, add the following line to | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/httpd/conf/httpd.conf</html:code>: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">ChrootDir /chroot/apache</html:pre> This | |
| necessitates placing all files required by <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code> inside | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/chroot/apache</html:code> , including <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code>'s binaries, modules, | |
| configuration files, and served web pages. The details of this configuration | |
| are beyond the scope of this guide. This may also require additional SELinux | |
| configuration.</description> | |
| <Value id="xccdf_org.ssgproject.content_value_var_web_login_banner_text" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Web Login Banner Verbiage</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enter an appropriate login banner for your organization. Please note that new lines must | |
| be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.</description> | |
| <value selector="dod_banners">^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\
s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.)$</value> | |
| <value selector="dod_default">You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\
n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.</value> | |
| <value selector="dod_short">I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.</value> | |
| <value selector="dss_odaa_default">[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U.S.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information
[\s\n]+about[\s\n]+the[\s\n]+user,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.</value> | |
| <value selector="usgcb_default">--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.</value> | |
| </Value> | |
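As an added example (not from the guide or from scap-security-guide), how the regular-expression form used by the values above can be produced from plain banner text and checked against a banner as actually served; DOD_SHORT is copied from the dod_short selector, and the sample banner text is constructed.

```python
r"""Build and test banner patterns in the form the guide's
var_web_login_banner_text values use.

Added example, not SCAP Security Guide content. The guide stores each banner
as a regular expression with [\s\n]+ between words, so a banner that the
server wraps at any column still matches; this derives such a pattern from
plain banner text and checks a rendered banner against a stored pattern.
"""
import re

# Copied from the guide's dod_short selector above.
DOD_SHORT = (r"I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms"
             r"[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.")

# Characters given a backslash. The guide's values escape ( ) ' & and :;
# the remaining regex metacharacters are escaped here too, which makes a
# generated pattern stricter than the guide's own (its unescaped '.'
# matches any character).
ESCAPED = set("()'&:.[]{}*+?^$|\\")


def banner_to_pattern(text):
    r"""Turn plain banner text into a [\s\n]+-joined pattern.

    A literal backslash-n written by the administrator (the convention the
    value's description asks for) counts as a newline, and every whitespace
    run becomes [\s\n]+ so line wrapping does not matter.
    """
    words = text.replace("\\n", "\n").split()
    escaped = ["".join("\\" + ch if ch in ESCAPED else ch for ch in w)
               for w in words]
    return r"[\s\n]+".join(escaped)


def banner_matches(pattern, rendered):
    """True if the banner as actually served matches the stored pattern."""
    return re.fullmatch(pattern, rendered.strip()) is not None


# Constructed sample banner text, not an official notice.
SAMPLE_BANNER = "Authorized use only.\\nAll activity is logged."

if __name__ == "__main__":
    print(banner_to_pattern(SAMPLE_BANNER))
    print(banner_matches(DOD_SHORT,
                         "I've read & consent to terms in IS user agreem't."))
```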
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use Denial-of-Service Protection Modules</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Denial-of-service attacks are difficult to detect and prevent while maintaining | |
| acceptable access to authorized users. However, some traffic-shaping | |
| modules can be used to address the problem. Well-known DoS protection modules include: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">mod_cband mod_bwshare mod_limitipconn mod_evasive</html:pre> | |
| Denial-of-service prevention should be implemented for a web server if such a threat exists. | |
| However, specific configuration details are very dependent on the environment and often best left | |
| at the discretion of the administrator.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_httpd_modules_improve_security"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use Appropriate Modules to Improve <tt>httpd</tt>'s Security</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Among the modules available for <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code> are several whose use may improve the | |
| security of the web server installation. This section recommends and discusses | |
| the deployment of security-relevant modules.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Deploy <tt>mod_ssl</tt></title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Because HTTP is a plain text protocol, all traffic is susceptible to passive | |
| monitoring. If there is a need for confidentiality, SSL should be configured | |
| and enabled to encrypt content. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Note: <html:code xmlns:html="http://www.w3.org/1999/xhtml">mod_nss</html:code> is a FIPS 140-2 certified alternative to <html:code xmlns:html="http://www.w3.org/1999/xhtml">mod_ssl</html:code>. | |
| The modules share a considerable amount of code and should be nearly identical | |
| in functionality. If FIPS 140-2 validation is required, then <html:code xmlns:html="http://www.w3.org/1999/xhtml">mod_nss</html:code> should | |
| be used. If a feature provided only by <html:code xmlns:html="http://www.w3.org/1999/xhtml">mod_ssl</html:code>, or its greater compatibility, is required, | |
| then <html:code xmlns:html="http://www.w3.org/1999/xhtml">mod_ssl</html:code> should be used.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Deploy <tt>mod_security</tt></title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">security</html:code> module provides an application-level firewall for <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code>. | |
| Following its installation with the base ruleset, specific configuration advice can be found at | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://www.modsecurity.org/">http://www.modsecurity.org/</html:a> to design a policy that best matches the security needs of | |
| the web applications. Usage of <html:code xmlns:html="http://www.w3.org/1999/xhtml">mod_security</html:code> is highly recommended for some environments, | |
| but it should be noted this module does not ship with Red Hat Enterprise Linux itself, | |
| and instead is provided via Extra Packages for Enterprise Linux (EPEL). | |
| For more information on EPEL please refer to | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://fedoraproject.org/wiki/EPEL">http://fedoraproject.org/wiki/EPEL</html:a>.</description> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimize Web Server Loadable Modules</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A default installation of <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code> includes a plethora of dynamically shared objects (DSO) | |
| that are loaded at run-time. Unlike the aforementioned compiled-in modules, a DSO can be | |
| disabled in the configuration file by removing the corresponding LoadModule directive. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Note: A DSO only provides additional functionality if associated directives are included | |
| in the <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code> configuration file. It should also be noted that removing a DSO will produce | |
| errors on <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code> startup if the configuration file contains directives that apply to that | |
| module. Refer to <html:code xmlns:html="http://www.w3.org/1999/xhtml"><html:a href="http://httpd.apache.org/docs/">http://httpd.apache.org/docs/</html:a></html:code> for details on which directives | |
| are associated with each DSO. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Following each DSO removal, the configuration can be tested with the following command | |
| to check if everything still works: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo service httpd configtest</html:pre> | |
| The purpose of each of the modules loaded by default will now be addressed one at a time. | |
| If none of a module's directives are being used, remove it.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_httpd_core_modules"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"><tt>httpd</tt> Core Modules</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">These modules comprise a basic subset of modules that are likely needed for base <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code> | |
| functionality; ensure they are not commented out in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/httpd/conf/httpd.conf</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">LoadModule auth_basic_module modules/mod_auth_basic.so | |
| LoadModule authn_default_module modules/mod_authn_default.so | |
| LoadModule authz_host_module modules/mod_authz_host.so | |
| LoadModule authz_user_module modules/mod_authz_user.so | |
| LoadModule authz_groupfile_module modules/mod_authz_groupfile.so | |
| LoadModule authz_default_module modules/mod_authz_default.so | |
| LoadModule log_config_module modules/mod_log_config.so | |
| LoadModule logio_module modules/mod_logio.so | |
| LoadModule setenvif_module modules/mod_setenvif.so | |
| LoadModule mime_module modules/mod_mime.so | |
| LoadModule autoindex_module modules/mod_autoindex.so | |
| LoadModule negotiation_module modules/mod_negotiation.so | |
| LoadModule dir_module modules/mod_dir.so | |
| LoadModule alias_module modules/mod_alias.so</html:pre> | |
| Minimizing the number of loadable modules available to the web server reduces risk | |
| by limiting the capabilities allowed by the web server.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimize Configuration Files Included</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">Include</html:code> directive directs <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code> to load supplementary configuration files | |
| from a provided path. The default configuration loads all files that end in <html:code xmlns:html="http://www.w3.org/1999/xhtml">.conf</html:code> | |
| from the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/httpd/conf.d</html:code> directory. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| To restrict excess configuration, the following line should be commented out and | |
| replaced with <html:code xmlns:html="http://www.w3.org/1999/xhtml">Include</html:code> directives that only reference required configuration files: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">#Include conf.d/*.conf</html:pre> | |
| If the above change was made, ensure that the SSL encryption remains loaded by | |
| explicitly including the corresponding configuration file: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">Include conf.d/ssl.conf</html:pre> | |
| If PHP is necessary, a similar alteration must be made: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">Include conf.d/php.conf</html:pre> | |
| Explicitly listing the configuration files to be loaded during web server start-up avoids | |
| the possibility of unwanted or malicious configuration files being automatically included as | |
| part of the server's running configuration.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_httpd_basic_authentication"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimize Modules for HTTP Basic Authentication</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The following modules are necessary if this web server will provide content that will | |
| be restricted by a password. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Authentication can be performed using local plain text password files (<html:code xmlns:html="http://www.w3.org/1999/xhtml">authn_file</html:code>), | |
| local DBM password files (<html:code xmlns:html="http://www.w3.org/1999/xhtml">authn_dbm</html:code>) or an LDAP directory. The only module required by | |
| the web server depends on your choice of authentication. Comment out the modules you don't | |
| need from the following: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">LoadModule authn_file_module modules/mod_authn_file.so | |
| LoadModule authn_dbm_module modules/mod_authn_dbm.so</html:pre> | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">authn_alias</html:code> allows for authentication based on aliases. <html:code xmlns:html="http://www.w3.org/1999/xhtml">authn_anon</html:code> | |
| allows anonymous authentication similar to that of anonymous ftp sites. <html:code xmlns:html="http://www.w3.org/1999/xhtml">authz_owner</html:code> | |
| allows authorization based on file ownership. <html:code xmlns:html="http://www.w3.org/1999/xhtml">authz_dbm</html:code> allows for authorization | |
| based on group membership if the web server is using DBM authentication. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| If the above functionality is unnecessary, comment out the related module: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">#LoadModule authn_alias_module modules/mod_authn_alias.so | |
| #LoadModule authn_anon_module modules/mod_authn_anon.so | |
| #LoadModule authz_owner_module modules/mod_authz_owner.so | |
| #LoadModule authz_dbm_module modules/mod_authz_dbm.so</html:pre></description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_httpd_optional_components"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimize Various Optional Components</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The following modules perform very specific tasks, sometimes providing access to | |
| just a few additional directives. If such functionality is not required (or if you | |
| are not using these directives), comment out the associated module: | |
| <html:ul xmlns:html="http://www.w3.org/1999/xhtml"><html:li>External filtering (response passed through external program prior to client delivery) | |
| <html:pre>#LoadModule ext_filter_module modules/mod_ext_filter.so</html:pre></html:li><html:li>User-specified Cache Control and Expiration | |
| <html:pre>#LoadModule expires_module modules/mod_expires.so</html:pre></html:li><html:li>Compression Output Filter (provides content compression prior to client delivery) | |
| <html:pre>#LoadModule deflate_module modules/mod_deflate.so</html:pre></html:li><html:li>HTTP Response/Request Header Customization | |
| <html:pre>#LoadModule headers_module modules/mod_headers.so</html:pre></html:li><html:li>User activity monitoring via cookies | |
| <html:pre>#LoadModule usertrack_module modules/mod_usertrack.so</html:pre></html:li><html:li>Dynamically configured mass virtual hosting | |
| <html:pre>#LoadModule vhost_alias_module modules/mod_vhost_alias.so</html:pre></html:li></html:ul> | |
| Minimizing the number of loadable modules available to the web server reduces risk | |
| by limiting the capabilities allowed by the web server.</description> | |
| </Group> | |
| </Group> | |
| </Group> | |
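An added example (not part of the guide or of scap-security-guide) that applies the checks described in this section and in the Include section above to an httpd.conf: it flags core modules from the guide's list that are not loaded, optional modules from the guide's list that are loaded although none of their directives is used, and Include lines that pull in configuration by wildcard. The directive names used to detect module use come from the modules' own documentation, not from the guide, and the sample configuration is constructed.

```python
"""Audit LoadModule and Include directives in an httpd.conf.

Added example, not SCAP Security Guide content. It reports which of the
guide's core modules are not loaded, which of the guide's optional modules
are loaded although none of their directives is used, and which Include
lines pull configuration in by wildcard.
"""

# Core modules the guide lists as needed for base httpd functionality.
CORE_MODULES = {
    "auth_basic_module", "authn_default_module", "authz_host_module",
    "authz_user_module", "authz_groupfile_module", "authz_default_module",
    "log_config_module", "logio_module", "setenvif_module", "mime_module",
    "autoindex_module", "negotiation_module", "dir_module", "alias_module",
}

# Optional modules from the guide, each mapped to lower-cased directive or
# filter names whose presence shows the module is really in use. These
# names come from the modules' documentation, not from the guide.
OPTIONAL_MARKERS = {
    "ext_filter_module": {"extfilterdefine", "extfilteroptions"},
    "expires_module": {"expiresactive", "expiresbytype", "expiresdefault"},
    "deflate_module": {"deflate", "deflatecompressionlevel", "deflatefilternote"},
    "headers_module": {"header", "requestheader"},
    "usertrack_module": {"cookietracking", "cookiename", "cookiedomain",
                         "cookieexpires", "cookiestyle"},
    "vhost_alias_module": {"virtualdocumentroot", "virtualdocumentrootip",
                           "virtualscriptalias", "virtualscriptaliasip"},
}


def active_lines(text):
    """Yield configuration lines with blank lines and # comments dropped."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def audit_httpd_conf(text):
    """Return {'missing_core': [...], 'unused_optional': [...],
    'wildcard_includes': [...]} for the given httpd.conf text."""
    loaded = set()
    tokens = set()            # lower-cased words of all other directives
    wildcard_includes = []
    for line in active_lines(text):
        parts = line.split()
        directive = parts[0].lower()
        if directive == "loadmodule" and len(parts) == 3:
            loaded.add(parts[1])          # LoadModule name path
            continue
        if directive in ("include", "includeoptional") and len(parts) == 2:
            if any(ch in parts[1] for ch in "*?["):
                wildcard_includes.append(parts[1])
            continue
        tokens.update(p.lower() for p in parts)
    return {
        "missing_core": sorted(CORE_MODULES - loaded),
        # a loaded optional module none of whose directives appear anywhere
        "unused_optional": sorted(
            mod for mod, markers in OPTIONAL_MARKERS.items()
            if mod in loaded and tokens.isdisjoint(markers)
        ),
        "wildcard_includes": wildcard_includes,
    }


# Constructed sample, not a real system's httpd.conf: mime_module has been
# commented out, usertrack is loaded but never configured, and conf.d is
# still included by wildcard alongside an explicit ssl.conf include.
SAMPLE_HTTPD_CONF = """
ServerRoot "/etc/httpd"
Listen 80
#LoadModule mime_module modules/mod_mime.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule deflate_module modules/mod_deflate.so
Header always set X-Content-Type-Options nosniff
AddOutputFilterByType DEFLATE text/html
Include conf.d/*.conf
Include conf.d/ssl.conf
"""
```

This is a static check of one file; after removing a module, the `configtest` command shown above remains the authoritative test that the server still starts.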
| <Group id="xccdf_org.ssgproject.content_group_httpd_directory_restrictions"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Directory Restrictions</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Directory tags in the web server configuration file allow finer grained access | |
| control for a specified directory. All web directories should be configured on a | |
| case-by-case basis, allowing access only where needed.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Operating System to Protect Web Server</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The following configuration steps should be taken on the system which hosts the | |
| web server, in order to provide as safe an environment as possible for the web server.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict File and Directory Access</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimize access to critical <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code> files and directories.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_httpd_chroot"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Run <tt>httpd</tt> in a <tt>chroot</tt> Jail if Practical</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Running <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code> inside a <html:code xmlns:html="http://www.w3.org/1999/xhtml">chroot</html:code> jail is designed to isolate the | |
| web server process to a small section of the filesystem, limiting the damage if | |
| it is compromised. Versions of Apache greater than 2.2.10 (such as the one | |
| included with Fedora) provide the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ChrootDir</html:code> directive. To run Apache | |
| inside a chroot jail in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/chroot/apache</html:code>, add the following line to | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/httpd/conf/httpd.conf</html:code>: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">ChrootDir /chroot/apache</html:pre> This | |
| necessitates placing all files required by <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code> inside | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/chroot/apache</html:code> , including <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd</html:code>'s binaries, modules, | |
| configuration files, and served web pages. The details of this configuration | |
| are beyond the scope of this guide. This may also require additional SELinux | |
| configuration.</description> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure PERL Securely</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">PERL (Practical Extraction and Report Language) is an interpreted language | |
| optimized for scanning arbitrary text files, extracting information from those | |
| text files, and printing reports based on that information. The language is | |
| often used in shell scripting and is intended to be a practical, easy-to-use, and | |
| efficient means of generating interactive web pages for the user.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict Web Server Information Leakage</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">ServerTokens</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">ServerSignature</html:code> directives determine how | |
| much information the web server discloses about the configuration of the | |
| system.</description> | |
| </Group> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_avahi"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Avahi Server</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Avahi daemon implements the DNS Service Discovery | |
| and Multicast DNS protocols, which provide service and host | |
| discovery on a network. It allows a system to automatically | |
| identify resources on the network, such as printers or web servers. | |
| This capability is also known as mDNSresponder and is a major part | |
| of Zeroconf networking.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_disable_avahi_group"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Avahi Server if Possible</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Because the Avahi daemon service keeps an open network | |
| port, it is subject to network attacks. | |
| Disabling it can reduce the system's vulnerability to such attacks.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_avahi_configuration"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Avahi if Necessary</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If your system requires the Avahi daemon, its configuration can be restricted | |
| to improve security. The Avahi daemon configuration file is | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/avahi/avahi-daemon.conf</html:code>. The following security recommendations | |
| should be applied to this file. | |
| See the <html:code xmlns:html="http://www.w3.org/1999/xhtml">avahi-daemon.conf(5)</html:code> man page, or documentation at | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://www.avahi.org">http://www.avahi.org</html:a>, for more detailed information | |
| about the configuration options.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_avahi_disable_publishing" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Avahi Publishing</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To prevent Avahi from publishing its records, edit <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/avahi/avahi-daemon.conf</html:code> | |
| and ensure the following line appears in the <html:code xmlns:html="http://www.w3.org/1999/xhtml">[publish]</html:code> section: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">disable-publishing=yes</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This helps ensure that no record will be published by Avahi.</rationale> | |
| </Rule> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_xwindows"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">X Window System</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The X Window System implementation included with the | |
| system is called X.org.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_disabling_xwindows"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable X Windows</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unless there is a mission-critical reason for the | |
| system to run a graphical user interface, ensure X is not set to start | |
| automatically at boot and remove the X Windows software packages. | |
| There is usually no reason to run X Windows | |
| on a dedicated server system, as it increases the system's attack surface and consumes | |
| system resources. Administrators of server systems should instead login via | |
| SSH or on the text console.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remove the X Windows Package Group</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By removing the xorg-x11-server-common package, the system no longer has X Windows | |
| installed. If X Windows is not installed then the system cannot boot into graphical user mode. | |
| This prevents the system from being accidentally or maliciously booted into a <html:code xmlns:html="http://www.w3.org/1999/xhtml">graphical.target</html:code> | |
| mode. To do so, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo yum groupremove "X Window System"</html:pre> | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo yum remove xorg-x11-server-common</html:pre></description> | |
| <reference href="">2.2.2</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8).1(ii)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unnecessary service packages must not be installed to decrease the attack surface of the system. X Windows has a long history of security | |
| vulnerabilities and should not be installed unless approved and documented.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="package_xorg-x11-server-common_removed" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="disable"><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_function_package_remove" use="legacy"/> | |
| package_remove xorg-x11-server-common | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="package_xorg-x11-server-common_removed" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="disable">- name: Ensure xorg-x11-server-common is removed | |
| package: | |
| name: "{{item}}" | |
| state: absent | |
| with_items: | |
| - xorg-x11-server-common | |
| tags: | |
| - package_xorg-x11-server-common_removed | |
| - medium_severity | |
| - disable_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-17(8).1(ii) | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="package_xorg-x11-server-common_removed" system="urn:xccdf:fix:script:puppet" complexity="low" disruption="low" strategy="disable">include remove_xorg-x11-server-common | |
| class remove_xorg-x11-server-common { | |
| package { 'xorg-x11-server-common': | |
| ensure => 'purged', | |
| } | |
| } | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="package_xorg-x11-server-common_removed" system="urn:redhat:anaconda:pre" complexity="low" disruption="low" strategy="disable"> | |
| package --remove=xorg-x11-server-common | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-package_xorg-x11-server-common_removed:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-package_xorg-x11-server-common_removed_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_xwindows_runlevel_target" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable X Windows Startup By Setting Default Target</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Systems that do not require a graphical user interface should only boot by | |
| default into <html:code xmlns:html="http://www.w3.org/1999/xhtml">multi-user.target</html:code> mode. This prevents accidental booting of the system | |
| into a <html:code xmlns:html="http://www.w3.org/1999/xhtml">graphical.target</html:code> mode. Setting the system's default target to | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">multi-user.target</html:code> will prevent automatic startup of the X server. To do so, run: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ systemctl set-default multi-user.target</html:pre> | |
| You should see the following output: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">rm '/etc/systemd/system/default.target' | |
| ln -s '/usr/lib/systemd/system/multi-user.target' '/etc/systemd/system/default.target'</html:pre></description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8).1(ii)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Services that are not required for system and application processes | |
| must not be active to decrease the attack surface of the system. X Windows has a | |
| long history of security vulnerabilities and should not be used unless approved | |
| and documented.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-xwindows_runlevel_target_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_dhcp"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">DHCP</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Dynamic Host Configuration Protocol (DHCP) allows | |
| systems to request and obtain an IP address and other configuration | |
| parameters from a server. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| This guide recommends configuring networking on clients by manually editing | |
| the appropriate files under <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig</html:code>. Use of DHCP can make client | |
| systems vulnerable to compromise by rogue DHCP servers, and should be avoided | |
| unless necessary. If using DHCP is necessary, however, there are best practices | |
| that should be followed to minimize security risk.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_dhcp_client_configuration"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure DHCP Client if Necessary</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If DHCP must be used, then certain configuration changes can | |
| minimize the amount of information it receives and applies from the network, | |
| and thus the amount of incorrect information a rogue DHCP server could | |
| successfully distribute. For more information on configuring dhclient, see the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">dhclient(8)</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">dhclient.conf(5)</html:code> man pages.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_dhcp_client_restrict_options" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimize the DHCP-Configured Options</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Create the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/dhcp/dhclient.conf</html:code>, and add an | |
| appropriate setting for each of the ten configuration settings which can be | |
| obtained via DHCP. For each setting, do one of the following: | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| If the setting should <html:i xmlns:html="http://www.w3.org/1999/xhtml">not</html:i> be configured remotely by the DHCP server, | |
| select an appropriate static value, and add the line: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">supersede <html:code>setting value</html:code>;</html:pre> | |
| If the setting should be configured remotely by the DHCP server, add the lines: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">request <html:code>setting</html:code>; | |
| require <html:code>setting</html:code>;</html:pre> | |
| For example, suppose the DHCP server should provide only the IP address itself | |
| and the subnet mask. Then the entire file should look like: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">supersede domain-name "example.com"; | |
| supersede domain-name-servers 192.168.1.2; | |
| supersede nis-domain ""; | |
| supersede nis-servers ""; | |
| supersede ntp-servers "ntp.example.com"; | |
| supersede routers 192.168.1.1; | |
| supersede time-offset -18000; | |
| request subnet-mask; | |
| require subnet-mask;</html:pre></description> | |
| <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">In this example, the options nis-servers and | |
| nis-domain are set to empty strings, on the assumption that the deprecated NIS | |
| protocol is not in use. It is necessary to supersede settings for unused | |
| services so that they cannot be set by a hostile DHCP server. If an option is | |
| set to an empty string, dhclient will typically not attempt to configure the | |
| service.</warning> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the DHCP client program, dhclient, requests and applies | |
| ten configuration options (in addition to the IP address) from the DHCP server: | |
| subnet-mask, broadcast-address, time-offset, routers, domain-name, | |
| domain-name-servers, host-name, nis-domain, nis-servers, and ntp-servers. Many | |
| of the options requested and applied by dhclient may be the same for every | |
| system on a network. It is recommended that almost all configuration options be | |
| assigned statically, and only options which must vary on a host-by-host basis | |
| be assigned via DHCP. This limits the damage which can be done by a rogue DHCP | |
| server. If appropriate for your site, it is also possible to supersede the | |
| host-name directive in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/dhcp/dhclient.conf</html:code>, establishing a static | |
| hostname for the system. However, dhclient does not use the host name option | |
| provided by the DHCP server (instead using the value provided by a reverse DNS | |
| lookup).</rationale> | |
| </Rule> | |
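A shell audit for this rule, added here as an example and not part of the SCAP Security Guide content: it normalises a dhclient.conf into one statement per line and reports, for each of the ten options dhclient applies by default, whether it is superseded or both requested and required. Run against the sample file from the rule it flags broadcast-address and host-name as unhandled, since that file covers only eight of the ten options.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide content): audit a dhclient.conf against the
# "Minimize the DHCP-Configured Options" rule. Each of the ten options that dhclient
# applies by default must either be superseded with a static value or be both
# requested and required from the DHCP server; anything else is reported as unhandled.

DHCLIENT_DEFAULT_OPTIONS="subnet-mask broadcast-address time-offset routers domain-name \
domain-name-servers host-name nis-domain nis-servers ntp-servers"

# Print one statement per line: comments removed, statements rejoined across line
# breaks, split on ';' and on block braces, whitespace folded to single spaces.
dhclient_stmts() {
    sed -e 's/#.*$//' "$1" | tr '\n;{}' ' \n\n\n' |
        sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' -e '/^$/d'
}

# Succeed if option $2 is superseded in file $1 (whatever the static value is).
dhclient_superseded() {
    dhclient_stmts "$1" | grep -Eq "^supersede $2"'( |$)'
}

# Print the option names listed in every "$2 a, b, c" statement ($2 is request or require).
dhclient_listed() {
    dhclient_stmts "$1" | sed -n "s/^$2 //p" | tr ',' '\n' | tr -d ' '
}

# Succeed if option $2 is both requested and required in file $1.
dhclient_requested_and_required() {
    if dhclient_listed "$1" request | grep -qx "$2"; then
        dhclient_listed "$1" require | grep -qx "$2"
    else
        return 1
    fi
}

# Print a verdict per default option; return the number left unhandled (0 = compliant).
dhclient_audit() {
    unhandled=0
    for opt in $DHCLIENT_DEFAULT_OPTIONS; do
        if dhclient_superseded "$1" "$opt"; then
            echo "OK    supersede        $opt"
        elif dhclient_requested_and_required "$1" "$opt"; then
            echo "OK    request+require  $opt"
        else
            echo "FAIL  unhandled        $opt"
            unhandled=$((unhandled + 1))
        fi
    done
    return "$unhandled"
}

# Constructed sample: the example dhclient.conf from the rule, written to a temp file.
sample=$(mktemp)
printf '%s\n' 'supersede domain-name "example.com";' \
    'supersede domain-name-servers 192.168.1.2;' \
    'supersede nis-domain "";' 'supersede nis-servers "";' \
    'supersede ntp-servers "ntp.example.com";' \
    'supersede routers 192.168.1.1;' 'supersede time-offset -18000;' \
    'request subnet-mask;' 'require subnet-mask;' > "$sample"
dhclient_audit "$sample"
echo "unhandled options: $?"
rm -f "$sample"
```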
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_disabling_dhcp_server"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable DHCP Server</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The DHCP server <html:code xmlns:html="http://www.w3.org/1999/xhtml">dhcpd</html:code> is not installed or activated by | |
| default. If the software was installed and activated, but the | |
| system does not need to act as a DHCP server, it should be disabled | |
| and removed.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_dhcp_server_configuration"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure DHCP Server</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the system must act as a DHCP server, the configuration | |
| information it serves should be minimized. Also, support for other protocols | |
| and DNS-updating schemes should be explicitly disabled unless needed. The | |
| configuration file for dhcpd is called <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/dhcp/dhcpd.conf</html:code>. The file | |
| begins with a number of global configuration options. The remainder of the file | |
| is divided into sections, one for each block of addresses offered by dhcpd, | |
| each of which contains configuration options specific to that address | |
| block.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_dhcp_server_minimize_served_info" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimize Served Information</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Edit /etc/dhcp/dhcpd.conf. Examine each address range section within | |
| the file, and ensure that the following options are not defined unless there is | |
| an operational need to provide this information via DHCP: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">option domain-name | |
| option domain-name-servers | |
| option nis-domain | |
| option nis-servers | |
| option ntp-servers | |
| option routers | |
| option time-offset</html:pre></description> | |
| <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">By default, the Red Hat Enterprise Linux client installation uses DHCP | |
| to request much of the above information from the DHCP server. In particular, | |
| domain-name, domain-name-servers, and routers are configured via DHCP. These | |
| settings are typically necessary for proper network functionality, but are also | |
| usually static across systems at a given site.</warning> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Because the configuration information provided by the DHCP server | |
| could be maliciously provided to clients by a rogue DHCP server, the amount of | |
| information provided via DHCP should be minimized. Remove these definitions | |
| from the DHCP server configuration to ensure that legitimate clients do not | |
| unnecessarily rely on DHCP for this information.</rationale> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable DHCP Client</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">DHCP is the default network configuration method provided by the system | |
| installer, and common on many networks. Nevertheless, manual management | |
| of IP addresses for systems implies a greater degree of management and | |
| accountability for network activity.</description> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_ftp"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">FTP Server</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">FTP is a common method for allowing remote access to | |
| files. Like telnet, the FTP protocol is unencrypted, which means | |
| that passwords and other data transmitted during the session can be | |
| captured and that the session is vulnerable to hijacking. | |
| Therefore, running the FTP server software is not recommended. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| However, there are some FTP server configurations which may | |
| be appropriate for some environments, particularly those which | |
| allow only read-only anonymous access as a means of downloading | |
| data available to the public.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_disabling_vsftpd"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable vsftpd if Possible</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To minimize attack surface, disable vsftpd if at all | |
| possible.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use vsftpd to Provide FTP Service if Necessary</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If your use-case requires FTP service, install and | |
| set up vsftpd to provide it.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Install vsftpd Package</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If this system must operate as an FTP server, install the <html:code xmlns:html="http://www.w3.org/1999/xhtml">vsftpd</html:code> package via the standard channels. | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo yum install vsftpd</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">After Red Hat Enterprise Linux 2.1, Red Hat switched from distributing wu-ftpd with Red Hat Enterprise Linux to distributing vsftpd. For security | |
| and for consistency with future Red Hat releases, the use of vsftpd is recommended.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="package_vsftpd_installed" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_function_package_install" use="legacy"/> | |
| package_install vsftpd | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="package_vsftpd_installed" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: Ensure vsftpd is installed | |
| package: | |
| name: "{{item}}" | |
| state: present | |
| with_items: | |
| - vsftpd | |
| tags: | |
| - package_vsftpd_installed | |
| - unknown_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-CM-7 | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="package_vsftpd_installed" system="urn:xccdf:fix:script:puppet" complexity="low" disruption="low" strategy="enable">include install_vsftpd | |
| class install_vsftpd { | |
| package { 'vsftpd': | |
| ensure => 'installed', | |
| } | |
| } | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="package_vsftpd_installed" system="urn:redhat:anaconda:pre" complexity="low" disruption="low" strategy="enable"> | |
| package --add=vsftpd | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-package_vsftpd_installed:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure vsftpd to Provide FTP Service if Necessary</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The primary vsftpd configuration file is | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/vsftpd.conf</html:code>, if that file exists, or | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/vsftpd/vsftpd.conf</html:code> if it does not.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_ftp_restrict_users"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict the Set of Users Allowed to Access FTP</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to | |
| do this entirely due to legacy applications, how to restrict insecure FTP login to only those users who have an | |
| identified need for this access.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict Access to Anonymous Users if Possible</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Is there a mission-critical reason for users to transfer files to/from their own accounts using FTP, rather than | |
| using a secure protocol like SCP/SFTP? If not, edit the vsftpd configuration file. Add or correct the following configuration option: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">local_enable=NO</html:pre> | |
| If non-anonymous FTP logins are necessary, follow the guidance in the remainder of this section to secure | |
| these logins as much as possible.</description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The use of non-anonymous FTP logins is strongly discouraged. Since SSH clients and servers are widely available, and since SSH provides support for a transfer mode which resembles FTP in user interface, there is no good reason to allow password-based FTP access.</rationale> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_ftp_limit_users" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Limit Users Allowed FTP Access if Necessary</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add or correct the following configuration options: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">userlist_enable=YES | |
| userlist_file=/etc/vsftp.ftpusers | |
| userlist_deny=NO</html:pre> | |
| Edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/vsftp.ftpusers</html:code>. For each user USERNAME who should be allowed to access the system via FTP, add a line containing that user's name: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">USERNAME</html:pre> | |
| If anonymous access is also required, add the anonymous usernames to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/vsftp.ftpusers</html:code> as well. | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">anonymous | |
| ftp</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Historically, the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ftpusers</html:code> contained a list of users who were not allowed to access the system via FTP. It was used to prevent system users such as the root user from logging in via the insecure FTP protocol. However, when the configuration option <html:code xmlns:html="http://www.w3.org/1999/xhtml">userlist_deny=NO</html:code> is set, vsftpd interprets ftpusers as the set of users who are allowed to login via FTP. Since it should be possible for most users to access their accounts via secure protocols, it is recommended that this setting be used, so that non-anonymous FTP access can be limited to legacy users who have been explicitly identified.</rationale> | |
| </Rule> | |
| </Group> | |
| <Rule id="xccdf_org.ssgproject.content_rule_ftp_present_banner" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Create Warning Banners for All FTP Users</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Edit the vsftpd configuration file, which resides at <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/vsftpd/vsftpd.conf</html:code> | |
| by default. Add or correct the following configuration options: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">banner_file=/etc/issue</html:pre></description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This setting will cause the system greeting banner to be used for FTP connections as well.</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-ftp_present_banner:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-ftp_present_banner_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_ftp_log_transactions" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable Logging of All FTP Transactions</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add or correct the following configuration options within the <html:code xmlns:html="http://www.w3.org/1999/xhtml">vsftpd</html:code> | |
| configuration file, located at <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/vsftpd/vsftpd.conf</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">xferlog_enable=YES | |
| xferlog_std_format=NO | |
| log_ftp_protocol=YES</html:pre></description> | |
| <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">If verbose logging to <html:code xmlns:html="http://www.w3.org/1999/xhtml">vsftpd.log</html:code> is done, sparse logging of | |
| downloads to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/log/xferlog</html:code> will not also occur. However, | |
| the information about what files were downloaded is included in the | |
| information logged to <html:code xmlns:html="http://www.w3.org/1999/xhtml">vsftpd.log</html:code>.</warning> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to | |
| the FTP server are logged using the verbose vsftpd log | |
| format. The default vsftpd log file is <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/log/vsftpd.log</html:code>.</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-ftp_log_transactions:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_ftp_configure_firewall" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Firewalls to Protect the FTP Server</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
| By default, <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables</html:code> | |
| blocks access to the ports used by the FTP server. | |
| To configure <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables</html:code> to allow port 21 traffic, one must edit | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables</html:code> and | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/ip6tables</html:code> (if IPv6 is in use). | |
| Add the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT</html:pre> | |
| Edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables-config</html:code>. Ensure that the space-separated list of modules contains | |
| the FTP connection tracking module: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">IPTABLES_MODULES="ip_conntrack_ftp"</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">These settings configure the firewall to allow connections to an FTP server. | |
| The first line allows initial connections to the FTP server port. | |
| FTP is an older protocol which is not very compatible with firewalls. During the initial FTP dialogue, the client | |
| and server negotiate an arbitrary port to be used for data transfer. The <html:code xmlns:html="http://www.w3.org/1999/xhtml">ip_conntrack_ftp</html:code> module is used by | |
| iptables to listen to that dialogue and allow connections to the data ports which FTP negotiates. This allows an | |
| FTP server to operate on a system which is running a firewall.</rationale> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable FTP Uploads if Possible</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Is there a mission-critical reason for users to upload files via FTP? If not, | |
| edit the vsftpd configuration file to add or correct the following configuration options: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">write_enable=NO</html:pre> | |
| If FTP uploads are necessary, follow the guidance in the remainder of this section to secure these transactions | |
| as much as possible.</description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Anonymous FTP can be a convenient way to make files available for universal download. However, it is less | |
| common to have a need to allow unauthenticated users to place files on the FTP server. If this must be done, it | |
| is necessary to ensure that files cannot be uploaded and downloaded from the same directory.</rationale> | |
| </Rule> | |
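An audit script covering the vsftpd.conf settings from the rules above (anonymous-only access, the user allow list, the warning banner, transaction logging and uploads), added here as an example and not part of the SCAP Security Guide content. The configuration it checks is constructed; on a real system pass vsftpd_audit whichever file is in use, /etc/vsftpd.conf or /etc/vsftpd/vsftpd.conf.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide content): audit a vsftpd configuration file
# against the vsftpd rules of this section. vsftpd reads "option=value" lines with no
# whitespace around '=' and ignores lines beginning with '#'; when an option is
# assigned more than once, the last assignment wins.

# Print the effective value of option $2 in file $1 (empty when unset).
vsftpd_value() {
    grep -E "^$2=" "$1" | tail -n 1 | sed -e "s/^$2=//"
}

# Compare option $2 in file $1 with expected value $3; print a verdict, succeed on match.
vsftpd_expect() {
    actual=$(vsftpd_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "OK    $2=$3"
    else
        echo "FAIL  $2: expected '$3', found '${actual:-unset}'"
        return 1
    fi
}

# Apply the checks; return the number of findings (0 means every rule is satisfied).
vsftpd_audit() {
    f="$1"; findings=0
    # Disable FTP Uploads, Create Warning Banners, Enable Logging of All FTP Transactions
    for pair in write_enable=NO banner_file=/etc/issue xferlog_enable=YES \
                xferlog_std_format=NO log_ftp_protocol=YES; do
        vsftpd_expect "$f" "${pair%%=*}" "${pair#*=}" || findings=$((findings + 1))
    done
    # Restrict Access to Anonymous Users if Possible / Limit Users Allowed FTP Access
    if [ "$(vsftpd_value "$f" local_enable)" = "YES" ]; then
        echo "INFO  local_enable=YES: password logins stay on, so the user list must be an allow list"
        for pair in userlist_enable=YES userlist_deny=NO; do
            vsftpd_expect "$f" "${pair%%=*}" "${pair#*=}" || findings=$((findings + 1))
        done
        echo "INFO  allow-list file: $(vsftpd_value "$f" userlist_file)"
    else
        vsftpd_expect "$f" local_enable NO || findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: a permissive configuration whose user list still acts as a deny list.
sample=$(mktemp)
printf '%s\n' 'anonymous_enable=YES' 'local_enable=YES' 'write_enable=YES' \
    '# write_enable=NO   (commented out, so it has no effect)' \
    'userlist_enable=YES' 'userlist_file=/etc/vsftp.ftpusers' 'userlist_deny=YES' \
    'xferlog_enable=YES' 'xferlog_std_format=YES' 'banner_file=/etc/issue' > "$sample"
vsftpd_audit "$sample"
echo "findings: $?"
rm -f "$sample"
```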
| <Rule id="xccdf_org.ssgproject.content_rule_ftp_home_partition" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Place the FTP Home Directory on its Own Partition</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the anonymous FTP root is the home directory of the FTP user account. The <html:code xmlns:html="http://www.w3.org/1999/xhtml">df</html:code> command can | |
| be used to verify that this directory is on its own partition.</description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If there is a mission-critical reason for anonymous users to upload files, precautions must be taken to prevent | |
| these users from filling a disk used by other services.</rationale> | |
| </Rule> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_smb"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Samba(SMB) Microsoft Windows File Sharing Server</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">When properly configured, the Samba service allows | |
| Linux systems to provide file and print sharing to Microsoft | |
| Windows systems. There are two software packages that provide | |
| Samba support. The first, <html:code xmlns:html="http://www.w3.org/1999/xhtml">samba-client</html:code>, provides a series of | |
| command line tools that enable a client system to access Samba | |
| shares. The second, simply labeled <html:code xmlns:html="http://www.w3.org/1999/xhtml">samba</html:code>, provides the Samba | |
| service. It is this second package that allows a Linux system to | |
| act as an Active Directory server, a domain controller, or as a | |
| domain member. Only the <html:code xmlns:html="http://www.w3.org/1999/xhtml">samba-client</html:code> package is installed by | |
| default.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_disabling_samba"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Samba if Possible</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Even after the Samba server package has been installed, it | |
| will remain disabled. Do not enable this service unless it is | |
| absolutely necessary to provide Microsoft Windows file and print | |
| sharing functionality.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_configuring_samba"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Samba if Necessary</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">All settings for the Samba daemon can be found in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/samba/smb.conf</html:code>. Settings are divided between a | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">[global]</html:code> configuration section and a series of user | |
| created share definition sections meant to describe file or print | |
| shares on the system. By default, Samba will operate in user mode | |
| and allow client systems to access local home directories and | |
| printers. It is recommended that these settings be changed or that | |
| additional limitations be set in place.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict SMB File Sharing to Configured Networks</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Only users with local user accounts will be able to log in to | |
| Samba shares by default. Shares can be limited to particular users or network | |
| addresses. Use the <html:code xmlns:html="http://www.w3.org/1999/xhtml">hosts allow</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">hosts deny</html:code> directives | |
| accordingly, and consider setting the valid users directive to a limited subset | |
| of users or to a group of users. Separate each address, user, or user group | |
| with a space as follows for a particular <html:i xmlns:html="http://www.w3.org/1999/xhtml">share</html:i> or global: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">[<html:i>share</html:i>] | |
| hosts allow = 192.168.1. 127.0.0.1 | |
| valid users = userone usertwo @usergroup</html:pre> | |
| It is also possible to limit read and write access to particular users with the | |
| read list and write list options, though the permissions set by the system | |
| itself will override these settings. Set the read only attribute for each share | |
| to ensure that global settings will not accidentally override the individual | |
| share settings. Then, as with the valid users directive, separate each user or | |
| group of users with a space: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">[<html:i>share</html:i>] | |
| read only = yes | |
| write list = userone usertwo @usergroup</html:pre></description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_smb_disable_printing"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict Printer Sharing</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, Samba utilizes the CUPS printing service to enable | |
| printer sharing with Microsoft Windows workstations. If there are no printers | |
| on the local system, or if printer sharing with Microsoft Windows is not | |
| required, disable the printer sharing capability by commenting out the | |
| following lines, found in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/samba/smb.conf</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">[global] | |
| load printers = yes | |
| cups options = raw | |
| [printers] | |
| comment = All Printers | |
| path = /usr/spool/samba | |
| browseable = no | |
| guest ok = no | |
| writable = no | |
| printable = yes</html:pre> | |
| There may be other options present, but these are the only options enabled and | |
| uncommented by default. Removing the <html:code xmlns:html="http://www.w3.org/1999/xhtml">[printers]</html:code> share should be enough | |
| for most users. If the Samba printer sharing capability is needed, consider | |
| disabling the Samba network browsing capability or restricting access to a | |
| particular set of users or network addresses. Set the <html:code xmlns:html="http://www.w3.org/1999/xhtml">valid users</html:code> | |
| parameter to a small subset of users or restrict it to a particular group of | |
| users with the shorthand <html:code xmlns:html="http://www.w3.org/1999/xhtml">@</html:code>. Separate each user or group of users with | |
| a space. For example, under the <html:code xmlns:html="http://www.w3.org/1999/xhtml">[printers]</html:code> share: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">[printers] | |
| valid users = user @printerusers</html:pre></description> | |
| </Group> | |
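An added check for the two Samba sections above (not part of the SCAP Security Guide content): it parses a constructed smb.conf and reports shares that lack a `hosts allow` or `valid users` restriction, shares that are writable, and printer sharing left enabled. The sample configuration and the section names in it are constructed for the example.

```python
import configparser

# Constructed smb.conf, not taken from any real system. [global] still loads
# printers, [public] has no host or user restriction and is writable, while
# [projects] is restricted the way the guide recommends.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    security = user
    load printers = yes
    cups options = raw

[printers]
    comment = All Printers
    path = /usr/spool/samba
    printable = yes

[public]
    path = /srv/public
    read only = no

[projects]
    path = /srv/projects
    hosts allow = 192.168.1. 127.0.0.1
    valid users = userone usertwo @usergroup
    read only = yes
    write list = userone @usergroup
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    smb.conf is INI-like: '#' and ';' start comments, parameter names may
    contain spaces and their case/whitespace are not significant, and a
    parameter may repeat, so configparser is used in non-strict mode.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",), empty_lines_in_values=False)
    cp.optionxform = lambda name: " ".join(name.lower().split())
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "on", "1")

def audit_smb_conf(text):
    """Return sorted (section, finding) tuples for the checks described above."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if _is_yes(g.get("load printers", "yes")):      # Samba default is yes
        findings.append(("global", "load printers is enabled"))
    if "printers" in conf:
        findings.append(("printers", "[printers] share is present"))
    # 'hosts allow' and 'valid users' set in [global] apply to every share.
    global_hosts = "hosts allow" in g
    global_users = "valid users" in g
    for name, share in conf.items():
        if name == "global":
            continue
        if not (global_hosts or "hosts allow" in share):
            findings.append((name, "no hosts allow restriction"))
        if not (global_users or "valid users" in share):
            findings.append((name, "no valid users restriction"))
        # 'read only' (default yes) and 'writable'/'writeable' are inverses.
        read_only = share.get("read only", g.get("read only", "yes"))
        writable = share.get("writable", share.get("writeable", "no"))
        if not _is_yes(read_only) or _is_yes(writable):
            findings.append((name, "share is writable"))
    return sorted(findings)
```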
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_docker"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Docker Service</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The docker service is necessary to create containers, which are | |
| self-sufficient and self-contained applications using the resource | |
| isolation features of the kernel.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_dns"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">DNS Server</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Most organizations have an operational need to run at | |
| least one nameserver. However, there are many common attacks | |
| involving DNS server software, and this server software should | |
| be disabled on any system | |
| on which it is not needed.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_disabling_dns_server"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable DNS Server</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">DNS software should be disabled on any system which does not | |
| need to be a nameserver. Note that the BIND DNS server software is | |
| not installed on Fedora by default. The remainder of this section | |
| discusses secure configuration of systems which must be | |
| nameservers.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_dns_server_isolation"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Isolate DNS from Other Services</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This section discusses mechanisms for preventing the DNS server | |
| from interfering with other services. This is done both to protect the | |
| remainder of the network should a nameserver be compromised, and to make direct | |
| attacks on nameservers more difficult.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_dns_server_chroot"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Run DNS Software in a chroot Jail</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Install the <html:code xmlns:html="http://www.w3.org/1999/xhtml">bind-chroot</html:code> package: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo yum install bind-chroot</html:pre> | |
| Place a valid named.conf file inside the chroot jail: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo cp /etc/named.conf /var/named/chroot/etc/named.conf | |
| $ sudo chown root:root /var/named/chroot/etc/named.conf | |
| $ sudo chmod 644 /var/named/chroot/etc/named.conf</html:pre> | |
| Create and populate an appropriate zone directory within the jail, based on the | |
| options directive. If your <html:code xmlns:html="http://www.w3.org/1999/xhtml">named.conf</html:code> includes: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">options { | |
| directory "/path/to/DIRNAME"; | |
| ... | |
| }</html:pre> | |
| then copy that directory and its contents from the original zone directory: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo cp -r /path/to/DIRNAME /var/named/chroot/DIRNAME</html:pre> | |
| Add or correct the following line within <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/named</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">ROOTDIR=/var/named/chroot</html:pre></description> | |
| <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">If you are running BIND in a chroot jail, then you | |
| should use the jailed <html:code xmlns:html="http://www.w3.org/1999/xhtml">named.conf</html:code> as the primary nameserver | |
| configuration file. That is, when this guide recommends editing | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/named.conf</html:code>, you should instead edit | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/named/chroot/etc/named.conf</html:code>.</warning> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_dns_server_dedicated"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Run DNS Software on Dedicated Servers</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Since DNS is | |
| a high-risk service which must frequently be made available to the entire | |
| Internet, it is strongly recommended that no other services be offered by | |
| systems which act as organizational DNS servers.</description> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_dns_server_protection"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Protect DNS Data from Tampering or Attack</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This section discusses DNS configuration options which make it | |
| more difficult for attackers to gain access to private DNS data or to modify | |
| DNS data.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Run Separate DNS Servers for External and Internal Queries</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Is it possible to run external and internal nameservers on | |
| separate systems? If so, follow the configuration guidance in this section. On | |
| the external nameserver, edit <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/named.conf</html:code> to add or correct the | |
| following directives: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">options { | |
| allow-query { any; }; | |
| recursion no; | |
| ... | |
| }; | |
| zone "example.com" IN { | |
| ... | |
| };</html:pre> | |
| On the internal nameserver, edit <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/named.conf</html:code>. Add or correct the | |
| following directives, where SUBNET is the numerical IP representation of your | |
| organization in the form xxx.xxx.xxx.xxx/xx: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">acl internal { | |
| SUBNET; | |
| localhost; | |
| }; | |
| options { | |
| allow-query { internal; }; | |
| ... | |
| }; | |
| zone "internal.example.com" IN { | |
| ... | |
| };</html:pre></description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_dns_server_partition_with_views"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use Views to Partition External and Internal Information</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If it is not possible to run external and internal nameservers on | |
| separate physical systems, run BIND9 and simulate this feature using views. | |
| Edit <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/named.conf</html:code>. Add or correct the following directives (where | |
| SUBNET is the numerical IP representation of your organization in the form | |
| xxx.xxx.xxx.xxx/xx): | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">acl internal { | |
| SUBNET; | |
| localhost; | |
| }; | |
| view "internal-view" { | |
| match-clients { internal; }; | |
| zone "." IN { | |
| type hint; | |
| file "db.cache"; | |
| }; | |
| zone "internal.example.com" IN { | |
| ... | |
| }; | |
| }; | |
| view "external-view" { | |
| match-clients { any; }; | |
| recursion no; | |
| zone "example.com" IN { | |
| ... | |
| }; | |
| };</html:pre></description> | |
| <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">As shown in the example, database files which are | |
| required for recursion, such as the root hints file, must be available to any | |
| clients which are allowed to make recursive queries. Under typical | |
| circumstances, this includes only the internal clients which are allowed to use | |
| this server as a general-purpose nameserver.</warning> | |
| </Group> | |
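An added check covering both the separate-server and the views layout described in the two sections above (example code, not part of the SCAP Security Guide): a minimal named.conf parser, then a policy check that every scope reachable by any client (top-level `options` without views, or a view whose `match-clients` includes `any`) carries `recursion no`. The two configurations are constructed; `10.0.0.0/8` stands in for the guide's SUBNET placeholder.

```python
import re

_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')
_COMMENT = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

# Constructed configurations (not from a real server).
VIEWS_CONF = """
options { directory "/var/named"; };
acl internal { 10.0.0.0/8; localhost; };
view "internal-view" {
    match-clients { internal; };
    zone "." IN { type hint; file "db.cache"; };
    zone "internal.example.com" IN { type master; file "internal.db"; };
};
view "external-view" {
    match-clients { any; };
    recursion no;   // external clients get authoritative answers only
    zone "example.com" IN { type master; file "example.db"; };
};
"""
OPEN_CONF = """
options {
    directory "/var/named";
    allow-query { any; };   /* no 'recursion no': answers recursive queries */
};
zone "example.com" IN { type master; file "example.db"; };
"""

def tokenize(text):
    """Split named.conf text into strings, braces, semicolons and bare words."""
    return _TOKEN.findall(_COMMENT.sub(" ", text))

def parse_block(tokens, pos=0):
    """Parse statements up to a closing '}' (or end of input).

    Each statement is (words, body): words are the tokens before the first
    '{' or ';', body is the nested statement list, or None for 'word ... ;'.
    """
    stmts, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "}":
            return stmts, pos + 1
        if tok == ";":
            if words:
                stmts.append((words, None))
            words, pos = [], pos + 1
        elif tok == "{":
            body, pos = parse_block(tokens, pos + 1)
            stmts.append((words, body))
            words = []          # the ';' after '}' is consumed on the next pass
        else:
            words.append(tok.strip('"'))
            pos += 1
    return stmts, pos

def _find(stmts, name):
    """First statement whose keyword is name, else None."""
    return next(((w, b) for w, b in stmts if w and w[0] == name), None)

def _clients(body, keyword):
    """Address-match list of an allow-query / match-clients statement."""
    st = _find(body, keyword)
    if st is None or st[1] is None:
        return ["any"]                      # BIND default for both keywords
    return [w[0] for w, _ in st[1] if w]

def _recursion(body, default):
    st = _find(body, "recursion")
    return default if st is None else st[0][1].lower() == "yes"

def audit_named_conf(text):
    """Flag scopes that answer any client without 'recursion no'."""
    stmts, _ = parse_block(tokenize(text))
    opts = _find(stmts, "options")
    opt_body = opts[1] if opts else []
    global_rec = _recursion(opt_body, True)     # BIND default: recursion yes
    msg = "open to any client but recursion is not disabled"
    findings = []
    views = [(w[1], b) for w, b in stmts if w and w[0] == "view" and b is not None]
    if not views:
        # Without views the top-level options decide who is answered.
        if "any" in _clients(opt_body, "allow-query") and global_rec:
            findings.append(f"options: {msg}")
    for name, body in views:
        # A view inherits 'recursion' from options unless it sets its own.
        if "any" in _clients(body, "match-clients") and _recursion(body, global_rec):
            findings.append(f"view {name}: {msg}")
    return findings
```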
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_nfs_and_rpc"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">NFS and RPC</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Network File System is a popular distributed filesystem for | |
| the Unix environment, and is very widely deployed. This section discusses the | |
| circumstances under which it is possible to disable NFS and its dependencies, | |
| and then details steps which should be taken to secure | |
| NFS's configuration. This section is relevant to systems operating as NFS | |
| clients, as well as to those operating as NFS servers.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_nfs_configuring_servers"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure NFS Servers</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The steps in this section are appropriate for systems which operate as NFS servers.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use Access Lists to Enforce Authorization Restrictions</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">When configuring NFS exports, ensure that each export line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/exports</html:code> contains | |
| a list of hosts which are allowed to access that export. If no hosts are specified on an export line, | |
| then that export is available to any remote host which requests it. All lines of the exports file should | |
| specify the hosts (or subnets, if needed) which are allowed to access the exported directory, so that | |
| unknown or remote hosts will be denied. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Authorized hosts can be specified in several different formats: | |
| <html:ul xmlns:html="http://www.w3.org/1999/xhtml"><html:li>Name or alias that is recognized by the resolver</html:li><html:li>Fully qualified domain name</html:li><html:li>IP address</html:li><html:li>IP subnets in the format <html:code>address/netmask</html:code> or <html:code>address/CIDR</html:code></html:li></html:ul></description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_export_filesystems_read_only"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Export Filesystems Read-Only if Possible</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If a filesystem is being exported so that users can view the files in a convenient | |
| fashion, but there is no need for users to edit those files, exporting the filesystem read-only | |
| removes an attack vector against the server. The default filesystem export mode is <html:code xmlns:html="http://www.w3.org/1999/xhtml">ro</html:code>, | |
| so do not specify <html:code xmlns:html="http://www.w3.org/1999/xhtml">rw</html:code> without a good reason.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_configure_exports_restrictively"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure the Exports File Restrictively</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Linux's NFS implementation uses the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/exports</html:code> to control what filesystems | |
| and directories may be accessed via NFS. (See the <html:code xmlns:html="http://www.w3.org/1999/xhtml">exports(5)</html:code> manpage for more information about the | |
| format of this file.) | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The syntax of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">exports</html:code> file is not necessarily checked fully on reload, and syntax errors | |
| can leave your NFS configuration more open than intended. Therefore, exercise caution when modifying | |
| the file. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The syntax of each line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/exports</html:code> is: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">/DIR host1(opt1,opt2) host2(opt3)</html:pre> | |
| where <html:code xmlns:html="http://www.w3.org/1999/xhtml">/DIR</html:code> is a directory or filesystem to export, <html:code xmlns:html="http://www.w3.org/1999/xhtml">hostN</html:code> is an IP address, netblock, | |
| hostname, domain, or netgroup to which to export, and <html:code xmlns:html="http://www.w3.org/1999/xhtml">optN</html:code> is an option.</description> | |
| </Group> | |
| <Rule id="xccdf_org.ssgproject.content_rule_restrict_nfs_clients_to_privileged_ports" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict NFS Clients to Privileged Ports</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the server NFS implementation requires that all client requests be made | |
| from ports less than 1024. If your organization has control over systems connected to its | |
| network, and if NFS requests are prohibited at the border firewall, this offers some protection | |
| against malicious requests from unprivileged users. Therefore, the default should not be changed. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| To ensure that the default has not been changed, ensure no line in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/exports</html:code> contains the option <html:code xmlns:html="http://www.w3.org/1999/xhtml">insecure</html:code>.</description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Allowing client requests to be made from ports higher than 1024 could allow an unprivileged | |
| user to initiate an NFS connection. If the unprivileged user account has been compromised, an | |
| attacker could gain access to data on the NFS server.</rationale> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_use_root_squashing_all_exports" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use Root-Squashing on All Exports</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If a filesystem is exported using root squashing, requests from root on the client | |
| are considered to be unprivileged (mapped to a user such as nobody). This provides some mild | |
| protection against remote abuse of an NFS server. Root squashing is enabled by default, and | |
| should not be disabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Ensure that no line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/exports</html:code> contains the option <html:code xmlns:html="http://www.w3.org/1999/xhtml">no_root_squash</html:code>.</description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the NFS server allows root access to local file systems from remote hosts, this | |
| access could be used to compromise the system.</rationale> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_no_all_squash_exports" selected="false" severity="low"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure All-Squashing Disabled On All Exports</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">all_squash</html:code> option maps all uids and gids to an anonymous user. | |
| This should be disabled by removing any instances of the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">all_squash</html:code> option from the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/exports</html:code>.</description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The all_squash option maps all client requests to a single anonymous | |
| uid/gid on the NFS server, negating the ability to track file access | |
| by user ID.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_no_insecure_locks_exports" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure Insecure File Locking is Not Allowed</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default the NFS server requires secure file-lock requests, | |
| which require credentials from the client in order to lock a file. Most NFS | |
| clients send credentials with file lock requests; however, a few clients do | |
| not send credentials when requesting a file lock, which limits them to | |
| locking only world-readable files. To work around this, the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">insecure_locks</html:code> option can be used so these clients can access the | |
| desired export. This poses a security risk by potentially allowing the client | |
| access to data for which it does not have authorization. | |
| Remove any instances of the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">insecure_locks</html:code> option from the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/exports</html:code>.</description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000764</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Allowing insecure file locking could allow for sensitive data to be | |
| viewed or edited by an unauthorized user.</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-no_insecure_locks_exports:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-no_insecure_locks_exports_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
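An added auditor for the export rules in this section (example code, not part of the SCAP Security Guide): it parses a constructed /etc/exports, flags export lines without a host restriction, and reports the `rw`, `insecure`, `no_root_squash`, `all_squash` and `insecure_locks` options the guide says to keep off. A malformed line is reported rather than silently accepted, since the text above notes that exportfs does not check the syntax fully.

```python
import re

# Constructed /etc/exports sample (not from a real system). Line 2 has no host
# before its option list, so it is exported to the world; line 3 turns off
# three defaults the guide says to keep; line 4 follows the guidance; line 5
# is malformed (unclosed option list).
SAMPLE_EXPORTS = """\
# constructed example
/srv/public        (rw,no_root_squash)
/srv/backup        *.example.com(rw,insecure,insecure_locks)
/srv/share         192.168.1.0/24(ro,sync) host1.example.com
/srv/build         10.0.0.0/8(rw,all_squash
"""

# Export options the guide says to avoid, with the reason each matters.
RISKY_OPTIONS = {
    "rw": "export is writable",
    "insecure": "clients may connect from ports at or above 1024",
    "no_root_squash": "remote root is not mapped to an unprivileged user",
    "all_squash": "all uids/gids mapped to one anonymous user",
    "insecure_locks": "file-lock requests need no credentials",
    "no_auth_nlm": "synonym of insecure_locks",
}

# client(opt1,opt2): host part may be empty, option list is optional.
_ENTRY = re.compile(r"([^()]*)(?:\((.*)\))?")

def parse_export_line(line):
    """Return (directory, [(client, [options])]) for one uncommented line.

    Raises ValueError for a client(options) token that does not parse, for
    example one with an unclosed parenthesis.
    """
    fields = line.split()
    directory, clients = fields[0], []
    for tok in fields[1:]:
        m = _ENTRY.fullmatch(tok)
        if m is None:
            raise ValueError(f"malformed entry {tok!r}")
        opts = [o for o in (m.group(2) or "").split(",") if o]
        clients.append((m.group(1), opts))
    return directory, clients

def audit_exports(text):
    """Return (lineno, directory, message) findings for an /etc/exports text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            directory, clients = parse_export_line(line)
        except ValueError as exc:
            findings.append((lineno, line.split()[0], str(exc)))
            continue
        if not clients:
            findings.append((lineno, directory, "no hosts listed: exported to any host"))
        for host, opts in clients:
            # An empty host (a space before the parenthesis) or '*' means everyone.
            if host in ("", "*"):
                findings.append((lineno, directory, f"client {host!r}: exported to any host"))
            for opt in opts:
                if opt in RISKY_OPTIONS:
                    findings.append((lineno, directory,
                                     f"client {host!r}: {opt} ({RISKY_OPTIONS[opt]})"))
    return findings
```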
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure All Systems which Use NFS</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The steps in this section are appropriate for all systems which | |
| run NFS, whether they operate as clients or as servers.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Make Each System a Client or a Server, not Both</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If NFS must be used, it should be deployed in the simplest | |
| configuration possible to avoid maintainability problems which may lead to | |
| unnecessary security exposure. Due to the reliability and security problems | |
| caused by NFS (especially NFSv3 and NFSv2), it is not a good idea for systems | |
| which act as NFS servers to also mount filesystems via NFS. At the least, | |
| crossed mounts (the situation in which each of two servers mounts a filesystem | |
| from the other) should never be used.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Firewalling should be done at each host and at the border | |
| firewalls to protect the NFS daemons from remote access, since NFS servers | |
| should never be accessible from outside the organization. However, by default | |
| for NFSv3 and NFSv2, the RPC Bind service assigns each NFS service to a port | |
| dynamically at service startup time. Dynamic ports cannot be protected by port | |
| filtering firewalls such as <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables</html:code>. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Therefore, restrict each service to always use a given port, so that | |
| firewalling can be done effectively. Note that, because of the way RPC is | |
| implemented, it is not possible to disable the RPC Bind service even if ports | |
| are assigned statically to all RPC services. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| In NFSv4, the mounting and locking protocols have been incorporated into the | |
| protocol, and the server listens on the well-known TCP port 2049. As such, | |
| NFSv4 does not need to interact with the <html:code xmlns:html="http://www.w3.org/1999/xhtml">rpcbind, lockd, and rpc.statd</html:code> | |
| daemons, which can and should be disabled in a pure NFSv4 environment. The | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">rpc.mountd</html:code> daemon is still required on the NFS server to set up | |
| exports, but is not involved in any over-the-wire operations.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_nfs_fixed_lockd_tcp_port" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure lockd to use static TCP port</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure the <html:code xmlns:html="http://www.w3.org/1999/xhtml">lockd</html:code> daemon to use a static TCP port as | |
| opposed to letting the RPC Bind service dynamically assign a port. Edit the | |
| file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/nfs</html:code>. Add or correct the following line: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">LOCKD_TCPPORT=lockd-port</html:pre> | |
| Where <html:code xmlns:html="http://www.w3.org/1999/xhtml">lockd-port</html:code> is a port which is not used by any other service on | |
| your network.</description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restricting the service to always use a given port enables firewalling to be done | |
| effectively.</rationale> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_nfs_fixed_lockd_udp_port" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure lockd to use static UDP port</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure the <html:code xmlns:html="http://www.w3.org/1999/xhtml">lockd</html:code> daemon to use a static UDP port as | |
| opposed to letting the RPC Bind service dynamically assign a port. Edit the | |
| file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/nfs</html:code>. Add or correct the following line: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">LOCKD_UDPPORT=lockd-port</html:pre> | |
| Where <html:code xmlns:html="http://www.w3.org/1999/xhtml">lockd-port</html:code> is a port which is not used by any other service on | |
| your network.</description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restricting services to always use a given port enables firewalling | |
| to be done more effectively.</rationale> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_nfs_fixed_mountd_port" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure mountd to use static port</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure the <html:code xmlns:html="http://www.w3.org/1999/xhtml">mountd</html:code> daemon to use a static port as | |
| opposed to letting the RPC Bind service dynamically assign a port. Edit the | |
| file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/nfs</html:code>. Add or correct the following line: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">MOUNTD_PORT=mountd-port</html:pre> | |
| Where <html:code xmlns:html="http://www.w3.org/1999/xhtml">mountd-port</html:code> is a port which is not used by any other service on your network.</description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restricting services to always use a given port enables firewalling | |
| to be done more effectively.</rationale> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_nfs_fixed_statd_port" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure statd to use static port</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure the <html:code xmlns:html="http://www.w3.org/1999/xhtml">statd</html:code> daemon to use a static port as | |
| opposed to letting the RPC Bind service dynamically assign a port. Edit the | |
| file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/nfs</html:code>. Add or correct the following line: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">STATD_PORT=statd-port</html:pre> | |
| Where <html:code xmlns:html="http://www.w3.org/1999/xhtml">statd-port</html:code> is a port which is not used by any other service on your network.</description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restricting services to always use a given port enables firewalling | |
| to be done more effectively.</rationale> | |
| </Rule> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_disabling_nfs"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable All NFS Services if Possible</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If there is not a reason for the system to operate as either an | |
| NFS client or an NFS server, follow all instructions in this section to disable | |
| subsystems required by NFS.</description> | |
| <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">The steps in this section will prevent a system | |
| from operating as either an NFS client or an NFS server. Only perform these | |
| steps on systems which do not need NFS at all.</warning> | |
| <Group id="xccdf_org.ssgproject.content_group_disabling_nfs_services"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Services Used Only by NFS</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| All of these daemons run with elevated privileges, and many listen for network | |
| connections. If they are not needed, they should be disabled to improve system | |
| security posture.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_service_rpcidmapd_disabled" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable RPC ID Mapping Service (rpcidmapd)</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The rpcidmapd service is used to map user names and groups to UID | |
| and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then | |
| this service should be disabled. | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">rpcidmapd</html:code> service can be disabled with the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo systemctl disable rpcidmapd.service</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Secure RPC Client Service (rpcgssd)</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The rpcgssd service manages RPCSEC GSS contexts required to secure protocols | |
| that use RPC (most often Kerberos and NFS). The rpcgssd service is the | |
| client-side of RPCSEC GSS. If the system does not require secure RPC then this | |
| service should be disabled. | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">rpcgssd</html:code> service can be disabled with the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo systemctl disable rpcgssd.service</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_service_nfslock_disabled" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Network File System Lock Service (nfslock)</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Network File System Lock (nfslock) service starts the required | |
| remote procedure call (RPC) processes which allow clients to lock files on the | |
| server. If the local system is not configured to mount NFS filesystems then | |
| this service should be disabled. | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">nfslock</html:code> service can be disabled with the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo systemctl disable nfslock.service</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_disabling_netfs"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable netfs if Possible</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To determine if any network filesystems handled by netfs are | |
| currently mounted on the system, execute the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ mount -t nfs,nfs4,smbfs,cifs,ncpfs</html:pre> | |
| If the command did not return any output then disable netfs.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_service_netfs_disabled" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Network File Systems (netfs)</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The netfs script manages the boot-time mounting of several types | |
| of networked filesystems, of which NFS and Samba are the most common. If these | |
| filesystem types are not in use, the script can be disabled, protecting the | |
| system somewhat against accidental or malicious changes to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/fstab</html:code> | |
| and against flaws in the netfs script itself. | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">netfs</html:code> service can be disabled with the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo systemctl disable netfs.service</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| </Rule> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_nfs_configuring_clients"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure NFS Clients</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The steps in this section are appropriate for systems which operate as NFS clients.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_disabling_nfsd"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable NFS Server Daemons</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">There is no need to run the NFS server daemons <html:code xmlns:html="http://www.w3.org/1999/xhtml">nfs</html:code> and | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">rpcsvcgssd</html:code> except on a small number of properly secured systems | |
| designated as NFS servers. Ensure that these daemons are turned off on | |
| clients.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_service_rpcsvcgssd_disabled" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Secure RPC Server Service (rpcsvcgssd)</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The rpcsvcgssd service manages RPCSEC GSS contexts required to | |
| secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd | |
| service is the server-side of RPCSEC GSS. If the system does not require secure | |
| RPC then this service should be disabled. | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">rpcsvcgssd</html:code> service can be disabled with the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo systemctl disable rpcsvcgssd.service</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unnecessary services should be disabled to decrease the attack surface of the system.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-service_rpcsvcgssd_disabled_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_nfs_no_anonymous" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specify UID and GID for Anonymous NFS Connections</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To specify the UID and GID for remote root users, edit the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/exports</html:code> file and add the following for each export: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml"> | |
| anonuid=<html:code>value greater than UID_MAX from /etc/login.defs</html:code> | |
| anongid=<html:code>value greater than GID_MAX from /etc/login.defs</html:code> | |
| </html:pre> | |
| Note that a value of "-1" is technically acceptable as this will randomize the <html:code xmlns:html="http://www.w3.org/1999/xhtml">anonuid</html:code> and | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">anongid</html:code> values on a Red Hat Enterprise Linux 6 based NFS server. While acceptable from a security perspective, | |
| a value of <html:code xmlns:html="http://www.w3.org/1999/xhtml">-1</html:code> may cause interoperability issues, particularly with Red Hat Enterprise Linux 7 client systems. | |
| Alternatively, functionally equivalent values of 60001, 65534, 65535 may be used.</description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specifying the anonymous UID and GID ensures that the remote root user is mapped | |
| to a local account which has no permissions on the system.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-nfs_no_anonymous_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_service_nfs_disabled" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Network File System (nfs)</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Network File System (NFS) service allows remote hosts to mount | |
| and interact with shared filesystems on the local system. If the local system | |
| is not designated as a NFS server then this service should be disabled. | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">nfs</html:code> service can be disabled with the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo systemctl disable nfs.service</html:pre></description> | |
| <reference href="">2.2.7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unnecessary services should be disabled to decrease the attack surface of the system.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-service_nfs_disabled_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_mounting_remote_filesystems"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Mount Remote Filesystems with Restrictive Options</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/fstab</html:code>. For each filesystem whose type | |
| (column 3) is <html:code xmlns:html="http://www.w3.org/1999/xhtml">nfs</html:code> or <html:code xmlns:html="http://www.w3.org/1999/xhtml">nfs4</html:code>, add the text | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">,nodev,nosuid</html:code> to the list of mount options in column 4. If | |
| appropriate, also add <html:code xmlns:html="http://www.w3.org/1999/xhtml">,noexec</html:code>. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| See the section titled "Restrict Partition Mount Options" for a description of | |
| the effects of these options. In general, execution of files mounted via NFS | |
| should be considered risky because of the possibility that an adversary could | |
| intercept the request and substitute a malicious file. Allowing setuid files to | |
| be executed from remote servers is particularly risky, both for this reason and | |
| because it requires the clients to extend root-level trust to the NFS | |
| server.</description> | |
| </Group> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_printing"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Print Support</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Common Unix Printing System (CUPS) service provides both local | |
| and network printing support. A system running the CUPS service can accept | |
| print jobs from other systems, process them, and send them to the appropriate | |
| printer. It also provides an interface for remote administration through a web | |
| browser. The CUPS service is installed and activated by default. The project | |
| homepage and more detailed documentation are available at | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://www.cups.org">http://www.cups.org</html:a>. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/></description> | |
| <Group id="xccdf_org.ssgproject.content_group_configure_printing"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure the CUPS Service if Necessary</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">CUPS provides the ability to easily share local printers with | |
| other systems over the network. It does this by allowing systems to share | |
| lists of available printers. Additionally, each system that runs the CUPS | |
| service can potentially act as a print server. Whenever possible, the printer | |
| sharing and print server capabilities of CUPS should be limited or disabled. | |
| The following recommendations should demonstrate how to do just that.</description> | |
| </Group> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_system"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">System Settings</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Contains rules that check correct system settings.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_network"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Network Configuration and Firewalls</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Most systems must be connected to a network of some | |
| sort, and this brings with it the substantial risk of network | |
| attack. This section discusses the security impact of decisions | |
| about networking which must be made when configuring a system. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| This section also discusses firewalls, network access | |
| controls, and other network security frameworks, which allow | |
| system-level rules to be written that can limit an attacker's ability | |
| to connect to your system. These rules can specify that network | |
| traffic should be allowed or denied from certain IP addresses, | |
| hosts, and networks. The rules can also specify which of the | |
| system's network services are available to particular hosts or | |
| networks.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_network-ipv6"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">IPv6</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The system includes support for Internet Protocol | |
| version 6. A major and often-mentioned improvement over IPv4 is its | |
| enormous increase in the number of available addresses. Another | |
| important feature is its support for automatic configuration of | |
| many network settings.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_disabling_ipv6"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Support for IPv6 Unless Needed</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Despite configuration that suggests support for IPv6 has | |
| been disabled, link-local IPv6 address auto-configuration occurs | |
| even when only an IPv4 address is assigned. The only way to | |
| effectively prevent execution of the IPv6 networking stack is to | |
| instruct the system not to activate the IPv6 kernel module.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_network_ipv6_disable_interfaces" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Interface Usage of IPv6</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To disable interface usage of IPv6, add or correct the following lines in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/network</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">NETWORKING_IPV6=no | |
| IPV6INIT=no</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable IPv6 Networking Support Automatic Loading</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To prevent the IPv6 kernel module (<html:code xmlns:html="http://www.w3.org/1999/xhtml">ipv6</html:code>) from binding to the | |
| IPv6 networking stack, add the following line to | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/modprobe.d/disabled.conf</html:code> (or another file in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/modprobe.d</html:code>): | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">options ipv6 disable=1</html:pre> | |
| This permits the IPv6 module to be loaded (and thus satisfy other modules that | |
| depend on it), while disabling support for the IPv6 protocol.</description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Any unnecessary network stacks, including IPv6, should be disabled to reduce | |
| the vulnerability to exploitation.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-kernel_module_ipv6_option_disabled_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Support for RPC IPv6</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">RPC services for NFSv4 try to load transport modules for | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">udp6</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">tcp6</html:code> by default, even if IPv6 has been disabled in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/modprobe.d</html:code>. To prevent RPC services such as <html:code xmlns:html="http://www.w3.org/1999/xhtml">rpc.mountd</html:code> | |
| from attempting to start IPv6 network listeners, remove or comment out the | |
| following two lines in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/netconfig</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">udp6 tpi_clts v inet6 udp - - | |
| tcp6 tpi_cots_ord v inet6 tcp - -</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable IPv6 Networking Support Automatic Loading</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To disable support for IPv6 (<html:code xmlns:html="http://www.w3.org/1999/xhtml">ipv6</html:code>), add the following line to | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.d/ipv6.conf</html:code> (or another file in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.d</html:code>): | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">net.ipv6.conf.all.disable_ipv6 = 1</html:pre> | |
| This disables IPv6 on all network interfaces while leaving the IPv6 stack loaded, | |
| since other services and system functionality require the IPv6 stack to be loaded in order to work.</description> | |
| <reference href="">3.3.3</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001551</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Any unnecessary network stacks, including IPv6, should be disabled to reduce | |
| the vulnerability to exploitation.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sysctl_net_ipv6_conf_all_disable_ipv6" system="urn:xccdf:fix:script:ansible" reboot="true" complexity="low" disruption="medium" strategy="disable">- name: Ensure sysctl net.ipv6.conf.all.disable_ipv6 is set to 1 | |
|   sysctl: | |
|     name: net.ipv6.conf.all.disable_ipv6 | |
|     value: 1 | |
|     state: present | |
|     reload: yes | |
|   tags: | |
|     - sysctl_net_ipv6_conf_all_disable_ipv6 | |
|     - medium_severity | |
|     - disable_strategy | |
|     - low_complexity | |
|     - medium_disruption | |
|     - NIST-800-53-CM-7 | |
|     - NIST-800-171-3.1.20 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-sysctl_net_ipv6_conf_all_disable_ipv6:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_configuring_ipv6"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure IPv6 Settings if Necessary</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A major feature of IPv6 is the extent to which systems | |
| implementing it can automatically configure their networking | |
| devices using information from the network. From a security | |
| perspective, manually configuring important configuration | |
| information is preferable to accepting it from the network | |
| in an unauthenticated fashion.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Automatic Configuration</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the system's acceptance of router | |
| advertisements and redirects by adding or correcting the following | |
| line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/network</html:code> (note that this does not disable | |
| sending router solicitations): | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">IPV6_AUTOCONF=no</html:pre></description> | |
| <Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_source_route_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv6.conf.default.accept_source_route</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Attackers could use source-routed packets to | |
| generate traffic that appears to be intra-net but was actually | |
| created outside and redirected.</description> | |
| <value>0</value> | |
| <value selector="disabled">0</value> | |
| <value selector="enabled">1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_accept_source_route_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv6.conf.all.accept_source_route</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Attackers could use source-routed packets to | |
| generate traffic that appears to be intra-net but was actually | |
| created outside and redirected.</description> | |
| <value>0</value> | |
| <value selector="disabled">0</value> | |
| <value selector="enabled">1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_redirects_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv6.conf.default.accept_redirects</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Toggle ICMP Redirect Acceptance By Default</description> | |
| <value>0</value> | |
| <value selector="disabled">0</value> | |
| <value selector="enabled">1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sysconfig_network_IPV6_AUTOCONF_value" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">IPV6_AUTOCONF</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Toggle global IPv6 auto-configuration (only if global | |
| forwarding is disabled)</description> | |
| <value>no</value> | |
| <value selector="disabled">no</value> | |
| <value selector="enabled">yes</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_accept_redirects_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv6.conf.all.accept_redirects</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Toggle ICMP Redirect Acceptance</description> | |
| <value>0</value> | |
| <value selector="disabled">0</value> | |
| <value selector="enabled">1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_accept_ra_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv6.conf.all.accept_ra</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Accept all router advertisements?</description> | |
| <value>0</value> | |
| <value selector="disabled">0</value> | |
| <value selector="enabled">1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_ra_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv6.conf.default.accept_ra</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Accept default router advertisements by default?</description> | |
| <value>0</value> | |
| <value selector="disabled">0</value> | |
| <value selector="enabled">1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_forwarding_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv6.conf.all.forwarding</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Toggle IPv6 Forwarding</description> | |
| <value>0</value> | |
| <value selector="disabled">0</value> | |
| <value selector="enabled">1</value> | |
| </Value> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Accepting IPv6 Redirects By Default</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv6.conf.default.accept_redirects</html:code> kernel parameter, run the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0</html:pre> | |
| If this is not the system default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">net.ipv6.conf.default.accept_redirects = 0</html:pre></description> | |
| <reference href="">3.3.2</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001551</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">An illicit ICMP redirect message could result in a man-in-the-middle attack.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sysctl_net_ipv6_conf_default_accept_redirects_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Accepting IPv6 Router Advertisements by Default</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv6.conf.default.accept_ra</html:code> kernel parameter, run the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0</html:pre> | |
| If this is not the system default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">net.ipv6.conf.default.accept_ra = 0</html:pre></description> | |
| <reference href="">3.3.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">An illicit router advertisement message could result in a man-in-the-middle attack.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Limit Network-Transmitted Configuration if Using Static IPv6 Addresses</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To limit the configuration information requested from other | |
| systems and accepted from the network on a system that uses | |
| statically-configured IPv6 addresses, add the following lines to | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">net.ipv6.conf.default.router_solicitations = 0 | |
| net.ipv6.conf.default.accept_ra_rtr_pref = 0 | |
| net.ipv6.conf.default.accept_ra_pinfo = 0 | |
| net.ipv6.conf.default.accept_ra_defrtr = 0 | |
| net.ipv6.conf.default.autoconf = 0 | |
| net.ipv6.conf.default.dad_transmits = 0 | |
| net.ipv6.conf.default.max_addresses = 1</html:pre> | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">router_solicitations</html:code> setting determines how many router | |
| solicitations are sent when bringing up the interface. If addresses are | |
| statically assigned, there is no need to send any solicitations. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">accept_ra_pinfo</html:code> setting controls whether the system will accept | |
| prefix info from the router. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">accept_ra_rtr_pref</html:code> setting controls whether the system honours | |
| the router preference values (RFC 4191) carried in router advertisements. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">accept_ra_defrtr</html:code> setting controls whether the system will learn | |
| a default router from a router advertisement. Setting it to 0 prevents a | |
| router advertisement from installing or changing the IPv6 default route, so | |
| the default gateway must then be configured manually. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">autoconf</html:code> setting controls whether router advertisements can cause | |
| the system to assign a global unicast address to an interface. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">dad_transmits</html:code> setting determines how many neighbor solicitations | |
| to send out per address (global and link-local) when bringing up an interface | |
| to ensure the desired address is unique on the network. Setting it to 0 disables | |
| Duplicate Address Detection entirely, so a collision with another host using the | |
| same address goes unnoticed; only do this where the static addresses are known to | |
| be unique. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">max_addresses</html:code> setting determines how many global unicast IPv6 | |
| addresses can be assigned to each interface. The default is 16, but it should | |
| be set to exactly the number of statically configured global addresses | |
| required. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv6.conf.default.*</html:code> parameters only apply to interfaces | |
| created after they are set; interfaces that already exist keep their current | |
| values. Set the corresponding <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv6.conf.<html:i>interface</html:i>.*</html:code> | |
| parameters for those interfaces as well, and verify the live values with | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">sysctl -a -r net.ipv6.conf</html:code>.</description> | |
| </Group> | |
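The check a practitioner would run against the settings listed above, as an added example that is not part of the SCAP Security Guide or of its OVAL/OCIL checks. It parses a sysctl.conf fragment, compares the persisted net.ipv6.conf.default values with the ones recommended above, and then compares a runtime snapshot, because the default values only reach interfaces created after they were set. It goes slightly beyond the text in handling the slash form of sysctl keys, which is the only way to address a VLAN interface such as eth0.100 whose name contains a dot. The function names, the EXPECTED_DEFAULTS table and both sample inputs (SAMPLE_CONF, SAMPLE_RUNTIME) are this example's own constructions; the runtime dict stands in for values read from /proc/sys.

```python
"""Audit of the static-IPv6 sysctl settings listed above.

Added example, not part of the SCAP Security Guide content.
"""

# Values recommended above for net.ipv6.conf.default.*
EXPECTED_DEFAULTS = {
    "router_solicitations": 0,
    "accept_ra_rtr_pref": 0,
    "accept_ra_pinfo": 0,
    "accept_ra_defrtr": 0,
    "autoconf": 0,
    "dad_transmits": 0,
    "max_addresses": 1,
}


def canonical_key(key):
    """Normalise a sysctl key to slash form following sysctl(8): when the
    key contains '/', slash is the separator and dots are literal (needed
    for VLAN interfaces such as eth0.100); otherwise dots separate parts."""
    parts = key.split("/") if "/" in key else key.split(".")
    return "/".join(part for part in parts if part)


def parse_sysctl_conf(text):
    """Parse 'key = value' lines of a sysctl.conf file into a dict keyed by
    canonical key.  Lines starting with '#' or ';' are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[canonical_key(key)] = value
    return settings


def audit_ipv6_sysctl(conf_text, runtime):
    """Return a list of findings; an empty list means the persisted
    defaults and every existing interface match EXPECTED_DEFAULTS.
    'runtime' maps canonical keys to values as read from /proc/sys."""
    conf = parse_sysctl_conf(conf_text)
    findings = []
    for name, want in EXPECTED_DEFAULTS.items():
        key = f"net/ipv6/conf/default/{name}"
        got = conf.get(key)
        if got is None:
            findings.append(f"{key} is not persisted in sysctl.conf")
        elif int(got) != want:
            findings.append(f"{key} persisted as {got}, expected {want}")
    for key, value in sorted(runtime.items()):
        parts = key.split("/")
        # Expect net/ipv6/conf/IFACE/NAME.  'all' is skipped: its IPv6
        # semantics differ per parameter and it does not describe one interface.
        if len(parts) != 5 or parts[:3] != ["net", "ipv6", "conf"] or parts[3] == "all":
            continue
        want = EXPECTED_DEFAULTS.get(parts[4])
        if want is not None and int(value) != want:
            findings.append(f"{key} is {value} at runtime, expected {want}")
    return findings


# Constructed sysctl.conf fragment: one wrong value (autoconf), one missing
# key (max_addresses), and a VLAN interface written in slash form so the dot
# in eth0.100 stays literal.
SAMPLE_CONF = """\
# IPv6 static-address hardening (constructed sample)
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref=0
net/ipv6/conf/default/accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 1
net.ipv6.conf.default.dad_transmits = 0
net/ipv6/conf/eth0.100/autoconf = 0
"""

# Constructed stand-in for /proc/sys: eth0 existed before the defaults were
# applied and still autoconfigures; eth0.100 was created afterwards.
SAMPLE_RUNTIME = {
    "net/ipv6/conf/default/autoconf": "0",
    "net/ipv6/conf/all/autoconf": "1",
    "net/ipv6/conf/eth0/autoconf": "1",
    "net/ipv6/conf/eth0/max_addresses": "16",
    "net/ipv6/conf/eth0.100/autoconf": "0",
}

if __name__ == "__main__":
    for finding in audit_ipv6_sysctl(SAMPLE_CONF, SAMPLE_RUNTIME):
        print(finding)
```

Run as a script it prints four findings for the constructed samples: the wrong persisted autoconf value, the missing max_addresses line, and the two live eth0 values that the default setting never touched. On a real host, build the runtime dict by reading the files under /proc/sys/net/ipv6/conf/ and pass the contents of /etc/sysctl.conf (and the /etc/sysctl.d fragments) as conf_text.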
| <Rule id="xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use Privacy Extensions for Address</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To introduce randomness into the automatic generation of IPv6 | |
| addresses, add or correct the following line in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/network-scripts/ifcfg-<html:i>interface</html:i></html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">IPV6_PRIVACY=rfc3041</html:pre> | |
| Automatically-generated IPv6 addresses (SLAAC) embed the underlying hardware | |
| (e.g. Ethernet) address in the interface identifier, and so it becomes possible to track a piece of | |
| hardware over its lifetime using its traffic. The privacy extensions of RFC 3041 (since | |
| revised as RFC 4941) generate temporary, random interface identifiers instead and prefer | |
| them as the source address of outgoing connections; the hardware-derived address remains | |
| configured on the interface. If it is important for a system's | |
| IP address to not trivially reveal its hardware address, this setting should be | |
| applied.</description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-network_ipv6_privacy_extensions:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_network_ipv6_default_gateway" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Manually Assign IPv6 Router Address</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Edit the file | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/network-scripts/ifcfg-<html:i>interface</html:i></html:code>, and add or correct | |
| the following line (substituting your gateway IP as appropriate): | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">IPV6_DEFAULTGW=2001:0DB8::0001</html:pre> | |
| Router addresses should be manually set and not accepted via any | |
| auto-configuration or router advertisement.</description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_network_ipv6_static_address" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Manually Assign Global IPv6 Address</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To manually assign an IP address for an interface, edit the | |
| file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/network-scripts/ifcfg-<html:i>interface</html:i></html:code>. Add or correct the | |
| following line (substituting the correct IPv6 address): | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">IPV6ADDR=2001:0DB8::ABCD/64</html:pre> | |
| Manually assigning an IP address is preferable to accepting one from routers or | |
| from the network otherwise. The example address here is an IPv6 address | |
| reserved for documentation purposes, as defined by RFC3849.</description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| </Rule> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_network-iptables"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">iptables and ip6tables</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A host-based firewall called <html:code xmlns:html="http://www.w3.org/1999/xhtml">netfilter</html:code> is included as | |
| part of the Linux kernel distributed with the system. It is | |
| activated by default. This firewall is controlled by the program | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables</html:code>, and the entire capability is frequently referred to by | |
| this name. An analogous program called <html:code xmlns:html="http://www.w3.org/1999/xhtml">ip6tables</html:code> handles filtering | |
| for IPv6. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Unlike TCP Wrappers, which depends on the network server | |
| program to support and respect the rules written, <html:code xmlns:html="http://www.w3.org/1999/xhtml">netfilter</html:code> | |
| filtering occurs at the kernel level, before a program can even | |
| process the data from the network packet. As such, any program on | |
| the system is affected by the rules written. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| This section provides basic information about strengthening | |
| the <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">ip6tables</html:code> configurations included with the system. | |
| For more complete information that may allow the construction of a | |
| sophisticated ruleset tailored to your environment, please consult | |
| the references at the end of this section.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Strengthen the Default Ruleset</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The default rules can be strengthened. The system | |
| scripts that activate the firewall rules expect them to be defined | |
| in the configuration files <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">ip6tables</html:code> in the directory | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig</html:code>. Many of the lines in these files are similar | |
| to the command line arguments that would be provided to the programs | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/sbin/iptables</html:code> or <html:code xmlns:html="http://www.w3.org/1999/xhtml">/sbin/ip6tables</html:code> - but some are quite | |
| different. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The following recommendations describe how to strengthen the | |
| default ruleset configuration file. An alternative to editing this | |
| configuration file is to create a shell script that makes calls to | |
| the iptables program to load in rules, and then invokes | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">service iptables save</html:code> (or <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables-save</html:code> with its output redirected) to write those loaded rules to | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables</html:code>. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The following alterations can be made directly to | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/ip6tables</html:code>. | |
| Instructions apply to both unless otherwise noted. Language and address | |
| conventions for regular iptables are used throughout this section; | |
| configuration for ip6tables will be either analogous or explicitly | |
| covered.</description> | |
| <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">The program <html:code xmlns:html="http://www.w3.org/1999/xhtml">system-config-securitylevel</html:code> | |
| allows additional services to penetrate the default firewall rules | |
| and automatically adjusts <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables</html:code>. This program | |
| is only useful if the default ruleset meets your security | |
| requirements. Otherwise, this program should not be used to make | |
| changes to the firewall configuration because it re-writes the | |
| saved configuration file.</warning> | |
| <Group id="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Log and Drop Packets with Suspicious Source Addresses</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Packets with non-routable source addresses should be rejected, as they may indicate spoofing. Because the | |
| modified default policy will drop non-matching packets, you only need to add these rules if you are interested in also | |
| logging these spoofing or suspicious attempts before they are dropped. If you do choose to log various suspicious | |
| traffic, add identical rules with a target of <html:code xmlns:html="http://www.w3.org/1999/xhtml">DROP</html:code> directly after each <html:i xmlns:html="http://www.w3.org/1999/xhtml">LOG</html:i>: | |
| the <html:code xmlns:html="http://www.w3.org/1999/xhtml">LOG</html:code> target is non-terminating, so a LOG rule on its own lets the packet continue down the chain. | |
| Rule order matters in these files: the LOG and DROP pairs must appear before any <html:code xmlns:html="http://www.w3.org/1999/xhtml">ACCEPT</html:code> | |
| rule that could match the same packets (such as the RELATED,ESTABLISHED rule), and a rate limit such as | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">-m limit --limit 5/min</html:code> on each LOG rule keeps a flood of spoofed packets from filling the logs. | |
| To log and then drop these IPv4 packets, insert the following rules in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables</html:code> (excepting | |
| any that are intentionally used, for example the RFC 1918 range your own network is numbered from): | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">-A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: " | |
| -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: " | |
| -A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: " | |
| -A INPUT -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: " | |
| -A INPUT -s 240.0.0.0/4 -j LOG --log-prefix "IP DROP SPOOF E: " | |
| -A INPUT ! -i lo -s 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: " | |
| -A INPUT ! -i lo -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "</html:pre> | |
| The reserved block is 240.0.0.0/4, and the <html:code xmlns:html="http://www.w3.org/1999/xhtml">! -i lo</html:code> match on the loopback rules excludes | |
| legitimate loopback traffic, which would otherwise be logged and dropped. | |
| Similarly, you might wish to log packets containing some IPv6 reserved addresses if they are not expected | |
| on your network. The 6to4 entries below are the 2002::/16 prefix with a non-routable IPv4 range embedded in | |
| its next 32 bits (an IPv4 /N becomes a /(16+N), so 10.0.0.0/8 becomes 2002:0A00::/24): | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">-A INPUT ! -i lo -s ::1 -j LOG --log-prefix "IPv6 DROP LOOPBACK: " | |
| -A INPUT -s 2002:E000::/20 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " | |
| -A INPUT -s 2002:7F00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " | |
| -A INPUT -s 2002:0000::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " | |
| -A INPUT -s 2002:FF00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " | |
| -A INPUT -s 2002:0A00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " | |
| -A INPUT -s 2002:AC10::/28 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " | |
| -A INPUT -s 2002:C0A8::/32 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "</html:pre> | |
| If you are not expecting to see site-local multicast or auto-tunneled traffic, you can log those: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">-A INPUT -s FF05::/16 -j LOG --log-prefix "IPv6 SITE-LOCAL MULTICAST: " | |
| -A INPUT -s ::0.0.0.0/96 -j LOG --log-prefix "IPv4 COMPATIBLE IPv6 ADDR: "</html:pre> | |
| If you wish to block multicasts to all link-local nodes (e.g. if you are not using router auto-configuration and | |
| do not plan to have any services that multicast to the entire local network), you can block the link-local | |
| all-nodes multicast address (before accepting incoming ICMPv6): | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">-A INPUT -d FF02::1 -j LOG --log-prefix "Link-local All-Nodes Multicast: "</html:pre> | |
| However, if you're going to allow IPv4 compatible IPv6 addresses (of the form ::0.0.0.0/96), you should | |
| then consider logging the non-routable IPv4-compatible addresses: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">-A INPUT -s ::0.0.0.0/104 -j LOG --log-prefix "IP NON-ROUTABLE ADDR: " | |
| -A INPUT -s ::127.0.0.0/104 -j LOG --log-prefix "IP DROP LOOPBACK: " | |
| -A INPUT -s ::224.0.0.0/100 -j LOG --log-prefix "IP DROP MULTICAST D: " | |
| -A INPUT -s ::255.0.0.0/104 -j LOG --log-prefix "IP BROADCAST: "</html:pre> | |
| If you are not expecting to see any IPv4 (or IPv4-compatible) traffic on your network, consider logging it before it gets dropped: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">-A INPUT -s ::FFFF:0.0.0.0/96 -j LOG --log-prefix "IPv4 MAPPED IPv6 ADDR: " | |
| -A INPUT -s 2002::/16 -j LOG --log-prefix "IPv6 6to4 ADDR: "</html:pre> | |
| The following rule will log all traffic originating from a site-local address, which is deprecated address space: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">-A INPUT -s FEC0::/10 -j LOG --log-prefix "SITE-LOCAL ADDRESS TRAFFIC: "</html:pre></description> | |
| </Group> | |
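An audit of the log-and-drop pattern described above, as an added example that is not part of the SCAP Security Guide. It parses a ruleset in the format of /etc/sysconfig/iptables and ip6tables, checks that the INPUT policy is DROP, that every LOG rule is rate limited and immediately followed by a DROP rule with the same match, and that no ACCEPT rule other than the loopback one precedes the LOG rules; it also derives the 6to4 and IPv4-compatible prefixes for an IPv4 bogon range, which is how the 2002:: and ::a.b.c.d entries above are obtained. The function names (bogon_6to4, ipv4_compatible, parse_ruleset, audit_ruleset) and the two sample rulesets are this example's own constructions.

```python
"""Audit of the log-and-drop spoofing rules in iptables-save syntax.

Added example, not part of the SCAP Security Guide content.
"""
import ipaddress
import shlex

# Options whose following token is a value that is not part of the match
VALUE_OPTIONS = {"--log-prefix", "--log-level", "--limit", "--limit-burst"}


def bogon_6to4(ipv4_net):
    """6to4 (2002::/16) prefix embedding an IPv4 network: the IPv4 address
    occupies bits 16..47, so an IPv4 /N becomes a /(16+N) under 2002::."""
    net = ipaddress.IPv4Network(ipv4_net)
    base = int(ipaddress.IPv6Address("2002::")) + int(net.network_address) * 2 ** 80
    return ipaddress.IPv6Network((base, 16 + net.prefixlen))


def ipv4_compatible(ipv4_net):
    """Deprecated IPv4-compatible form ::a.b.c.d: an IPv4 /N under ::/96."""
    net = ipaddress.IPv4Network(ipv4_net)
    return ipaddress.IPv6Network((int(net.network_address), 96 + net.prefixlen))


def split_rule(argv):
    """Split a tokenised '-A CHAIN ...' line into
    (chain, match tokens, target, rate limited)."""
    chain, target, limited, match, skip = argv[1], None, False, [], False
    for tok, nxt in zip(argv[2:], argv[3:] + [None]):
        if skip:
            skip = False
        elif tok == "-j":
            target, skip = nxt, True
        elif tok in VALUE_OPTIONS:
            skip = True
        elif tok == "limit" and match and match[-1] == "-m":
            match.pop()          # '-m limit' is bookkeeping, not a match
            limited = True
        else:
            match.append(tok)
    return chain, tuple(match), target, limited


def parse_ruleset(text):
    """Return ({chain: policy}, {chain: [(match, target, limited), ...]})
    from iptables-save formatted text; table headers and COMMIT are skipped."""
    policies, chains = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line[0] == ":":
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            chains.setdefault(chain, [])
            continue
        argv = shlex.split(line)
        if argv[:1] == ["-A"]:
            chain, match, target, limited = split_rule(argv)
            chains.setdefault(chain, []).append((match, target, limited))
    return policies, chains


def audit_ruleset(text, chain="INPUT"):
    """Return findings for one chain; an empty list means it follows the
    default-DROP, rate-limited log-then-drop pattern."""
    policies, chains = parse_ruleset(text)
    findings = []
    if policies.get(chain) != "DROP":
        findings.append(f"{chain} policy is {policies.get(chain)}, expected DROP")
    rules = chains.get(chain, [])
    seen_log = False
    for idx, (match, target, limited) in enumerate(rules):
        shown = " ".join(match)
        # An ACCEPT ahead of the LOG rules short-circuits them (loopback excepted)
        if target == "ACCEPT" and not seen_log and "lo" not in match:
            findings.append(f"ACCEPT rule precedes the LOG rules: {shown}")
        if target != "LOG":
            continue
        seen_log = True
        if not limited:
            findings.append(f"LOG rule without -m limit: {shown}")
        follower = rules[idx + 1:idx + 2]
        if not follower or follower[0][:2] != (match, "DROP"):
            findings.append(f"LOG rule not followed by a matching DROP: {shown}")
    return findings


# Constructed rulesets in /etc/sysconfig/iptables format
GOOD_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -m limit --limit 5/min -j LOG --log-prefix "IP DROP SPOOF A: "
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT ! -i lo -s 127.0.0.0/8 -m limit --limit 5/min -j LOG --log-prefix "IP DROP LOOPBACK: "
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
COMMIT
"""

BAD_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
-A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "
-A INPUT -s 192.168.0.0/16 -j DROP
COMMIT
"""

if __name__ == "__main__":
    for name in ("192.168.0.0/16", "172.16.0.0/12", "224.0.0.0/4"):
        print(name, bogon_6to4(name), ipv4_compatible(name))
    for finding in audit_ruleset(BAD_RULESET):
        print(finding)
```

The bad ruleset yields five findings: the ACCEPT policy, the RELATED,ESTABLISHED accept that sits ahead of the LOG rules, two LOG rules without a rate limit, and the 10.0.0.0/8 LOG rule whose next rule is another LOG rather than its DROP. To audit a live system, feed it the output of iptables-save or ip6tables-save instead of the samples.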
| <Group id="xccdf_org.ssgproject.content_group_iptables_icmp_disabled"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict ICMP Message Types</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables</html:code>, the accepted ICMP messages | |
| types can be restricted. To accept only ICMP echo reply, destination | |
| unreachable, and time exceeded messages, remove the line:<html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">-A INPUT -p icmp --icmp-type any -j ACCEPT</html:pre> | |
| and insert the lines: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT | |
| -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT | |
| -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT</html:pre> | |
| To allow the system to respond to pings, also insert the following line: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">-A INPUT -p icmp --icmp-type echo-request -j ACCEPT</html:pre> | |
| Ping responses can also be limited to certain networks or hosts by using the <html:code xmlns:html="http://www.w3.org/1999/xhtml">-s</html:code> | |
| option in the previous rule. Because IPv6 depends so heavily on ICMPv6, it is | |
| preferable to deny the ICMPv6 packets you know you don't need (e.g. ping | |
| requests) in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/ip6tables</html:code>, while letting everything else | |
| through: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP</html:pre> | |
| If you are going to statically configure the system's address, it should | |
| ignore Router Advertisements which could add another IPv6 address to the | |
| interface or alter important network settings. This complements the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">accept_ra</html:code> kernel parameter described earlier: the firewall rule discards the | |
| advertisement before the kernel's neighbor discovery code sees it at all: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">-A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP</html:pre> | |
| Both DROP rules must be placed before the rule that accepts ICMPv6, since the first | |
| matching rule decides. Restricting ICMPv6 message types in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/ip6tables</html:code> | |
| beyond this is not recommended because the operation of IPv6 depends heavily on | |
| ICMPv6: neighbor-solicitation and neighbor-advertisement are required for any | |
| communication on the link, and packet-too-big is required for path MTU discovery, | |
| because IPv6 routers do not fragment packets. Thus, great care must be taken if any | |
| other ICMPv6 types are blocked.</description> | |
| </Group> | |
| <Rule id="xccdf_org.ssgproject.content_rule_set_iptables_default_rule" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Default iptables Policy for Incoming Packets</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the default policy to DROP (instead of ACCEPT) for | |
| the built-in INPUT chain which processes incoming packets, | |
| add or correct the following line in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">:INPUT DROP [0:0]</html:pre> | |
| Before applying this on a remotely administered system, confirm that the rules | |
| accepting loopback traffic, RELATED,ESTABLISHED connections and the management | |
| service (for example TCP port 22) are present, or the change will lock out the | |
| administrator. With a DROP policy the trailing REJECT rule of the default ruleset | |
| is no longer needed to block traffic, but keeping it returns an ICMP error to the | |
| sender instead of silently discarding the packet.</description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables</html:code> the default policy is applied only after all | |
| the applicable rules in the table are examined for a match. Setting the | |
| default policy to <html:code xmlns:html="http://www.w3.org/1999/xhtml">DROP</html:code> implements proper design for a firewall, i.e. | |
| any packets which are not explicitly permitted should not be | |
| accepted.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-set_iptables_default_rule_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_set_iptables_default_rule_forward" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Default iptables Policy for Forwarded Packets</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the default policy to DROP (instead of ACCEPT) for | |
| the built-in FORWARD chain which processes packets that will be forwarded from | |
| one interface to another, | |
| add or correct the following line in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">:FORWARD DROP [0:0]</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables</html:code>, the default policy is applied only after all | |
| the applicable rules in the table are examined for a match. Setting the | |
| default policy to <html:code xmlns:html="http://www.w3.org/1999/xhtml">DROP</html:code> implements proper design for a firewall, i.e. | |
| any packets which are not explicitly permitted should not be | |
| accepted.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_iptables_activation"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Inspect and Activate Default Rules</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">View the currently-enforced <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables</html:code> rules by running | |
| the command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo iptables -nL --line-numbers</html:pre> | |
| The command is analogous for <html:code xmlns:html="http://www.w3.org/1999/xhtml">ip6tables</html:code>. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| If the firewall does not appear to be active (i.e., no rules | |
| appear), activate it and ensure that it starts at boot by issuing | |
| the following commands (and analogously for <html:code xmlns:html="http://www.w3.org/1999/xhtml">ip6tables</html:code>): | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo systemctl enable iptables.service | |
| $ sudo systemctl restart iptables.service</html:pre> | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables.service</html:code> unit is provided by the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables-services</html:code> package and loads the rules from | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables</html:code>. It is not installed by default on Fedora, | |
| which ships <html:code xmlns:html="http://www.w3.org/1999/xhtml">firewalld</html:code> instead; running both at once produces | |
| conflicting rulesets, so disable <html:code xmlns:html="http://www.w3.org/1999/xhtml">firewalld</html:code> when switching to the | |
| static <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables</html:code> service, or apply the equivalent policy through firewalld. | |
| The default iptables rules are: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">Chain INPUT (policy ACCEPT) | |
| num target prot opt source destination | |
| 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED | |
| 2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 | |
| 3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 | |
| 4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 | |
| 5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited | |
| Chain FORWARD (policy ACCEPT) | |
| num target prot opt source destination | |
| 1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited | |
| Chain OUTPUT (policy ACCEPT) | |
| num target prot opt source destination</html:pre> | |
| Rule 3 of the INPUT chain is the loopback rule (<html:code xmlns:html="http://www.w3.org/1999/xhtml">-A INPUT -i lo -j ACCEPT</html:code>); | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables -nL</html:code> does not display interface matches, so it looks like an | |
| accept-all rule. Add <html:code xmlns:html="http://www.w3.org/1999/xhtml">-v</html:code> (<html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables -nvL --line-numbers</html:code>) | |
| to show the in and out interfaces when reviewing a ruleset. | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">ip6tables</html:code> default rules are essentially the same.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_service_iptables_enabled" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify iptables Enabled</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> The <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables</html:code> service can be enabled with the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo systemctl enable iptables.service</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CA-3(c)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables</html:code> service provides the system's host-based firewalling | |
| capability for IPv4 and ICMP.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-service_iptables_enabled_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_service_ip6tables_enabled" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify ip6tables Enabled if Using IPv6</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> The <html:code xmlns:html="http://www.w3.org/1999/xhtml">ip6tables</html:code> service can be enabled with the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo systemctl enable ip6tables.service</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CA-3(c)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">ip6tables</html:code> service provides the system's host-based firewalling | |
| capability for IPv6 and ICMPv6.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-service_ip6tables_enabled_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Default ip6tables Policy for Incoming Packets</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the default policy to DROP (instead of ACCEPT) for | |
| the built-in INPUT chain which processes incoming packets, | |
| add or correct the following line in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/ip6tables</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">:INPUT DROP [0:0]</html:pre> | |
| If changes were required, reload the ip6tables rules: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo service ip6tables reload</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In <html:code xmlns:html="http://www.w3.org/1999/xhtml">ip6tables</html:code>, the default policy is applied only after all | |
| the applicable rules in the table are examined for a match. Setting the | |
| default policy to <html:code xmlns:html="http://www.w3.org/1999/xhtml">DROP</html:code> implements proper design for a firewall, i.e. | |
| any packets which are not explicitly permitted should not be | |
| accepted.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-set_ip6tables_default_rule_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_network-kernel"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Kernel Parameters Which Affect Networking</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">sysctl</html:code> utility is used to set | |
| parameters which affect the operation of the Linux kernel. Kernel parameters | |
| which affect networking and have security implications are described here.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Network Related Kernel Runtime Parameters for Hosts and Routers</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Certain kernel parameters should be set for systems which are | |
| acting as either hosts or routers to improve the system's ability to defend | |
| against certain types of IPv4 protocol attacks.</description> | |
| <Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_accept_source_route_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.conf.all.accept_source_route</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Attackers could use source-routed packets to | |
| generate traffic that seems to originate on the internal network but was actually | |
| created outside and routed in; disabling this refuses source-routed packets.</description> | |
| <value>0</value> | |
| <value selector="disabled">0</value> | |
| <value selector="enabled">1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_rp_filter_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.conf.all.rp_filter</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable to enforce reverse-path filtering (ingress | |
| filtering, RFC 3704). The point is to drop a packet if a reply to its | |
| source address would not be routed out of the interface on which | |
| it arrived, which discards most packets with spoofed source addresses. | |
| A value of 1 is strict mode and can drop legitimate traffic on hosts with | |
| asymmetric routing; 2 is loose mode, which only requires the source address | |
| to be reachable via some interface.</description> | |
| <value>1</value> | |
| <value selector="disabled">0</value> | |
| <value selector="enabled">1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_secure_redirects_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.conf.all.secure_redirects</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">When enabled, ICMP redirects are accepted only from | |
| gateways listed in the interface's current default gateway list, which limits | |
| hijacking of the routing path. When disabled, redirects from any source are accepted | |
| subject only to the RFC 1122 rules, so this should be disabled only together with | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">accept_redirects</html:code> set to 0, which refuses ICMP redirects altogether.</description> | |
| <value>0</value> | |
| <value selector="disabled">0</value> | |
| <value selector="enabled">1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_tcp_syncookies_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.tcp_syncookies</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable to turn on TCP SYN cookie | |
| protection, which lets the system keep accepting new connections during a | |
| SYN flood instead of exhausting its listen backlog.</description> | |
| <value>1</value> | |
| <value selector="disabled">0</value> | |
| <value selector="enabled">1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.icmp_ignore_bogus_error_responses</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable to suppress the kernel warnings logged when broken routers violate RFC 1122 by sending bogus ICMP error responses to broadcast frames, avoiding log clutter</description> | |
| <value>1</value> | |
| <value selector="disabled">0</value> | |
| <value selector="enabled">1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_accept_redirects_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.conf.all.accept_redirects</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable ICMP Redirect Acceptance</description> | |
| <value>0</value> | |
| <value selector="disabled">0</value> | |
| <value selector="enabled">1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_redirects_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.conf.default.accept_redirects</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable ICMP Redirect Acceptance on newly created interfaces</description> | |
| <value>0</value> | |
| <value selector="disabled">0</value> | |
| <value selector="enabled">1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_log_martians_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.conf.default.log_martians</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable to log spoofed packets, source-routed packets and | |
| ICMP redirects ("martians") on newly created interfaces; disable to suppress this logging</description> | |
| <value>1</value> | |
| <value selector="disabled">0</value> | |
| <value selector="enabled">1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_secure_redirects_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.conf.default.secure_redirects</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable to reduce the risk of routing-path hijacking by accepting | |
| ICMP redirects only from gateways already present in the routing | |
| table. Disable to refuse such "secure" ICMP redirected packets on newly created interfaces (this value is the template copied to each new interface).</description> | |
| <value>0</value> | |
| <value selector="disabled">0</value> | |
| <value selector="enabled">1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.icmp_echo_ignore_broadcasts</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ignore all ICMP ECHO and TIMESTAMP requests sent to it | |
| via broadcast/multicast</description> | |
| <value>1</value> | |
| <value selector="disabled">0</value> | |
| <value selector="enabled">1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_log_martians_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.conf.all.log_martians</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable to log spoofed packets, source-routed packets and | |
| ICMP redirects ("martians") on all interfaces; disable to suppress this logging</description> | |
| <value>1</value> | |
| <value selector="disabled">0</value> | |
| <value selector="enabled">1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_rp_filter_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.conf.default.rp_filter</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enables reverse path (source address) validation on newly created interfaces</description> | |
| <value>1</value> | |
| <value selector="disabled">0</value> | |
| <value selector="enabled">1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_source_route_value" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.conf.default.accept_source_route</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable acceptance of IPv4 source-routed packets on newly created interfaces</description> | |
| <value>0</value> | |
| <value selector="disabled">0</value> | |
| <value selector="enabled">1</value> | |
| </Value> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Kernel Parameter to Ignore Bogus ICMP Error Responses</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.icmp_ignore_bogus_error_responses</html:code> kernel parameter, run the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1</html:pre> | |
| If this is not the system default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.icmp_ignore_bogus_error_responses = 1</html:pre></description> | |
| <reference href="">3.2.6</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ignoring bogus ICMP error responses reduces | |
| log size, although some activity would not be logged.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
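Every rule in this section follows the same two-step procedure: `sysctl -w` for the running kernel, then a line in `/etc/sysctl.conf` so the value survives a reboot. The OCIL checks referenced above are manual questionnaires; the following POSIX shell script is an added example, not part of the scap-security-guide content, that automates the same check. It reads the values straight from the `/proc/sys` tree (so it needs no `sysctl` binary), compares them against the `Value` elements above, and writes a `sysctl.d` drop-in containing only the keys that deviate. The `SYSCTL_ROOT` override and the drop-in path `/etc/sysctl.d/90-ssg-ipv4.conf` are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of scap-security-guide: audit the IPv4 kernel
# parameters from this section against the benchmark's expected values and
# emit a sysctl.d drop-in for whatever deviates. Values are read straight
# from the /proc/sys tree; the SYSCTL_ROOT override (an assumption of this
# example) lets the script run against a constructed directory for testing.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# key=expected, one per line, taken from the Value elements of this section.
EXPECTED="
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
"

# read_sysctl KEY: print the live value of a dotted key, or "missing" when
# the kernel does not expose it.
read_sysctl() {
    path="$SYSCTL_ROOT/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then
        tr -d '[:space:]' < "$path"
    else
        printf 'missing'
    fi
}

# audit_sysctls: print one "FAIL key current=X expected=Y" line per
# deviation; exit status 0 when every key matches, 1 otherwise.
audit_sysctls() {
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(read_sysctl "$key")
        if [ "$have" != "$want" ]; then
            printf 'FAIL %s current=%s expected=%s\n' "$key" "$have" "$want"
            rc=1
        fi
    done
    return $rc
}

# write_remediation FILE: write a sysctl.d fragment containing only the
# failing keys, in the "key = value" form the benchmark uses, so that
# `sysctl --system` (or a reboot) closes the gaps without touching settings
# that are already correct. Returns 1 and leaves the file empty when
# nothing needed fixing.
write_remediation() {
    out=$1
    : > "$out"
    audit_sysctls | while read -r status key cur want; do
        printf '%s = %s\n' "$key" "${want#expected=}"
    done >> "$out"
    [ -s "$out" ]
}

# Entry point: "audit" reports, "remediate [FILE]" writes the drop-in.
# The default drop-in path is an assumption of this example.
case "${1:-}" in
    audit)     audit_sysctls ;;
    remediate) write_remediation "${2:-/etc/sysctl.d/90-ssg-ipv4.conf}" ;;
esac
```

Run `sh audit-ipv4.sh audit` to list deviations, or `sh audit-ipv4.sh remediate` followed by `sysctl --system` to apply them. A site that has deliberately chosen loose reverse path filtering (`rp_filter=2`) for asymmetric routing will be reported as non-compliant with this benchmark and should adjust the `EXPECTED` list rather than the kernel.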
| <Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Kernel Parameter for Accepting Secure Redirects for All Interfaces</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.all.secure_redirects</html:code> kernel parameter, run the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0</html:pre> | |
| If this is not the system default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.all.secure_redirects = 0</html:pre></description> | |
| <reference href="">3.2.3</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001503</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001551</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Accepting "secure" ICMP redirects (from those gateways listed as | |
| default gateways) has few legitimate uses. It should be disabled unless it is | |
| absolutely required. Note that this parameter only narrows which redirects are honoured: it has no effect once | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.all.accept_redirects</html:code> is 0, and setting it to 0 while that parameter is still 1 widens rather than narrows the set of accepted redirects, so the two rules should be applied together.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sysctl_net_ipv4_conf_all_secure_redirects_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.all.accept_redirects</html:code> kernel parameter, run the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0</html:pre> | |
| If this is not the system default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.all.accept_redirects = 0</html:pre></description> | |
| <reference href="">3.2.2</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001503</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001551</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ICMP redirect messages are used by routers to inform hosts that a more direct | |
| route exists for a particular destination. These messages modify the host's route table | |
| and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle | |
| attack. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless | |
| absolutely required.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sysctl_net_ipv4_conf_all_accept_redirects_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Kernel Parameter for Accepting Secure Redirects By Default</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.default.secure_redirects</html:code> kernel parameter, run the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0</html:pre> | |
| If this is not the system default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.default.secure_redirects = 0</html:pre></description> | |
| <reference href="">3.2.3</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001551</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Accepting "secure" ICMP redirects (from those gateways listed as | |
| default gateways) has few legitimate uses. It should be disabled unless it is | |
| absolutely required.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Kernel Parameter for Accepting Source-Routed Packets By Default</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.default.accept_source_route</html:code> kernel parameter, run the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0</html:pre> | |
| If this is not the system default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.default.accept_source_route = 0</html:pre></description> | |
| <reference href="">3.2.1</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001551</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Source-routed packets allow the source of the packet to suggest routers | |
| forward the packet along a different path than configured on the router, which can | |
| be used to bypass network security measures. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Accepting source-routed packets in the IPv4 protocol has few legitimate | |
| uses. It should be disabled unless it is absolutely required, such as when | |
| IPv4 forwarding is enabled and the system is legitimately functioning as | |
| a router.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sysctl_net_ipv4_conf_default_accept_source_route_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Kernel Parameter to Use Reverse Path Filtering by Default</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.default.rp_filter</html:code> kernel parameter, run the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1</html:pre> | |
| If this is not the system default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.default.rp_filter = 1</html:pre></description> | |
| <reference href="">3.2.7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enabling reverse path filtering drops packets with source addresses | |
| that should not have been able to be received on the interface they were | |
| received on. The <html:code xmlns:html="http://www.w3.org/1999/xhtml">default</html:code> value is the template copied to interfaces created after boot, so it governs hot-plugged, VPN and container interfaces. Strict mode (1) should not be used on systems which are routers for | |
| complicated networks or that rely on asymmetric routing, where loose mode (2) is the appropriate choice, but is helpful for end hosts and routers serving small | |
| networks.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sysctl_net_ipv4_conf_default_rp_filter_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Kernel Parameter to Use Reverse Path Filtering for All Interfaces</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.all.rp_filter</html:code> kernel parameter, run the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1</html:pre> | |
| If this is not the system default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.all.rp_filter = 1</html:pre></description> | |
| <reference href="">3.2.7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001551</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enabling reverse path filtering drops packets with source addresses | |
| that should not have been able to be received on the interface they were | |
| received on. The kernel applies the larger of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">all</html:code> and per-interface values, so setting 1 here forces at least strict (RFC 3704) checking on every interface. Strict mode should not be used on systems which are routers for | |
| complicated networks or that rely on asymmetric routing, where loose mode (2) is the appropriate choice, but is helpful for end hosts and routers serving small | |
| networks.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sysctl_net_ipv4_conf_all_rp_filter_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
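Each parameter in this section appears twice, once under `net.ipv4.conf.all` and once under `net.ipv4.conf.default`, and the two do different jobs: `default` is only the template copied into `net.ipv4.conf.<interface>` when an interface is created, while `all` is combined with the per-interface value at packet-processing time, using a rule that differs per parameter (documented in the kernel's ip-sysctl text: the maximum for `rp_filter`, "both must be set" for `accept_source_route`, "either suffices" for `log_martians` and `secure_redirects`, and for `accept_redirects` "both" on a forwarding interface but "either" on a non-forwarding one). The following shell functions are an added example, not part of scap-security-guide, that compute the value actually enforced on an interface from those inputs; they make visible why setting `all` alone is not enough for `accept_redirects` on a host. `SYSCTL_ROOT` is an assumption of the example so it can run against a constructed tree.

```shell
#!/bin/sh
# Added example, not part of scap-security-guide: compute the value the
# kernel actually enforces on one interface from the net.ipv4.conf.all.*
# and net.ipv4.conf.<if>.* settings, following the combination rules in
# the kernel's ip-sysctl documentation. conf.default.* never enters the
# combination; it is only the template copied into conf.<if>.* when an
# interface is created. SYSCTL_ROOT is an assumption of this example.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# read_conf IFACE PARAM: value of net.ipv4.conf.IFACE.PARAM
read_conf() {
    tr -d '[:space:]' < "$SYSCTL_ROOT/net/ipv4/conf/$1/$2"
}

# rp_filter: the larger of all/interface wins (0 off, 1 strict, 2 loose),
# so all=1 forces at least strict checking on every interface.
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then printf '%s' "$1"; else printf '%s' "$2"; fi
}

# "both" rule: enabled only when all=1 and the interface value is 1.
# Used by accept_source_route, so all=0 blocks SRR packets everywhere.
effective_both() {
    if [ "$1" -eq 1 ] && [ "$2" -eq 1 ]; then printf 1; else printf 0; fi
}

# "either" rule: enabled when all=1 or the interface value is 1.
# Used by log_martians and secure_redirects.
effective_either() {
    if [ "$1" -eq 1 ] || [ "$2" -eq 1 ]; then printf 1; else printf 0; fi
}

# accept_redirects depends on forwarding: a router interface needs both
# values set, but a plain host interface accepts redirects when EITHER is
# 1. That is the trap: all=0 alone does not protect a host interface that
# inherited accept_redirects=1 from conf.default when it was created.
effective_accept_redirects() {   # all iface forwarding
    if [ "$3" -eq 1 ]; then
        effective_both "$1" "$2"
    else
        effective_either "$1" "$2"
    fi
}

# effective PARAM IFACE: print the enforced value for one parameter.
effective() {
    case "$1" in
        rp_filter|accept_source_route|log_martians|secure_redirects|accept_redirects) ;;
        *) printf 'unknown parameter: %s\n' "$1" >&2; return 2 ;;
    esac
    all=$(read_conf all "$1")
    own=$(read_conf "$2" "$1")
    case "$1" in
        rp_filter)                     effective_rp_filter "$all" "$own" ;;
        accept_source_route)           effective_both "$all" "$own" ;;
        log_martians|secure_redirects) effective_either "$all" "$own" ;;
        accept_redirects)              effective_accept_redirects "$all" "$own" "$(read_conf "$2" forwarding)" ;;
    esac
}

# report IFACE: one line per parameter, e.g.
# "accept_redirects all=0 eth0=1 effective=1" for the trap described above.
report() {
    for p in rp_filter accept_source_route log_martians secure_redirects accept_redirects; do
        printf '%s all=%s %s=%s effective=%s\n' "$p" "$(read_conf all "$p")" \
            "$1" "$(read_conf "$1" "$p")" "$(effective "$p" "$1")"
    done
}

if [ $# -ge 1 ]; then report "$1"; fi
```

Run `sh effective-ipv4.sh eth0` on a live host. An `effective=1` for `accept_redirects` with `all=0` means the interface was brought up before the `default` rule was applied; fixing the `default` value alone will not change an interface that already exists, so either re-create it or write the per-interface key as well.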
| <Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Kernel Parameter to Use TCP Syncookies</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.tcp_syncookies</html:code> kernel parameter, run the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo sysctl -w net.ipv4.tcp_syncookies=1</html:pre> | |
| If this is not the system default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.tcp_syncookies = 1</html:pre></description> | |
| <reference href="">3.2.8</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(1)(2)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(3)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A TCP SYN flood attack can cause a denial of service by filling a | |
| system's TCP connection table with connections in the SYN_RCVD state. | |
| Syncookies can be used to track a connection when a subsequent ACK is received, | |
| verifying the initiator is attempting a valid connection and is not a flood | |
| source. This feature is activated when a flood condition is detected, and | |
| enables the system to continue servicing valid connection requests.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sysctl_net_ipv4_tcp_syncookies_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.icmp_echo_ignore_broadcasts</html:code> kernel parameter, run the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</html:pre> | |
| If this is not the system default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.icmp_echo_ignore_broadcasts = 1</html:pre></description> | |
| <reference href="">3.2.5</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Responding to broadcast (ICMP) echoes facilitates network mapping | |
| and provides a vector for amplification attacks. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Ignoring ICMP echo requests (pings) sent to broadcast or multicast | |
| addresses makes the system slightly more difficult to enumerate on the network.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Kernel Parameter to Log Martian Packets By Default</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.default.log_martians</html:code> kernel parameter, run the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo sysctl -w net.ipv4.conf.default.log_martians=1</html:pre> | |
| If this is not the system default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.default.log_martians = 1</html:pre></description> | |
| <reference href="">3.2.4</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(3)</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The presence of "martian" packets (which have impossible addresses) | |
| as well as spoofed packets, source-routed packets, and redirects could be a | |
| sign of nefarious network activity. Logging these packets enables this activity | |
| to be detected.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sysctl_net_ipv4_conf_default_log_martians_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Kernel Parameter for Accepting IPv4 Source-Routed Packets for All Interfaces</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.all.accept_source_route</html:code> kernel parameter, run the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0</html:pre> | |
| If this is not the system default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.all.accept_source_route = 0</html:pre></description> | |
| <reference href="">3.2.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Source-routed packets allow the source of the packet to suggest routers | |
| forward the packet along a different path than configured on the router, which can | |
| be used to bypass network security measures. This requirement applies only to the | |
| forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and | |
| the system is functioning as a router. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Accepting source-routed packets in the IPv4 protocol has few legitimate | |
| uses. It should be disabled unless it is absolutely required.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sysctl_net_ipv4_conf_all_accept_source_route_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Kernel Parameter to Log Martian Packets</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.all.log_martians</html:code> kernel parameter, run the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo sysctl -w net.ipv4.conf.all.log_martians=1</html:pre> | |
| If this is not the system default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.all.log_martians = 1</html:pre></description> | |
| <reference href="">3.2.4</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(3)</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The presence of "martian" packets (which have impossible addresses) | |
| as well as spoofed packets, source-routed packets, and redirects could be a | |
| sign of nefarious network activity. Logging these packets enables this activity | |
| to be detected.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sysctl_net_ipv4_conf_all_log_martians_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
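Logging martian packets only helps if the records are reviewed; as an added example (not SCAP Security Guide content), this POSIX shell script summarises the "martian source" messages the kernel emits once `net.ipv4.conf.all.log_martians` is set, by interface and claimed source address. The kernel log excerpt is constructed in the kernel's own message format; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide content.
# Summarises the "martian source" records the kernel writes once
# net.ipv4.conf.all.log_martians=1 is set.  The kernel message format is
#   IPv4: martian source DST from SRC, on dev IFACE
# where SRC is the impossible source address the packet claimed, followed by
# an "ll header:" line carrying the link-layer bytes.  The kernel rate-limits
# these messages, so the counts below are a lower bound.  On a live host feed
# in "journalctl -k" or "dmesg" output; the sample here is constructed.

# summarize_martians FILE -> "COUNT IFACE CLAIMED_SRC" per interface/source
# pair, most frequent first; "ll header" continuation lines are skipped.
summarize_martians() {
    awk '
        /martian source/ {
            for (i = 1; i < NF; i++) {
                if ($i == "from") src = $(i + 1)
                if ($i == "dev")  dev = $(i + 1)
            }
            sub(/,$/, "", src)          # "127.0.0.1," -> "127.0.0.1"
            count[dev " " src]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# martian_exceeds FILE N -> succeeds if any interface/source pair was logged
# at least N times (a simple threshold for a cron job or a SIEM pre-filter).
martian_exceeds() {
    summarize_martians "$1" | awk -v n="$2" '$1 + 0 >= n { hit = 1 } END { exit !hit }'
}

# Constructed kernel log excerpt: the loopback address and the host's own
# address arriving on a real interface (classic spoofing signs), plus one
# stray documentation-range source on eth1.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[ 1203.114512] IPv4: martian source 10.0.0.5 from 127.0.0.1, on dev eth0
[ 1203.114530] ll header: 00000000: ff ff ff ff ff ff 52 54 00 12 34 56 08 00
[ 1203.215001] IPv4: martian source 10.0.0.5 from 127.0.0.1, on dev eth0
[ 1203.215020] ll header: 00000000: ff ff ff ff ff ff 52 54 00 12 34 56 08 00
[ 1204.001200] IPv4: martian source 10.0.0.5 from 10.0.0.5, on dev eth0
[ 1204.001210] ll header: 00000000: 52 54 00 ab cd ef 52 54 00 12 34 56 08 00
[ 1205.330000] IPv4: martian source 10.0.0.9 from 192.0.2.44, on dev eth1
EOF

summarize_martians "$SAMPLE_LOG"
if martian_exceeds "$SAMPLE_LOG" 2; then
    echo "ALERT: a martian source was seen 2 or more times on one interface"
fi
```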
| <Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Kernel Parameter for Accepting ICMP Redirects By Default</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.default.accept_redirects</html:code> kernel parameter, run the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0</html:pre> | |
| If this is not the system default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.default.accept_redirects = 0</html:pre></description> | |
| <reference href="">3.2.2</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001551</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ICMP redirect messages are used by routers to inform hosts that a more direct | |
| route exists for a particular destination. These messages modify the host's route table | |
| and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle | |
| attack. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless | |
| absolutely required.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_network_host_parameters"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Network Parameters for Hosts Only</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the system is not going to be used as a router, then setting certain | |
| kernel parameters ensures that the host will not perform routing | |
| of network traffic.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.all.send_redirects</html:code> kernel parameter, run the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0</html:pre> | |
| If this is not the system default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.all.send_redirects = 0</html:pre></description> | |
| <reference href="">3.1.2</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(1)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ICMP redirect messages are used by routers to inform hosts that a more | |
| direct route exists for a particular destination. These messages contain information | |
| from the system's route table possibly revealing portions of the network topology. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The ability to send ICMP redirects is only appropriate for systems acting as routers.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sysctl_net_ipv4_conf_all_send_redirects_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Kernel Parameter for Sending ICMP Redirects by Default</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.default.send_redirects</html:code> kernel parameter, run the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0</html:pre> | |
| If this is not the system default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.default.send_redirects = 0</html:pre></description> | |
| <reference href="">3.1.2</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ICMP redirect messages are used by routers to inform hosts that a more | |
| direct route exists for a particular destination. These messages contain information | |
| from the system's route table possibly revealing portions of the network topology. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The ability to send ICMP redirects is only appropriate for systems acting as routers.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Kernel Parameter for IP Forwarding</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.ip_forward</html:code> kernel parameter, run the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo sysctl -w net.ipv4.ip_forward=0</html:pre> | |
| If this is not the system default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.ip_forward = 0</html:pre></description> | |
| <reference href="">3.1.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-32</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Routing protocol daemons are typically used on routers to exchange | |
| network topology information with other routers. If this capability is used when | |
| not required, system network information may be unnecessarily transmitted across | |
| the network.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sysctl_net_ipv4_ip_forward_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
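Each sysctl rule in this section asks for the value to be set at runtime and persisted in `/etc/sysctl.conf`; as an added example (not SCAP Security Guide content), this POSIX shell audit parses a sysctl.conf-style file the way sysctl(8) loads it, where the last assignment to a key wins, and reports each of the section's settings (log_martians, default.accept_redirects and the three host-only parameters). The sample file is constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide content.
# Audits whether the sysctl settings from this section are persisted in a
# sysctl.conf-style file.  Mirrors how sysctl(8) reads such a file: lines
# starting with "#" or ";" and blank lines are ignored, "key = value" and
# "key=value" are both accepted, and the LAST assignment to a key wins.

# effective_sysctl FILE KEY -> prints the last value assigned to KEY in FILE,
# or nothing if KEY is never assigned.
effective_sysctl() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1)
            v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }
    ' "$1"
}

# runtime_sysctl KEY -> the running kernel value from /proc/sys, or nothing
# if the parameter does not exist on this kernel.  Persisted and running
# values can differ until "sysctl -p" or a reboot, which is why the rules
# ask for both; this helper is not exercised by the constructed sample.
runtime_sysctl() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; fi
}

# audit_sysctl_file FILE -> one line per required setting ("ok", "missing"
# or "wrong"); returns 1 if any setting is missing or has the wrong value.
audit_sysctl_file() {
    file=$1
    rc=0
    for pair in \
        net.ipv4.conf.all.log_martians=1 \
        net.ipv4.conf.default.accept_redirects=0 \
        net.ipv4.conf.all.send_redirects=0 \
        net.ipv4.conf.default.send_redirects=0 \
        net.ipv4.ip_forward=0
    do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective_sysctl "$file" "$key")
        if [ -z "$got" ]; then
            echo "missing $key (want $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "wrong $key=$got (want $want)"; rc=1
        else
            echo "ok $key=$got"
        fi
    done
    return $rc
}

# Constructed sample file: accept_redirects is absent, and ip_forward is
# assigned twice with the later "1" winning, so a naive grep for
# "ip_forward = 0" would wrongly report compliance.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed /etc/sysctl.conf for the demonstration
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects=0
net.ipv4.ip_forward = 0
; enabled later for a container lab and never reverted
net.ipv4.ip_forward = 1
EOF

audit_sysctl_file "$SAMPLE_CONF" || echo "sysctl audit: non-compliant settings found"
```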
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Unused Interfaces</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Network interfaces expand the attack surface of the | |
| system. Unused interfaces are not monitored or controlled, and | |
| should be disabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| If the system does not require network communications but still | |
| needs to use the loopback interface, remove all files of the form | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">ifcfg-<html:i>interface</html:i></html:code> except for <html:code xmlns:html="http://www.w3.org/1999/xhtml">ifcfg-lo</html:code> from | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/network-scripts</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo rm /etc/sysconfig/network-scripts/ifcfg-<html:i>interface</html:i></html:pre> | |
| If the system is a standalone machine with no need for network access or even | |
| communication over the loopback device, then disable this service. | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">network</html:code> service can be disabled with the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo systemctl disable network.service</html:pre></description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_network-wireless"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Wireless Networking</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Wireless networking, such as 802.11 | |
| (WiFi) and Bluetooth, can present a security risk to sensitive or | |
| classified systems and networks. Wireless networking hardware is | |
| much more likely to be included in laptop or portable systems than | |
| in desktops or servers. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Removal of hardware provides the greatest assurance that the wireless | |
| capability remains disabled. Acquisition policies often include provisions to | |
| prevent the purchase of equipment that will be used in sensitive spaces and | |
| includes wireless capabilities. If it is impractical to remove the wireless | |
| hardware, and policy permits the device to enter sensitive spaces as long | |
| as wireless is disabled, efforts should instead focus on disabling wireless capability | |
| via software.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_wireless_software"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Wireless Through Software Configuration</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If it is impossible to remove the wireless hardware | |
| from the device in question, disable as much of it as possible | |
| through software. The following methods can disable software | |
| support for wireless networking, but note that these methods do not | |
| prevent malicious software or careless users from re-activating the | |
| devices.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Deactivate Wireless Network Interfaces</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Deactivating wireless network interfaces should prevent | |
| normal usage of the wireless capability. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Configure the system to disable all wireless network interfaces with the | |
| following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo nmcli radio wifi off</html:pre></description> | |
| <reference href="">4.3.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.16</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000085</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002418</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(d)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000424-GPOS-00188</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">041010</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The use of wireless networking can introduce many different attack vectors into | |
| the organization's network. Common attack vectors such as malicious association | |
| and ad hoc networks will allow an attacker to spoof a wireless access point | |
| (AP), allowing validated systems to connect to the malicious AP and enabling the | |
| attacker to monitor and record network traffic. These malicious APs can also | |
| serve to create a man-in-the-middle attack or be used to create a denial of | |
| service to valid network resources.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-wireless_disable_interfaces_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_service_bluetooth_disabled" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Bluetooth Service</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">bluetooth</html:code> service can be disabled with the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo systemctl disable bluetooth.service</html:pre> | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo service bluetooth stop</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.16</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000085</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001551</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(d)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disabling the <html:code xmlns:html="http://www.w3.org/1999/xhtml">bluetooth</html:code> service prevents the system from attempting | |
| connections to Bluetooth devices, which entails some security risk. | |
| Nevertheless, variation in this risk decision may be expected due to the | |
| utility of Bluetooth connectivity and its limited range.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-service_bluetooth_disabled_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_wireless_disable_in_bios" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable WiFi or Bluetooth in BIOS</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Some machines that include built-in wireless support offer the | |
| ability to disable the device through the BIOS. This is hardware-specific; | |
| consult your hardware manual or explore the BIOS setup during | |
| boot.</description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000085</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(d)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disabling wireless support in the BIOS prevents easy | |
| activation of the wireless interface, generally requiring administrators | |
| to reboot the system first.</rationale> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Bluetooth Kernel Modules</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The kernel's module loading system can be configured to prevent | |
| loading of the Bluetooth module. Add the following to | |
| the appropriate <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/modprobe.d</html:code> configuration file | |
| to prevent the loading of the Bluetooth module: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">install bluetooth /bin/true</html:pre></description> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.13.1.3</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.16</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000085</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001551</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(d)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If Bluetooth functionality must be disabled, preventing the kernel | |
| from loading the kernel module provides an additional safeguard against its | |
| activation.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="kernel_module_bluetooth_disabled" system="urn:xccdf:fix:script:sh" reboot="true" complexity="low" disruption="medium" strategy="disable">if LC_ALL=C grep -q -m 1 "^install bluetooth" /etc/modprobe.d/bluetooth.conf ; then | |
| # the replacement text contains slashes, so they must be escaped inside s/// | |
| sed -i 's/^install bluetooth.*/install bluetooth \/bin\/true/g' /etc/modprobe.d/bluetooth.conf | |
| else | |
| printf '\n# Disable per security requirements\n' >> /etc/modprobe.d/bluetooth.conf | |
| echo "install bluetooth /bin/true" >> /etc/modprobe.d/bluetooth.conf | |
| fi | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="kernel_module_bluetooth_disabled" system="urn:xccdf:fix:script:ansible" reboot="true" complexity="low" disruption="medium" strategy="disable">- name: Ensure kernel module 'bluetooth' is disabled | |
| lineinfile: | |
| create: yes | |
| dest: "/etc/modprobe.d/{{item}}.conf" | |
| regexp: '{{item}}' | |
| line: "install {{item}} /bin/true" | |
| with_items: | |
| - bluetooth | |
| tags: | |
| - kernel_module_bluetooth_disabled | |
| - medium_severity | |
| - disable_strategy | |
| - low_complexity | |
| - medium_disruption | |
| - NIST-800-53-AC-17(8) | |
| - NIST-800-53-AC-18(a) | |
| - NIST-800-53-AC-18(d) | |
| - NIST-800-53-AC-18(3) | |
| - NIST-800-53-CM-7 | |
| - NIST-800-171-3.1.16 | |
| - CJIS-5.13.1.3 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-kernel_module_bluetooth_disabled:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-kernel_module_bluetooth_disabled_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_network_ssl"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Transport Layer Security Support</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Support for Transport Layer Security (TLS), and its predecessor, the Secure | |
| Sockets Layer (SSL), is included in Red Hat Enterprise Linux in the OpenSSL software (RPM package | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">openssl</html:code>). TLS provides encrypted and authenticated network | |
| communications, and many network services include support for it. TLS or SSL | |
| can be leveraged to avoid any plaintext transmission of sensitive data. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| For information on how to use OpenSSL, see | |
| <html:b xmlns:html="http://www.w3.org/1999/xhtml"><html:a href="http://www.openssl.org/docs/">http://www.openssl.org/docs/</html:a></html:b>. Information on FIPS validation | |
| of OpenSSL is available at <html:b xmlns:html="http://www.w3.org/1999/xhtml"><html:a href="http://www.openssl.org/docs/fips.html">http://www.openssl.org/docs/fips.html</html:a></html:b> | |
| and <html:b xmlns:html="http://www.w3.org/1999/xhtml"><html:a href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm">http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm</html:a></html:b>.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_network-uncommon"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Uncommon Network Protocols</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The system includes support for several network protocols which are not commonly used. | |
| Although security vulnerabilities in kernel networking code are not frequently discovered, | |
| the consequences can be dramatic. Ensuring uncommon network protocols are disabled | |
| reduces the system's exposure to attacks targeted at its implementation of those protocols.</description> | |
| <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Although these protocols are not commonly used, avoid disruption | |
| in your network environment by ensuring they are not needed | |
| prior to disabling them.</warning> | |
| <Rule id="xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable TIPC Support</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Transparent Inter-Process Communication (TIPC) protocol | |
| is designed to provide communications between nodes in a | |
| cluster. | |
| To configure the system to prevent the <html:code xmlns:html="http://www.w3.org/1999/xhtml">tipc</html:code> | |
| kernel module from being loaded, add the following line to a file in the directory <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/modprobe.d</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">install tipc /bin/true</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disabling TIPC protects | |
| the system against exploitation of any flaws in its implementation.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-kernel_module_tipc_disabled_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable DCCP Support</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Datagram Congestion Control Protocol (DCCP) is a | |
| relatively new transport layer protocol, designed to support | |
| streaming media and telephony. | |
| To configure the system to prevent the <html:code xmlns:html="http://www.w3.org/1999/xhtml">dccp</html:code> | |
| kernel module from being loaded, add the following line to a file in the directory <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/modprobe.d</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">install dccp /bin/true</html:pre></description> | |
| <reference href="">3.5.1</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.6</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001958</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">020101</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disabling DCCP protects | |
| the system against exploitation of any flaws in its implementation.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="kernel_module_dccp_disabled" system="urn:xccdf:fix:script:sh" reboot="true" complexity="low" disruption="medium" strategy="disable">if LC_ALL=C grep -q -m 1 "^install dccp" /etc/modprobe.d/dccp.conf ; then | |
| # the replacement text contains slashes, so they must be escaped inside s/// | |
| sed -i 's/^install dccp.*/install dccp \/bin\/true/g' /etc/modprobe.d/dccp.conf | |
| else | |
| printf '\n# Disable per security requirements\n' >> /etc/modprobe.d/dccp.conf | |
| echo "install dccp /bin/true" >> /etc/modprobe.d/dccp.conf | |
| fi | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="kernel_module_dccp_disabled" system="urn:xccdf:fix:script:ansible" reboot="true" complexity="low" disruption="medium" strategy="disable">- name: Ensure kernel module 'dccp' is disabled | |
| lineinfile: | |
| create: yes | |
| dest: "/etc/modprobe.d/{{item}}.conf" | |
| regexp: '{{item}}' | |
| line: "install {{item}} /bin/true" | |
| with_items: | |
| - dccp | |
| tags: | |
| - kernel_module_dccp_disabled | |
| - medium_severity | |
| - disable_strategy | |
| - low_complexity | |
| - medium_disruption | |
| - NIST-800-53-CM-7 | |
| - NIST-800-171-3.4.6 | |
| - CJIS-5.10.1 | |
| - DISA-STIG-020101 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-kernel_module_dccp_disabled:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-kernel_module_dccp_disabled_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable RDS Support</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Reliable Datagram Sockets (RDS) protocol is a transport | |
| layer protocol designed to provide reliable high-bandwidth, | |
| low-latency communications between nodes in a cluster. | |
| To configure the system to prevent the <html:code xmlns:html="http://www.w3.org/1999/xhtml">rds</html:code> | |
| kernel module from being loaded, add the following line to a file in the directory <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/modprobe.d</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">install rds /bin/true</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disabling RDS protects | |
| the system against exploitation of any flaws in its implementation.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-kernel_module_rds_disabled_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
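The rules in this group all rely on the same mechanism, an `install` directive in a file under `/etc/modprobe.d`, but the RDS rule above ships no remediation script and the Ansible task for DCCP only adds a line. The following shell functions are an added example, not part of the SCAP Security Guide: they write the directive idempotently (replacing a stale `install` line for the same module rather than appending a second one) and then check the whole directory for an effective directive. The directory is a parameter so the functions can be exercised against a scratch copy; on a real host it is `/etc/modprobe.d`. The stale override line used in the demonstration is constructed.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide: disable a kernel module
# the way this guide describes (an "install MODULE /bin/true" directive in a
# file under /etc/modprobe.d) and verify that the directive is present
# somewhere in the directory. The directory is a parameter so the functions
# can be run against a scratch copy; on a real host it is /etc/modprobe.d.

# module_disabled DIR MODULE: succeed if any *.conf in DIR carries an
# "install MODULE /bin/true" directive (extra whitespace tolerated).
module_disabled() {
    dir=$1; mod=$2
    # -s keeps grep quiet when DIR has no *.conf files at all
    grep -Eqs "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/true([[:space:]]|$)" "$dir"/*.conf
}

# disable_module DIR MODULE: put the directive in DIR/MODULE.conf, replacing
# any existing "install MODULE ..." line there (so a stale override such as
# "install MODULE /sbin/modprobe --ignore-install MODULE", which would load
# the module, is corrected rather than duplicated), then re-check DIR.
disable_module() {
    dir=$1; mod=$2
    conf="$dir/$mod.conf"
    mkdir -p "$dir" || return 1
    if [ -f "$conf" ] && grep -Eq "^[[:space:]]*install[[:space:]]+${mod}([[:space:]]|$)" "$conf"; then
        tmp=$(mktemp) || return 1
        sed -E "s#^[[:space:]]*install[[:space:]]+${mod}([[:space:]].*)?\$#install ${mod} /bin/true#" "$conf" > "$tmp" \
            && cat "$tmp" > "$conf"     # cat keeps the file's owner and mode
        rm -f "$tmp"
    else
        printf 'install %s /bin/true\n' "$mod" >> "$conf"
    fi
    module_disabled "$dir" "$mod"
}

# Demonstration on a scratch directory holding a constructed, stale override
# that would actually load the module instead of blocking it.
demo=$(mktemp -d)
printf 'install rds /sbin/modprobe --ignore-install rds\n' > "$demo/rds.conf"
if disable_module "$demo" rds; then
    echo "rds blocked; $demo/rds.conf now reads:"; cat "$demo/rds.conf"
fi
rm -rf "$demo"
```

On a live system, `modprobe -n -v rds` prints `install /bin/true` once the directive is in effect, and `lsmod | grep -w rds` shows whether an instance loaded before the change still needs `rmmod`: the directive only blocks future load attempts, it does not unload anything.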
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_network-ipsec"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">IPSec Support</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Support for Internet Protocol Security (IPsec)</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Any Configured IPSec Tunnel Connections</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Libreswan provides an implementation of IPsec | |
| and IKE, which permits the creation of secure tunnels over | |
| untrusted networks. As such, IPsec can also be used to circumvent network | |
| controls such as traffic filtering. Verify that every IPsec connection | |
| (<html:code xmlns:html="http://www.w3.org/1999/xhtml">conn</html:code>) configured in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ipsec.conf</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ipsec.d</html:code> | |
| is an approved organizational connection.</description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000336</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">IP tunneling mechanisms can be used to bypass network filtering.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-libreswan_approved_tunnels_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
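The OCIL questionnaire for this rule asks a reviewer to confirm each configured `conn` by hand. The following shell functions are an added example, not part of the SCAP Security Guide or of Libreswan: they enumerate the `conn` sections Libreswan would load and report any whose name is not on an approved list. They assume the stock layout in which `/etc/ipsec.conf` includes `/etc/ipsec.d/*.conf`; the configuration tree is a parameter so the example runs here against a constructed scratch copy, and the approved list and the sample connections are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide: list every IPsec
# connection ("conn" section) Libreswan would read from ipsec.conf and the
# ipsec.d directory, and report those not on an approved list. ETC is a
# parameter so the functions can run against a scratch tree; on a real host
# it is /etc.

# ipsec_conns ETC: print one conn name per line, sorted, from ETC/ipsec.conf
# and ETC/ipsec.d/*.conf. "conn %default" only supplies defaults, so skip it.
ipsec_conns() {
    etc=$1
    # -h drops file names, -s silences missing files; "|| true" keeps a
    # "no match" exit status from aborting callers that run under set -e
    grep -hsE '^[[:space:]]*conn[[:space:]]+[^[:space:]#]+' "$etc/ipsec.conf" "$etc"/ipsec.d/*.conf \
        | awk '{ print $2 }' | grep -v '^%default$' | sort -u || true
}

# unapproved_conns ETC "name1 name2 ...": print configured conns that are not
# in the space-separated approved list; exit 1 if there are any, else 0.
unapproved_conns() {
    etc=$1; approved=$2
    found=0
    for c in $(ipsec_conns "$etc"); do
        case " $approved " in
            *" $c "*) ;;                  # approved
            *) echo "$c"; found=1 ;;
        esac
    done
    return $found
}

# Demonstration on a constructed tree: one approved site-to-site tunnel in
# ipsec.conf and a stray road-warrior conn someone dropped into ipsec.d.
demo=$(mktemp -d); mkdir -p "$demo/ipsec.d"
cat > "$demo/ipsec.conf" <<'EOF'
config setup
    logfile=/var/log/pluto.log
conn %default
    keyexchange=ike
conn hq-to-branch
    left=192.0.2.1
    right=198.51.100.1
    auto=start
include /etc/ipsec.d/*.conf
EOF
cat > "$demo/ipsec.d/test.conf" <<'EOF'
conn anyone-in   # not on the approved list
    left=%defaultroute
    right=%any
    auto=add
EOF
echo "configured conns:"; ipsec_conns "$demo"
echo "not approved:";     unapproved_conns "$demo" "hq-to-branch" || echo "(review the above with the network owner)"
rm -rf "$demo"
```

Compare the result with `ipsec status` on the running system, which shows the connections pluto has actually loaded: a `conn` that is configured but absent from the running daemon, or vice versa, deserves a question just as much as an unapproved name does.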
| <Rule id="xccdf_org.ssgproject.content_rule_package_libreswan_installed" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Install libreswan Package</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Libreswan package provides an implementation of IPsec | |
| and IKE, which permits the creation of secure tunnels over | |
| untrusted networks. | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">libreswan</html:code> package can be installed with the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo dnf install libreswan</html:pre></description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001130</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001131</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-9</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-4.1</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Providing the ability for remote users or systems | |
| to initiate a secure VPN connection protects information when it is | |
| transmitted over a wide area network.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="package_libreswan_installed" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_function_package_install" use="legacy"/> | |
| package_install libreswan | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="package_libreswan_installed" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: Ensure libreswan is installed | |
| package: | |
| name: "{{item}}" | |
| state: present | |
| with_items: | |
| - libreswan | |
| tags: | |
| - package_libreswan_installed | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-17 | |
| - NIST-800-53-MA-4 | |
| - NIST-800-53-SC-9 | |
| - PCI-DSS-Req-4.1 | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="package_libreswan_installed" system="urn:xccdf:fix:script:puppet" complexity="low" disruption="low" strategy="enable">include install_libreswan | |
| class install_libreswan { | |
| package { 'libreswan': | |
| ensure => 'installed', | |
| } | |
| } | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="package_libreswan_installed" system="urn:redhat:anaconda:pre" complexity="low" disruption="low" strategy="enable"> | |
| package --add=libreswan | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-package_libreswan_installed:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-package_libreswan_installed_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_network-firewalld"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">firewalld</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The dynamic firewall daemon <html:code xmlns:html="http://www.w3.org/1999/xhtml">firewalld</html:code> provides a | |
| dynamically managed firewall with support for network “zones” to assign | |
| a level of trust to a network and its associated connections and interfaces. | |
| It has support for IPv4 and IPv6 firewall settings. It supports Ethernet | |
| bridges and has a separation of runtime and permanent configuration options. | |
| It also has an interface for services or applications to add firewall rules | |
| directly. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| A graphical configuration tool, <html:code xmlns:html="http://www.w3.org/1999/xhtml">firewall-config</html:code>, is used to configure | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">firewalld</html:code>, which in turn uses the <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables</html:code> tool (or, in newer firewalld releases, the nftables backend) to communicate | |
| with <html:code xmlns:html="http://www.w3.org/1999/xhtml">Netfilter</html:code> in the kernel, which implements packet filtering. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The firewall service provided by <html:code xmlns:html="http://www.w3.org/1999/xhtml">firewalld</html:code> is dynamic rather than | |
| static because changes to the configuration can be made at any time and are | |
| applied immediately. There is no need to save or apply the changes, and no | |
| unintended disruption of existing network connections occurs, as no part of | |
| the firewall has to be reloaded. Note that a change made at runtime without <html:code xmlns:html="http://www.w3.org/1999/xhtml">--permanent</html:code> is discarded on the next reload or restart; use <html:code xmlns:html="http://www.w3.org/1999/xhtml">--permanent</html:code> (or <html:code xmlns:html="http://www.w3.org/1999/xhtml">--runtime-to-permanent</html:code>) to keep it.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_ruleset_modifications"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Strengthen the Default Ruleset</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The default rules can be strengthened. The system | |
| scripts that activate the firewall rules expect them to be defined | |
| in configuration files under the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/firewalld/services</html:code> | |
| and <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/firewalld/zones</html:code> directories. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The following recommendations describe how to strengthen the | |
| default ruleset configuration files. An alternative to editing these | |
| configuration files directly is to create a shell script that makes calls to | |
| the <html:code xmlns:html="http://www.w3.org/1999/xhtml">firewall-cmd</html:code> program with <html:code xmlns:html="http://www.w3.org/1999/xhtml">--permanent</html:code>, which writes the resulting service and zone definitions under the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/firewalld/services</html:code> | |
| and <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/firewalld/zones</html:code> directories. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Instructions apply to both unless otherwise noted. Language and address | |
| conventions for regular firewalld rules are used throughout this section.</description> | |
| <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">The program <html:code xmlns:html="http://www.w3.org/1999/xhtml">firewall-config</html:code> | |
| allows additional services to penetrate the default firewall rules | |
| and automatically adjusts the <html:code xmlns:html="http://www.w3.org/1999/xhtml">firewalld</html:code> ruleset(s).</warning> | |
| <Rule id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Default firewalld Zone for Incoming Packets</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To make <html:code xmlns:html="http://www.w3.org/1999/xhtml">drop</html:code> the default zone, i.e. the zone that handles | |
| incoming IPv4 and IPv6 packets on every interface and source not explicitly bound to another zone, | |
| modify the following line in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/firewalld/firewalld.conf</html:code> to be: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">DefaultZone=drop</html:pre> | |
| The daemon reads this file when it starts, so restart <html:code xmlns:html="http://www.w3.org/1999/xhtml">firewalld</html:code> afterwards (or run <html:code xmlns:html="http://www.w3.org/1999/xhtml">firewall-cmd --set-default-zone=drop</html:code>, which applies the change immediately and also writes it to this file). Before changing the default zone on a remote system, make sure the interface used to administer it is bound to a zone that admits the management service, such as <html:code xmlns:html="http://www.w3.org/1999/xhtml">ssh</html:code>; otherwise the change cuts off remote access.</description> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.6</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In <html:code xmlns:html="http://www.w3.org/1999/xhtml">firewalld</html:code> traffic is assigned to the default zone only when | |
| it matches none of the interface or source bindings of the other zones. Setting the | |
| default zone to <html:code xmlns:html="http://www.w3.org/1999/xhtml">drop</html:code> implements proper firewall design, i.e. | |
| any packet that is not explicitly permitted is silently discarded rather than | |
| accepted.</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-set_firewalld_default_zone:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-set_firewalld_default_zone_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_firewalld_activation"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Inspect and Activate Default firewalld Rules</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Firewalls can be used to separate networks into different zones | |
| based on the level of trust the user has decided to place on the devices and | |
| traffic within that network. <html:code xmlns:html="http://www.w3.org/1999/xhtml">NetworkManager</html:code> informs firewalld to which | |
| zone an interface belongs. An interface's assigned zone can be changed by | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">NetworkManager</html:code> or via the <html:code xmlns:html="http://www.w3.org/1999/xhtml">firewall-config</html:code> tool. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The zone settings in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/firewalld/</html:code> are a range of preset settings | |
| which can be quickly applied to a network interface. These are the zones | |
| provided by firewalld sorted according to the default trust level of the | |
| zones from untrusted to trusted: | |
| <html:ul xmlns:html="http://www.w3.org/1999/xhtml"><html:li><html:code>drop</html:code><html:br/><html:p>Any incoming network packets are dropped, there is no | |
| reply. Only outgoing network connections are possible.</html:p></html:li><html:li><html:code>block</html:code><html:br/><html:p>Any incoming network connections are rejected with an | |
| <html:code>icmp-host-prohibited</html:code> message for IPv4 and <html:code>icmp6-adm-prohibited</html:code> | |
| for IPv6. Only network connections initiated from within the system are | |
| possible.</html:p></html:li><html:li><html:code>public</html:code><html:br/><html:p>For use in public areas. You do not trust the other | |
| computers on the network to not harm your computer. Only selected incoming | |
| connections are accepted.</html:p></html:li><html:li><html:code>external</html:code><html:br/><html:p>For use on external networks with masquerading enabled | |
| especially for routers. You do not trust the other computers on the network to | |
| not harm your computer. Only selected incoming connections are accepted.</html:p></html:li><html:li><html:code>dmz</html:code><html:br/><html:p>For computers in your demilitarized zone that are | |
| publicly-accessible with limited access to your internal network. Only selected | |
| incoming connections are accepted.</html:p></html:li><html:li><html:code>work</html:code><html:br/><html:p>For use in work areas. You mostly trust the other computers | |
| on networks to not harm your computer. Only selected incoming connections are | |
| accepted.</html:p></html:li><html:li><html:code>home</html:code><html:br/><html:p>For use in home areas. You mostly trust the other computers | |
| on networks to not harm your computer. Only selected incoming connections are | |
| accepted.</html:p></html:li><html:li><html:code>internal</html:code><html:br/><html:p>For use on internal networks. You mostly trust the | |
| other computers on the networks to not harm your computer. Only selected | |
| incoming connections are accepted.</html:p></html:li><html:li><html:code>trusted</html:code><html:br/><html:p>All network connections are accepted.</html:p></html:li></html:ul> | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| It is possible to designate one of these zones to be the default zone. When | |
| interface connections are added to <html:code xmlns:html="http://www.w3.org/1999/xhtml">NetworkManager</html:code>, they are assigned | |
| to the default zone. On installation, the default zone in firewalld is set to | |
| be the public zone. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| To find out all the settings of a zone, for example the <html:code xmlns:html="http://www.w3.org/1999/xhtml">public</html:code> zone, | |
| enter the following command as root: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml"># firewall-cmd --zone=public --list-all</html:pre> | |
| Example output of this command might look like the following (newer firewalld releases add fields such as <html:code xmlns:html="http://www.w3.org/1999/xhtml">target</html:code>, <html:code xmlns:html="http://www.w3.org/1999/xhtml">sources</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">rich rules</html:code>): | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml"> | |
| # firewall-cmd --zone=public --list-all | |
| public | |
| interfaces: | |
| services: mdns dhcpv6-client ssh | |
| ports: | |
| forward-ports: | |
| icmp-blocks: source-quench | |
| </html:pre> | |
| To view the services that <html:code xmlns:html="http://www.w3.org/1999/xhtml">firewalld</html:code> knows about, and which can therefore be added to a zone, enter the following command as root: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml"># firewall-cmd --get-services</html:pre> | |
| The following listing displays the result of this command on a common Red Hat | |
| Enterprise Linux 7 Server system: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml"> | |
| # firewall-cmd --get-services | |
| amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp | |
| high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd | |
| ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn | |
| pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind | |
| samba samba-client smtp ssh telnet tftp tftp-client transmission-client | |
| vnc-server wbem-https | |
| </html:pre> | |
| To view the services defined in the permanent configuration, i.e. the set that will be | |
| available after the next <html:code xmlns:html="http://www.w3.org/1999/xhtml">firewalld</html:code> reload, enter the following command as root: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml"># firewall-cmd --permanent --get-services</html:pre> | |
| Finally, to view the zones that are currently active, together with the interfaces and sources bound to each, enter: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml"># firewall-cmd --get-active-zones</html:pre></description> | |
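Both the DefaultZone rule above and the zone inspection described in this group come down to reading one configuration key and one `firewall-cmd` listing. The following shell functions are an added example, not part of the SCAP Security Guide or of firewalld: they parse `firewalld.conf` for `DefaultZone` and the text of `firewall-cmd --zone=ZONE --list-all` for the admitted services, and fail the audit if the default zone is not `drop` or the zone admits a service outside an expected set. The configuration path and the command output are parameters so the example runs here against constructed samples (the sample listing follows the format shown in this section); the expected service set is an assumption for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide: automate the two checks
# this section describes, (1) that firewalld.conf sets DefaultZone=drop and
# (2) which services a zone admits according to the output of
# "firewall-cmd --zone=ZONE --list-all". Paths and captured output are
# arguments so the functions can be run against constructed samples; on a
# live host pass /etc/firewalld/firewalld.conf and the real command output.

# default_zone CONF: print the DefaultZone value from a firewalld.conf file
# (commented lines ignored; if the key appears twice, the last one is used).
default_zone() {
    awk -F= '/^[[:space:]]*DefaultZone[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); z = $2 }
             END { print z }' "$1"
}

# zone_services OUTPUT: print the space-separated service list from the
# captured --list-all output (empty when the zone admits no services).
zone_services() {
    printf '%s\n' "$1" | awk -F': *' '/^[[:space:]]*services:/ { print $2 }'
}

# unexpected_services OUTPUT "svc1 svc2 ...": print admitted services that are
# not on the expected list; exit 1 if there are any, else 0.
unexpected_services() {
    out=$1; expected=$2
    rc=0
    for s in $(zone_services "$out"); do
        case " $expected " in
            *" $s "*) ;;
            *) echo "$s"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_firewalld CONF OUTPUT EXPECTED: exit 0 only when the default zone is
# "drop" and the inspected zone admits nothing beyond EXPECTED.
audit_firewalld() {
    conf=$1; out=$2; expected=$3
    rc=0
    z=$(default_zone "$conf")
    if [ "$z" != "drop" ]; then
        echo "DefaultZone is '${z:-unset}', expected drop"
        rc=1
    fi
    extra=$(unexpected_services "$out" "$expected" | tr '\n' ' ')
    if [ -n "$extra" ]; then
        echo "services admitted beyond the expected set: $extra"
        rc=1
    fi
    return $rc
}

# Demonstration with constructed samples: a stock firewalld.conf and the
# --list-all output shown in this section, audited against an expected set
# that deliberately omits mdns.
conf=$(mktemp)
printf 'DefaultZone=public\nLockdown=no\n' > "$conf"
listall='public
  interfaces:
  services: mdns dhcpv6-client ssh
  ports:
  forward-ports:
  icmp-blocks: source-quench'
audit_firewalld "$conf" "$listall" "ssh dhcpv6-client" || echo "audit FAILED (expected for a stock install)"
rm -f "$conf"
```

On a live host the call is `audit_firewalld /etc/firewalld/firewalld.conf "$(firewall-cmd --zone=public --list-all)" "ssh dhcpv6-client"`. Note that `firewall-cmd --get-default-zone` prints the runtime default, which can differ from the value in the file until the daemon has been restarted.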
| <Rule id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify firewalld Enabled</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> The <html:code xmlns:html="http://www.w3.org/1999/xhtml">firewalld</html:code> service can be enabled with the following command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo systemctl enable firewalld.service</html:pre></description> | |
| <reference href="">4.7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A host firewall enhances the system's security posture by restricting | |
| inbound access to explicitly permitted services and to known-good IP addresses and address ranges. This | |
| prevents connections from unknown hosts and over unexpected protocols.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="service_firewalld_enabled" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| SYSTEMCTL_EXEC='/usr/bin/systemctl' | |
| "$SYSTEMCTL_EXEC" start 'firewalld.service' | |
| "$SYSTEMCTL_EXEC" enable 'firewalld.service' | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="service_firewalld_enabled" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: Enable service firewalld | |
| service: | |
| name: "{{item}}" | |
| enabled: "yes" | |
| state: "started" | |
| with_items: | |
| - firewalld | |
| tags: | |
| - service_firewalld_enabled | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-CM-6(b) | |
| - NIST-800-171-3.1.3 | |
| - NIST-800-171-3.4.7 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-service_firewalld_enabled:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-service_firewalld_enabled_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| </Group> | |
| <Rule id="xccdf_org.ssgproject.content_rule_network_disable_zeroconf" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Zeroconf Networking</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Zeroconf networking allows the system to assign itself an IP | |
| address and engage in IP communication without a statically-assigned address or | |
| even a DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not | |
| recommended. To disable Zeroconf automatic route assignment in the 169.254.0.0/16 | |
| subnet, add or correct the following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/network</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">NOZEROCONF=yes</html:pre> | |
| This variable is read by the legacy network scripts; for interfaces managed by <html:code xmlns:html="http://www.w3.org/1999/xhtml">NetworkManager</html:code>, link-local addressing is configured per connection instead.</description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Zeroconf addresses are in the network 169.254.0.0/16. The networking | |
| scripts add entries to the system's routing table for these addresses. Zeroconf | |
| address assignment commonly occurs when the system is configured to use DHCP | |
| but fails to receive an address assignment from the DHCP server.</rationale> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_network_sniffer_disabled" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure System is Not Acting as a Network Sniffer</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The system should not be acting as a network sniffer, which can | |
| capture all traffic on the network to which it is connected. Run the following | |
| to determine if any interface is running in promiscuous mode: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ ip link | grep PROMISC</html:pre></description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(2).1(i)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-3</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Network interfaces in promiscuous mode allow for the capture of all network traffic | |
| visible to the system. If unauthorized individuals can access these applications, it | |
| may allow them to collect information such as logon IDs, passwords, and key exchanges | |
| between systems. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| If the system is being used to perform a network troubleshooting function, the use of these | |
| tools must be documented with the Information Systems Security Manager (ISSM) and restricted | |
| to only authorized personnel.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-network_sniffer_disabled_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_entropy"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Protect Random-Number Entropy Pool</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The I/O operations of the Linux kernel block layer, because of their inherently | |
| unpredictable completion times, have traditionally been treated as a reliable | |
| source of entropy for the kernel's random-number pool. The introduction of | |
| solid-state storage devices (SSDs) has changed this.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_kernel_disable_entropy_contribution_for_solid_state_drives" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">For each solid-state drive on the system, run: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml"> # echo 0 > /sys/block/DRIVE/queue/add_random</html:pre> | |
| The setting is not persistent: it is lost on reboot or when the device is re-enumerated, so also apply it from a udev rule or a boot-time script.</description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In contrast to traditional electromechanical magnetic disks, which contain | |
| spinning platters and movable read/write heads, solid-state storage | |
| devices (SSDs) have no moving mechanical components. Their I/O completion | |
| times are therefore far more predictable, and timing jitter derived from them | |
| contributes much less genuine unpredictability to the entropy pool.</rationale> | |
| </Rule> | |
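The rule above lists one `echo` per drive. The following shell script is an added example, not part of the SCAP Security Guide: it selects every non-rotational block device by its `queue/rotational` attribute, applies `add_random=0` to each and verifies the read-back. The sysfs root is a parameter so it runs here against a constructed directory tree; on a real host it is `/sys`. The udev rule in the trailing comment is this editor's suggestion for making the setting persistent, not something the guide prescribes.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide: apply the add_random
# setting from this rule to every non-rotational block device rather than
# naming each drive by hand, and verify the result. The sysfs root is a
# parameter so the logic can be exercised against a constructed directory
# tree; on a real host it is /sys. Selection is by the rotational flag, not
# the device name, so NVMe and virtual devices that expose the same queue
# attributes are covered as well.

# ssd_devices SYSFS: print the name of every block device whose
# queue/rotational attribute is 0, one per line.
ssd_devices() {
    sysfs=$1
    for rot in "$sysfs"/block/*/queue/rotational; do
        [ -r "$rot" ] || continue
        if [ "$(cat "$rot")" = "0" ]; then
            dev=${rot%/queue/rotational}
            echo "${dev##*/}"
        fi
    done
}

# disable_ssd_entropy SYSFS: write 0 to queue/add_random for each SSD and
# read it back; exit 1 if any device lacks the attribute or still reports 1.
disable_ssd_entropy() {
    sysfs=$1
    rc=0
    for dev in $(ssd_devices "$sysfs"); do
        attr="$sysfs/block/$dev/queue/add_random"
        if [ ! -f "$attr" ]; then
            echo "$dev: no add_random attribute" >&2
            rc=1
            continue
        fi
        echo 0 > "$attr" 2>/dev/null || rc=1
        if [ "$(cat "$attr")" = "0" ]; then
            echo "$dev: add_random=0"
        else
            echo "$dev: add_random still $(cat "$attr")" >&2
            rc=1
        fi
    done
    return $rc
}

# Demonstration on a constructed tree: one spinning disk (left alone) and two
# SSDs whose add_random flag is still 1, as on an older kernel.
demo=$(mktemp -d)
for dev in sda nvme0n1 sdb; do mkdir -p "$demo/block/$dev/queue"; done
echo 1 > "$demo/block/sda/queue/rotational";     echo 1 > "$demo/block/sda/queue/add_random"
echo 0 > "$demo/block/nvme0n1/queue/rotational"; echo 1 > "$demo/block/nvme0n1/queue/add_random"
echo 0 > "$demo/block/sdb/queue/rotational";     echo 1 > "$demo/block/sdb/queue/add_random"
disable_ssd_entropy "$demo"
rm -rf "$demo"

# The sysfs write does not survive a reboot or device re-enumeration. A udev
# rule such as the following (for example in
# /etc/udev/rules.d/60-ssd-add-random.rules) applies it whenever a
# non-rotational block device appears:
#   ACTION=="add|change", SUBSYSTEM=="block", ATTR{queue/rotational}=="0", ATTR{queue/add_random}="0"
```

Current kernels already clear `add_random` for SCSI disks they detect as non-rotational, so on such a host the read-back often shows 0 before any write and the script merely confirms it; the check is still worth keeping for devices that do not go through that code path.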
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_accounts"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Account and Access Control</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In traditional Unix security, if an attacker gains | |
| shell access to a certain login account, they can perform any action | |
| or access any file to which that account has access. Therefore, | |
| making it more difficult for unauthorized people to gain shell | |
| access to accounts, particularly to privileged accounts, is a | |
| necessary part of securing a system. This section introduces | |
| mechanisms for restricting access to accounts under | |
| Fedora.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_accounts-pam"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Protect Accounts by Configuring PAM</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">PAM, or Pluggable Authentication Modules, is a system | |
| which implements modular authentication for Linux programs. PAM provides | |
| a flexible and configurable architecture for authentication, and it should be configured | |
| to minimize exposure to unnecessary risk. This section contains | |
| guidance on how to accomplish that. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| PAM is implemented as a set of shared objects which are | |
| loaded and invoked whenever an application wishes to authenticate a | |
| user. Typically, the application must be running as root in order | |
| to take advantage of PAM, because PAM's modules often need to be able | |
| to access sensitive stores of account information, such as <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/shadow</html:code> | |
| (<html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_unix</html:code> itself falls back to the setuid helper <html:code xmlns:html="http://www.w3.org/1999/xhtml">unix_chkpwd</html:code>, which lets an unprivileged process verify only the password of the user it runs as). | |
| Traditional privileged network listeners | |
| (e.g. sshd) or SUID programs (e.g. sudo) already meet this | |
| requirement. An SUID root application, userhelper, is provided so | |
| that programs which are not SUID or privileged themselves can still | |
| take advantage of PAM. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| PAM looks in the directory <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d</html:code> for | |
| application-specific configuration information. For instance, if | |
| the program login attempts to authenticate a user, then PAM's | |
| libraries follow the instructions in the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/login</html:code> | |
| to determine what actions should be taken. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| One very important file in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d</html:code> is | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code>. This file, which is included by | |
| many other PAM configuration files, defines 'default' system authentication | |
| measures. Modifying this file is a good way to make far-reaching | |
| authentication changes, for instance when implementing a | |
| centralized authentication service.</description> | |
| <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="functionality">Be careful when making changes to PAM's configuration files. | |
| The syntax for these files is complex, and modifications can | |
| have unexpected consequences. The default configurations shipped | |
| with applications should be sufficient for most users.</warning> | |
| <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="functionality">Running <html:code xmlns:html="http://www.w3.org/1999/xhtml">authconfig</html:code> or <html:code xmlns:html="http://www.w3.org/1999/xhtml">system-config-authentication</html:code> | |
| (or, on current Fedora releases, <html:code xmlns:html="http://www.w3.org/1999/xhtml">authselect</html:code>, which replaced them) | |
| will re-write the PAM configuration files, destroying any manually | |
| made changes and replacing them with a series of system defaults. | |
| One reference to the configuration file syntax can be found at | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html">http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html</html:a>.</warning> | |
| <Value id="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">remember</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The last n passwords for each user are saved in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/security/opasswd</html:code> in order to force password change history and | |
| keep the user from alternating between the same password too | |
| frequently.</description> | |
| <value selector="0">0</value> | |
| <value selector="10">10</value> | |
| <value selector="24">24</value> | |
| <value selector="4">4</value> | |
| <value selector="5">5</value> | |
| <value>5</value> | |
| </Value> | |
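This variable selects the value given to the `remember=` option of `pam_unix` on the `password` line of `/etc/pam.d/system-auth`. The following shell functions are an added example, not part of the SCAP Security Guide: they read that option from a PAM configuration file and compare it with a required minimum. The file path is a parameter so the check runs here against a constructed fragment; the sample lines follow the shape of Fedora's stock `system-auth` but are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide: read the remember=N
# option off the pam_unix "password" line of a PAM configuration file and
# compare it with the value selected for this variable. The file path is a
# parameter so the check can run against a constructed copy; on a real host
# it is /etc/pam.d/system-auth (and password-auth, which sshd uses).

# pam_unix_remember FILE: print N from "remember=N" on the first uncommented
# "password ... pam_unix.so" line, or 0 when the option is absent (pam_unix
# keeps no history unless told to).
pam_unix_remember() {
    awk '
        /^[[:space:]]*#/ { next }                         # comment line
        $1 == "password" && $0 ~ /pam_unix\.so/ && !seen {
            seen = 1; n = 0
            # options start after the control field; a bracketed control
            # such as [success=1 default=ignore] just shifts them right
            for (i = 3; i <= NF; i++)
                if ($i ~ /^remember=[0-9]+$/) { split($i, kv, "="); n = kv[2] }
        }
        END { print n + 0 }
    ' "$1"
}

# check_remember FILE MIN: exit 0 if the configured history depth is at
# least MIN, otherwise report and exit 1.
check_remember() {
    n=$(pam_unix_remember "$1")
    if [ "$n" -ge "$2" ]; then
        echo "remember=$n (>= $2)"
    else
        echo "remember=$n is below the required $2" >&2
        return 1
    fi
}

# Demonstration against a constructed system-auth fragment in the shape
# Fedora ships; the password stack sets remember=5, the default this guide
# selects for the variable.
f=$(mktemp)
cat > "$f" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password    required      pam_deny.so
EOF
check_remember "$f" 5
rm -f "$f"
```

Run it against both `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth`, since sshd uses the latter. On current Fedora releases `authselect` regenerates both files from a profile, so the option belongs in a custom profile rather than in a hand edit (see the warning above); `pam_pwhistory` accepts the same `remember=` option and writes the same `/etc/security/opasswd` file.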
| <Group id="xccdf_org.ssgproject.content_group_password_quality"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Quality Requirements</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The default <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_pwquality</html:code> PAM module provides strength | |
| checking for passwords. It performs a number of checks, such as | |
| making sure passwords are not similar to dictionary words, are of | |
| at least a certain length, are not the previous password reversed, | |
| and are not simply a change of case from the previous password. It | |
| can also require passwords to be in certain character classes. The | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_pwquality</html:code> module is the preferred way of configuring | |
| password requirements. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_cracklib</html:code> PAM module provides the same kind of strength | |
| checking as <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_pwquality</html:code>: similarity to dictionary words, | |
| minimum length, the previous password reversed or merely changed in case, and | |
| required character classes. Its options are documented below for systems that still use it. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The man pages <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_pwquality(8)</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_cracklib(8)</html:code> | |
| provide information on the capabilities and configuration of | |
| each.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_password_quality_pamcracklib"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Quality Requirements, if using | |
| pam_cracklib</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_cracklib</html:code> PAM module can be configured to meet | |
| requirements for a variety of policies. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| For example, to configure <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_cracklib</html:code> to require at least one uppercase | |
| character, lowercase character, digit, and other (special) | |
| character, locate the following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">password requisite pam_cracklib.so try_first_pass retry=3</html:pre> | |
| and then alter it to read: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4</html:pre> | |
| If no such line exists, add one as the first line of the password section in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code>. | |
| The arguments can be modified to ensure compliance with | |
| your organization's security policy. Discussion of each parameter follows.</description> | |
| <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Note that by default the password quality requirements are not enforced for the | |
| root account: when root sets a password that fails a check, the module prints the failure message but still | |
| accepts the password. Add the <html:code xmlns:html="http://www.w3.org/1999/xhtml">enforce_for_root</html:code> option to the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_cracklib.so</html:code> line to have the checks fail for root as well.</warning> | |
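The procedure above (locate the pam_cracklib.so line in /etc/pam.d/system-auth, make it the first line of the password section, and set the listed arguments) can be audited mechanically. The following Python script is an added example written for this guide, not part of the scap-security-guide content or its OCIL questionnaires; the system-auth text it reads is a constructed sample, and the POLICY table encodes the values from the example line. It reports any argument that is missing or weaker than the example line, flags a control flag other than required or requisite (with which a failed check would not block the change), and notes when enforce_for_root is absent.

```python
"""Audit the pam_cracklib.so line in a system-auth file (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed /etc/pam.d/system-auth excerpt, written for this example (not a real
# system's file). Its pam_cracklib line is deliberately weaker than the guide's.
SAMPLE_SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so

account     required      pam_unix.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    required      pam_deny.so
"""

# Values from the guide's example line. "min": the setting must be >= the value;
# "max": the setting must be <= the value (credits are negative, so -1 is the
# weakest acceptable requirement and -2 is stricter).
POLICY = {
    "minlen":    (14, "min"),
    "dcredit":   (-1, "max"),
    "ucredit":   (-1, "max"),
    "lcredit":   (-1, "max"),
    "ocredit":   (-1, "max"),
    "difok":     (4,  "min"),
    "maxrepeat": (3,  "max"),
    "retry":     (3,  "max"),
}

PAM_LINE = re.compile(r"^\s*(auth|account|password|session)\s+(\S+)\s+(\S+)(.*)$")
PamRow = Tuple[str, str, str, Dict[str, str]]


def parse_pam(text: str) -> List[PamRow]:
    """Return (type, control, module, args) for each PAM line; comments are dropped."""
    rows: List[PamRow] = []
    for raw in text.splitlines():
        match = PAM_LINE.match(raw.split("#", 1)[0].rstrip())
        if not match:
            continue
        mtype, control, module, rest = match.groups()
        args: Dict[str, str] = {}
        for token in rest.split():
            key, _, value = token.partition("=")   # flags like try_first_pass get ""
            args[key] = value
        rows.append((mtype, control, module, args))
    return rows


def audit(text: str, module: str = "pam_cracklib.so") -> List[str]:
    """List deviations of the module's password line from POLICY ([] = compliant)."""
    findings: List[str] = []
    pw_lines = [row for row in parse_pam(text) if row[0] == "password"]
    hits = [row for row in pw_lines if row[2] == module]
    if not hits:
        return [f"{module} is not in the password stack"]
    if pw_lines[0][2] != module:
        findings.append(f"{module} is not the first line of the password section")
    _, control, _, args = hits[0]
    if control not in ("required", "requisite"):
        findings.append(f"control is '{control}': a failed check does not block the change")
    for key, (want, direction) in POLICY.items():
        if key not in args:
            findings.append(f"{key} not set")
            continue
        try:
            have = int(args[key])
        except ValueError:
            findings.append(f"{key}={args[key]!r} is not an integer")
            continue
        if key == "maxrepeat" and have == 0:
            findings.append("maxrepeat=0 disables the repeat check")
        elif direction == "min" and have < want:
            findings.append(f"{key}={have} is below the required {want}")
        elif direction == "max" and have > want:
            findings.append(f"{key}={have} is weaker than the required {want}")
    if "enforce_for_root" not in args:
        findings.append("enforce_for_root missing: root can still set a non-compliant password")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SYSTEM_AUTH) or ["compliant"]:
        print(finding)
```

Run it against the real file with `audit(open("/etc/pam.d/system-auth").read())`; pass `module="pam_pwquality.so"` to check a pwquality stack, bearing in mind that with pam_pwquality most of these values normally live in /etc/security/pwquality.conf rather than on the PAM line.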
| <Rule id="xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_minlen" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Minimum Length</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_cracklib module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">minlen</html:code> parameter sets the minimum number of | |
| characters required in a password. Add <html:code xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">minlen=<sub idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen" use="legacy"/></html:code> | |
| after pam_cracklib.so to set the minimum password length.</description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Password length is one factor of several that helps to determine | |
| strength and how long it takes to crack a password. Use of more characters in | |
| a password helps to exponentially increase the time and/or resources | |
| required to compromise the password.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-cracklib_accounts_password_pam_minlen_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_ucredit" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Strength Minimum Uppercase Characters</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_cracklib module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">ucredit=</html:code> parameter controls requirements for | |
| usage of uppercase letters in a password. When set to a negative number, any password will be required to | |
| contain at least that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional | |
| length credit toward <html:code xmlns:html="http://www.w3.org/1999/xhtml">minlen</html:code> for each uppercase character, up to that many credits. | |
| Add <html:code xmlns:html="http://www.w3.org/1999/xhtml">ucredit=-1</html:code> after pam_cracklib.so to require use of an upper case character in passwords.</description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.7</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Requiring a minimum number of uppercase characters makes password guessing attacks | |
| more difficult by ensuring a larger search space.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-cracklib_accounts_password_pam_ucredit_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_maxrepeat" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password to Maximum of Three Consecutive Repeating Characters</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_cracklib module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">maxrepeat</html:code> parameter limits runs of | |
| consecutive identical characters. When set to a positive number, it rejects passwords that contain more than that many | |
| consecutive identical characters; the default of 0 disables the check. Add <html:code xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">maxrepeat=<sub idref="xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat" use="legacy"/></html:code> | |
| after pam_cracklib.so to prevent a run of (<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat" use="legacy"/> + 1) or more identical characters:<html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">password required pam_cracklib.so maxrepeat=<sub idref="xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat" use="legacy"/></html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-cracklib_accounts_password_pam_maxrepeat_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_retry" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Retry Prompts Permitted Per-Session</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To configure the number of retry prompts that are permitted per-session: | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Edit the <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_cracklib.so</html:code> statement in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code> to | |
| show <html:code xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">retry=<sub idref="xccdf_org.ssgproject.content_value_var_password_pam_retry" use="legacy"/></html:code>, or a lower value if site policy is more restrictive. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The DoD requirement is a maximum of 3 prompts per session.</description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Setting the password retry prompts that are permitted on a per-session basis to a low value | |
| requires some software, such as SSH, to re-connect. This can slow down and | |
| draw additional attention to some types of password-guessing attacks. Note that this | |
| is different from account lockout, which is provided by the pam_faillock module.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-cracklib_accounts_password_pam_retry_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_lcredit" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Strength Minimum Lowercase Characters</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_cracklib module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">lcredit=</html:code> parameter controls requirements for | |
| usage of lowercase letters in a password. When set to a negative number, any password will be required to | |
| contain at least that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional | |
| length credit toward <html:code xmlns:html="http://www.w3.org/1999/xhtml">minlen</html:code> for each lowercase character, up to that many credits. | |
| Add <html:code xmlns:html="http://www.w3.org/1999/xhtml">lcredit=-1</html:code> after pam_cracklib.so to require use of a lowercase character in passwords.</description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Requiring a minimum number of lowercase characters makes password guessing attacks | |
| more difficult by ensuring a larger search space.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-cracklib_accounts_password_pam_lcredit_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_difok" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Strength Minimum Different Characters</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_cracklib module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">difok</html:code> parameter controls requirements for | |
| usage of different characters during a password change. | |
| Add <html:code xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">difok=<html:i><sub idref="xccdf_org.ssgproject.content_value_var_password_pam_difok" use="legacy"/></html:i></html:code> after pam_cracklib.so to require differing | |
| characters when changing passwords. The DoD requirement is <html:code xmlns:html="http://www.w3.org/1999/xhtml">4</html:code>.</description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(b)</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Requiring a minimum number of different characters during password changes ensures that | |
| a new password does not closely resemble the previous one, so knowledge of a compromised old password gives | |
| an attacker little leverage over the new one. Note that passwords which are changed on compromised systems will still be compromised, however.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-cracklib_accounts_password_pam_difok_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_ocredit" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Strength Minimum Special Characters</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_cracklib module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">ocredit=</html:code> parameter controls requirements for | |
| usage of special (or "other") characters in a password. When set to a negative number, any password will be required to | |
| contain at least that many special characters. When set to a positive number, pam_cracklib will grant +1 additional | |
| length credit toward <html:code xmlns:html="http://www.w3.org/1999/xhtml">minlen</html:code> for each special character, up to that many credits. | |
| Add <html:code xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">ocredit=<sub idref="xccdf_org.ssgproject.content_value_var_password_pam_ocredit" use="legacy"/></html:code> after pam_cracklib.so to require use of a special character in passwords.</description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Requiring a minimum number of special characters makes password guessing attacks | |
| more difficult by ensuring a larger search space.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-cracklib_accounts_password_pam_ocredit_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_dcredit" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Strength Minimum Digit Characters</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_cracklib module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">dcredit</html:code> parameter controls requirements for | |
| usage of digits in a password. When set to a negative number, any password will be required to | |
| contain at least that many digits. When set to a positive number, pam_cracklib will grant +1 additional | |
| length credit toward <html:code xmlns:html="http://www.w3.org/1999/xhtml">minlen</html:code> for each digit, up to that many credits. | |
| Add <html:code xmlns:html="http://www.w3.org/1999/xhtml">dcredit=-1</html:code> after pam_cracklib.so to require use of a digit in passwords.</description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Requiring digits makes password guessing attacks more difficult by ensuring a larger | |
| search space.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-cracklib_accounts_password_pam_dcredit_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_minclass" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Strength Minimum Different Categories</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_cracklib module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">minclass</html:code> parameter sets the minimum number of | |
| different character classes (types of character) that must be present in a password | |
| before it is accepted. For example, setting this value to three (3) requires that | |
| any password contain characters from at least three different categories in order to be | |
| approved. The default value is zero (0), meaning no particular mix of classes is required. There are | |
| four categories available: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml"> | |
| * Upper-case characters | |
| * Lower-case characters | |
| * Digits | |
| * Special characters (for example, punctuation) | |
| </html:pre> | |
| Add <html:code xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">minclass=<html:i><sub idref="xccdf_org.ssgproject.content_value_var_password_pam_minclass" use="legacy"/></html:i></html:code> after the pam_cracklib.so entry in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code> to require characters from <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_minclass" use="legacy"/> different categories | |
| when changing passwords. | |
| For example, to require at least three character classes in a password, use <html:code xmlns:html="http://www.w3.org/1999/xhtml">minclass=3</html:code>.</description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Requiring a minimum number of character categories makes password guessing attacks | |
| more difficult by ensuring a larger search space.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-cracklib_accounts_password_pam_minclass_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_password_quality_pwquality"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Quality Requirements with pam_pwquality</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_pwquality</html:code> PAM module can be configured to meet | |
| requirements for a variety of policies. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| For example, to configure <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_pwquality</html:code> to require at least one uppercase | |
| character, lowercase character, digit, and other (special) | |
| character, make sure that <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_pwquality</html:code> exists in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=</html:pre> | |
| If no such line exists, add one as the first line of the password section in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code>. | |
| Next, modify the settings in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</html:code> to match the following: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">difok = 4 | |
| minlen = 14 | |
| dcredit = -1 | |
| ucredit = -1 | |
| lcredit = -1 | |
| ocredit = -1 | |
| maxrepeat = 3</html:pre> | |
| The arguments can be modified to ensure compliance with | |
| your organization's security policy. Discussion of each parameter follows.</description> | |
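The parameters discussed under the pam_cracklib rules above and the pwquality.conf values just listed all feed one decision: whether a candidate password is accepted. The following Python model is an added example, not code from the scap-security-guide project or from libpwquality; it parses a constructed pwquality.conf fragment and applies the credit arithmetic (a negative credit is a hard minimum count, a positive credit adds up to that many characters of bonus length toward minlen), then minclass, maxrepeat and difok. Two assumptions are labelled in the code: the defaults table follows pwquality.conf(5), and difok is modelled as a Levenshtein edit distance between old and new password (the man page wording is "characters not present in the old password"), so verify both against the module you deploy. The lenient profile at the end shows how positive credits let a 9-character password satisfy minlen = 14.

```python
"""Model of the pam_pwquality / pam_cracklib password checks (added example)."""
from typing import Dict, List

# Constructed pwquality.conf fragment with the values the guide recommends.
# This is sample text written for the example, not a copy of any system's file.
SAMPLE_PWQUALITY_CONF = """\
# /etc/security/pwquality.conf (constructed sample)
difok = 4
minlen = 14
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 3
"""

# Defaults as documented in pwquality.conf(5); an assumption to verify locally.
DEFAULTS = {"difok": 1, "minlen": 8, "dcredit": 0, "ucredit": 0,
            "lcredit": 0, "ocredit": 0, "minclass": 0, "maxrepeat": 0}


def parse_conf(text: str) -> Dict[str, int]:
    """Parse 'key = value' lines; '#' starts a comment, unknown keys are ignored."""
    cfg = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in cfg:
            cfg[key] = int(value)
    return cfg


def class_counts(pw: str) -> Dict[str, int]:
    """Count digits, upper, lower and 'other' characters, keyed by credit name."""
    counts = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for ch in pw:
        if ch.isdigit():
            counts["dcredit"] += 1
        elif ch.isupper():
            counts["ucredit"] += 1
        elif ch.islower():
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def longest_run(pw: str) -> int:
    """Length of the longest run of consecutive identical characters."""
    best, run, prev = 0, 0, None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        best, prev = max(best, run), ch
    return best


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used here to model difok (assumption, see lead-in)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check(pw: str, cfg: Dict[str, int], old: str = "") -> List[str]:
    """Return the names of the settings the candidate password violates ([] = accepted)."""
    failures: List[str] = []
    counts = class_counts(pw)
    credit = 0
    for key, have in counts.items():
        want = cfg[key]
        if want < 0:
            if have < -want:            # negative credit: hard minimum count
                failures.append(key)
        else:
            credit += min(have, want)   # positive credit: bonus length, capped at `want`
    if len(pw) + credit < cfg["minlen"]:
        failures.append("minlen")
    classes_present = sum(1 for have in counts.values() if have)
    if cfg["minclass"] > 0 and classes_present < cfg["minclass"]:
        failures.append("minclass")
    if cfg["maxrepeat"] > 0 and longest_run(pw) > cfg["maxrepeat"]:
        failures.append("maxrepeat")
    # difok only applies when an old password is known; a new password at least
    # twice as long as the old one is accepted regardless of distance.
    if old and edit_distance(old, pw) < cfg["difok"] and len(pw) < 2 * len(old):
        failures.append("difok")
    return failures


if __name__ == "__main__":
    policy = parse_conf(SAMPLE_PWQUALITY_CONF)
    lenient = dict(policy, dcredit=2, ucredit=2, lcredit=2, ocredit=2)
    for candidate in ("Tr0ub4dor&3-Xyz", "password", "Pass1234!"):
        print(f"{candidate!r}: strict={check(candidate, policy)} lenient={check(candidate, lenient)}")
```

The model covers only the structural checks the parameters above describe; it does not perform the dictionary, palindrome and case-change checks that the real modules also run, so a password this model accepts can still be rejected on a live system.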
| <Value id="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">fail_deny</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Number of failed login attempts before account lockout</description> | |
| <value selector="10">10</value> | |
| <value selector="3">3</value> | |
| <value selector="5">5</value> | |
| <value selector="6">6</value> | |
| <value>3</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_password_pam_ucredit" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ucredit</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of upper case in password</description> | |
| <value selector="0">0</value> | |
| <value selector="1">-1</value> | |
| <value selector="2">-2</value> | |
| <value>-1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_password_pam_maxclassrepeat" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">maxclassrepeat</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Maximum Number of Consecutive Repeating Characters in a Password From the Same Character Class</description> | |
| <value selector="1">1</value> | |
| <value selector="2">2</value> | |
| <value selector="3">3</value> | |
| <value selector="4">4</value> | |
| <value>4</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_password_pam_difok" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">difok</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of characters not present in old | |
| password</description> | |
| <value selector="15">15</value> | |
| <value selector="2">2</value> | |
| <value selector="3">3</value> | |
| <value selector="4">4</value> | |
| <value selector="5">5</value> | |
| <value selector="6">6</value> | |
| <value selector="7">7</value> | |
| <value selector="8">8</value> | |
| <value>8</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_password_pam_minclass" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">minclass</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of categories of characters that must exist in a password</description> | |
| <value selector="1">1</value> | |
| <value selector="2">2</value> | |
| <value selector="3">3</value> | |
| <value selector="4">4</value> | |
| <value>3</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_password_pam_dcredit" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">dcredit</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of digits in password</description> | |
| <value selector="0">0</value> | |
| <value selector="1">-1</value> | |
| <value selector="2">-2</value> | |
| <value>-1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_password_pam_lcredit" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">lcredit</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of lower case in password</description> | |
| <value selector="0">0</value> | |
| <value selector="1">-1</value> | |
| <value selector="2">-2</value> | |
| <value>-1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">fail_interval</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Interval for counting failed login attempts before account lockout</description> | |
| <value selector="100000000">100000000</value> | |
| <value selector="1800">1800</value> | |
| <value selector="3600">3600</value> | |
| <value selector="86400">86400</value> | |
| <value selector="900">900</value> | |
| <value>900</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_password_pam_retry" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">retry</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Number of retry attempts before erroring out</description> | |
| <value selector="1">1</value> | |
| <value selector="2">2</value> | |
| <value selector="3">3</value> | |
| <value selector="4">4</value> | |
| <value selector="5">5</value> | |
| <value>3</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_password_pam_minlen" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">minlen</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of characters in password</description> | |
| <value selector="10">10</value> | |
| <value selector="12">12</value> | |
| <value selector="14">14</value> | |
| <value selector="15">15</value> | |
| <value selector="6">6</value> | |
| <value selector="7">7</value> | |
| <value selector="8">8</value> | |
| <value>15</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">maxrepeat</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Maximum Number of Consecutive Repeating Characters in a Password</description> | |
| <value selector="1">1</value> | |
| <value selector="2">2</value> | |
| <value selector="3">3</value> | |
| <value>3</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_password_pam_ocredit" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ocredit</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of other (special characters) in | |
| password</description> | |
| <value selector="0">0</value> | |
| <value selector="1">-1</value> | |
| <value selector="2">-2</value> | |
| <value>-1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">fail_unlock_time</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Seconds before automatic unlocking or permanently locking after excessive failed logins</description> | |
| <value selector="1800">1800</value> | |
| <value selector="3600">3600</value> | |
| <value selector="600">600</value> | |
| <value selector="604800">604800</value> | |
| <value selector="86400">86400</value> | |
| <value selector="900">900</value> | |
| <value>never</value> | |
| <value selector="never">never</value> | |
| </Value> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Strength Minimum Digit Characters</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_pwquality module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">dcredit</html:code> parameter controls requirements for | |
| usage of digits in a password. When set to a negative number, any password will be required to | |
| contain at least that many digits. When set to a positive number, pam_pwquality will grant +1 additional | |
| length credit toward <html:code xmlns:html="http://www.w3.org/1999/xhtml">minlen</html:code> for each digit, up to that many credits. Modify the <html:code xmlns:html="http://www.w3.org/1999/xhtml">dcredit</html:code> setting in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</html:code> to require the use of a digit in passwords.</description> | |
| <reference href="">6.3.2</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000194</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">194</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000071-GPOS-00039</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use of a complex password helps to increase the time and resources required | |
| to compromise the password. Password complexity, or strength, is a measure of | |
| the effectiveness of a password in resisting attempts at guessing and brute-force | |
| attacks. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Password complexity is one factor of several that determines how long it takes | |
| to crack a password. The more complex the password, the greater the number of | |
| possible combinations that need to be tested before the password is compromised. | |
| Requiring digits makes password guessing attacks more difficult by ensuring a larger | |
| search space.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_password_pam_dcredit_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Strength Minimum Uppercase Characters</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_pwquality module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">ucredit=</html:code> parameter controls requirements for | |
| usage of uppercase letters in a password. When set to a negative number, any password will be required to | |
| contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional | |
| length credit for each uppercase character. Modify the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ucredit</html:code> setting in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</html:code> to require the use of an uppercase character in passwords.</description> | |
| <reference href="">6.3.2</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000192</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000069-GPOS-00037</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use of a complex password helps to increase the time and resources required to compromise the password. | |
| Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts | |
| at guessing and brute-force attacks. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Password complexity is one factor of several that determines how long it takes to crack a password. The more | |
| complex the password, the greater the number of possible combinations that need to be tested before | |
| the password is compromised.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_password_pam_ucredit_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Minimum Length</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_pwquality module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">minlen</html:code> parameter controls requirements for | |
| minimum characters required in a password. Add <html:code xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">minlen=<sub idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen" use="legacy"/></html:code> | |
| after pam_pwquality to set minimum password length requirements.</description> | |
| <reference href="">6.3.2</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000205</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000078-GPOS-00046</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The shorter the password, the lower the number of possible combinations | |
| that need to be tested before the password is compromised. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Password complexity, or strength, is a measure of the effectiveness of a | |
| password in resisting attempts at guessing and brute-force attacks. | |
| Password length is one factor of several that helps to determine strength | |
| and how long it takes to crack a password. Use of more characters in a password | |
| helps to exponentially increase the time and/or resources required to | |
| compromise the password.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_password_pam_minlen_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_difok" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Strength Minimum Different Characters</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_pwquality module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">difok</html:code> parameter sets the number of characters | |
| in a password that must not be present in an old password during a password change. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Modify the <html:code xmlns:html="http://www.w3.org/1999/xhtml">difok</html:code> setting in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</html:code> | |
| to equal <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_difok" use="legacy"/> to require differing characters | |
| when changing passwords.</description> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000195</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(b)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000072-GPOS-00040</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use of a complex password helps to increase the time and resources | |
| required to compromise the password. Password complexity, or strength, | |
| is a measure of the effectiveness of a password in resisting attempts | |
| at guessing and brute-force attacks. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Password complexity is one factor of several that determines how long | |
| it takes to crack a password. The more complex the password, the | |
| greater the number of possible combinations that need to be tested | |
| before the password is compromised. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Requiring a minimum number of different characters during password changes ensures that | |
| newly changed passwords should not resemble previously compromised ones. | |
| Note that passwords which are changed on compromised systems will still be compromised, however.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_password_pam_difok_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Strength Minimum Special Characters</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_pwquality module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">ocredit=</html:code> parameter controls requirements for | |
| usage of special (or "other") characters in a password. When set to a negative number, any password will be | |
| required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 | |
| additional length credit for each special character. Modify the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ocredit</html:code> setting in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</html:code> to equal <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_ocredit" use="legacy"/> to require use of a special character in passwords.</description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001619</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000266-GPOS-00101</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use of a complex password helps to increase the time and resources required | |
| to compromise the password. Password complexity, or strength, is a measure of | |
| the effectiveness of a password in resisting attempts at guessing and brute-force | |
| attacks. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Password complexity is one factor of several that determines how long it takes | |
| to crack a password. The more complex the password, the greater the number of | |
| possible combinations that need to be tested before the password is compromised. | |
| Requiring a minimum number of special characters makes password guessing attacks | |
| more difficult by ensuring a larger search space.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_password_pam_ocredit_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Maximum Consecutive Repeating Characters</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_pwquality module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">maxrepeat</html:code> parameter controls requirements for | |
| consecutive repeating characters. When set to a positive number, it will reject passwords | |
| which contain more than that number of consecutive characters. Modify the <html:code xmlns:html="http://www.w3.org/1999/xhtml">maxrepeat</html:code> setting | |
| in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</html:code> to equal <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat" use="legacy"/> to prevent a | |
| run of (<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat" use="legacy"/> + 1) or more identical characters.</description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000195</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000072-GPOS-00040</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use of a complex password helps to increase the time and resources required to compromise the password. | |
| Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at | |
| guessing and brute-force attacks. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Password complexity is one factor of several that determines how long it takes to crack a password. The more | |
| complex the password, the greater the number of possible combinations that need to be tested before the | |
| password is compromised. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_password_pam_maxrepeat_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_retry" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Retry Prompts Permitted Per-Session</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To configure the number of retry prompts that are permitted per-session: | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Edit the <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_pwquality.so</html:code> statement in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code> to | |
| show <html:code xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">retry=<sub idref="xccdf_org.ssgproject.content_value_var_password_pam_retry" use="legacy"/></html:code>, or a lower value if site policy is more restrictive. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The DoD requirement is a maximum of 3 prompts per session.</description> | |
| <reference href="">6.3.2</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.3</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00225</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Setting the password retry prompts that are permitted on a per-session basis to a low value | |
| requires some software, such as SSH, to re-connect. This can slow down and | |
| draw additional attention to some types of password-guessing attacks. Note that this | |
| is different from account lockout, which is provided by the pam_faillock module.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="accounts_password_pam_retry" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="medium" strategy="configure">- name: XCCDF Value var_password_pam_retry # promote to variable | |
| set_fact: | |
| var_password_pam_retry: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_retry" use="legacy"/> | |
| tags: | |
| - always | |
| - name: "Set Password Retry Prompts Permitted Per-Session - system-auth (change)" | |
| replace: | |
| dest: /etc/pam.d/system-auth | |
| follow: yes | |
| regexp: '(^.*\spam_pwquality.so\s.*retry\s*=\s*)(\S+)(.*$)' | |
| replace: '\g<1>{{ var_password_pam_retry }}\g<3>' | |
| tags: | |
| - accounts_password_pam_retry | |
| - unknown_severity | |
| - configure_strategy | |
| - low_complexity | |
| - medium_disruption | |
| - NIST-800-53-CM-6(b) | |
| - NIST-800-53-IA-5(c) | |
| - CJIS-5.5.3 | |
| - name: "Set Password Retry Prompts Permitted Per-Session - system-auth (add)" | |
| replace: | |
| dest: /etc/pam.d/system-auth | |
| follow: yes | |
| regexp: '^.*\spam_pwquality.so\s(?!.*retry\s*=\s*).*$' | |
| replace: '\g<0> retry={{ var_password_pam_retry }}' | |
| tags: | |
| - accounts_password_pam_retry | |
| - unknown_severity | |
| - configure_strategy | |
| - low_complexity | |
| - medium_disruption | |
| - NIST-800-53-CM-6(b) | |
| - NIST-800-53-IA-5(c) | |
| - CJIS-5.5.3 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_password_pam_retry:var:1" value-id="xccdf_org.ssgproject.content_value_var_password_pam_retry"/> | |
| <check-content-ref name="oval:ssg-accounts_password_pam_retry:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_password_pam_retry_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Strength Minimum Different Categories</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_pwquality module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">minclass</html:code> parameter sets the | |
| number of different character classes (types of character) that must be | |
| present in a password before it is considered valid. For example, | |
| setting this value to three (3) requires that any password must have characters | |
| from at least three different categories in order to be approved. The default | |
| value is zero (0), meaning there are no required classes. There are four | |
| categories available: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml"> | |
| * Upper-case characters | |
| * Lower-case characters | |
| * Digits | |
| * Special characters (for example, punctuation) | |
| </html:pre> | |
| Modify the <html:code xmlns:html="http://www.w3.org/1999/xhtml">minclass</html:code> setting in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</html:code> entry to require <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_minclass" use="legacy"/> | |
| differing categories of characters when changing passwords.</description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000195</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000072-GPOS-00040</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use of a complex password helps to increase the time and resources required to compromise the password. | |
| Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts | |
| at guessing and brute-force attacks. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Password complexity is one factor of several that determines how long it takes to crack a password. The | |
| more complex the password, the greater the number of possible combinations that need to be tested before | |
| the password is compromised. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Requiring a minimum number of character categories makes password guessing attacks more difficult | |
| by ensuring a larger search space.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_password_pam_minclass_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Strength Minimum Lowercase Characters</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_pwquality module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">lcredit</html:code> parameter controls requirements for | |
| usage of lowercase letters in a password. When set to a negative number, any password will be required to | |
| contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional | |
| length credit for each lowercase character. Modify the <html:code xmlns:html="http://www.w3.org/1999/xhtml">lcredit</html:code> setting in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</html:code> to require the use of a lowercase character in passwords.</description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000193</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000070-GPOS-00038</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use of a complex password helps to increase the time and resources required | |
| to compromise the password. Password complexity, or strength, is a measure of | |
| the effectiveness of a password in resisting attempts at guessing and brute-force | |
| attacks. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Password complexity is one factor of several that determines how long it takes | |
| to crack a password. The more complex the password, the greater the number of | |
| possible combinations that need to be tested before the password is compromised. | |
| Requiring a minimum number of lowercase characters makes password guessing attacks | |
| more difficult by ensuring a larger search space.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_password_pam_lcredit_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password to Maximum of Consecutive Repeating Characters from Same Character Class</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_pwquality module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">maxclassrepeat</html:code> parameter controls requirements for | |
| consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords | |
| which contain more than that number of consecutive characters from the same character class. Modify the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">maxclassrepeat</html:code> setting in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</html:code> to equal <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_maxclassrepeat" use="legacy"/> | |
| to prevent a run of (<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_maxclassrepeat" use="legacy"/> + 1) or more consecutive characters from the same character class.</description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000195</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000072-GPOS-00040</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use of a complex password helps to increase the time and resources required to compromise the password. | |
| Password complexity, or strength, is a measure of the effectiveness of a password in resisting | |
| attempts at guessing and brute-force attacks. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Password complexity is one factor of several that determines how long it takes to crack a password. The | |
| more complex a password, the greater the number of possible combinations that need to be tested before the | |
| password is compromised.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
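The pam_pwquality semantics these rule descriptions spell out (a negative credit as a required count, a positive credit as length credit, minclass, maxrepeat, maxclassrepeat and difok), modelled offline as an added Python example that is not SCAP Security Guide content; the pwquality.conf text is constructed, the positive-credit cap follows libpwquality rather than the wording above, and the difok check is simplified to the description's wording.

```python
"""Offline model of the pam_pwquality checks described in this group.

Added example, not part of the SCAP Security Guide. Dictionary, palindrome
and similarity checks that the real libpwquality also performs are not
modelled; the difok check follows the rule description's wording.
"""
import re
from typing import Dict, List, Optional

# Constructed sample of /etc/security/pwquality.conf (not taken from a system).
SAMPLE_CONF = """
# minimum effective length (length plus credits)
minlen = 14
# negative credits: at least one character of each class is required
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
# at least four classes; no run of four identical characters;
# no run of five characters from one class
minclass = 4
maxrepeat = 3
maxclassrepeat = 4
# at least eight characters not present in the old password
difok = 8
"""

# Defaults as documented in pwquality.conf(5).
DEFAULTS = {"minlen": 8, "dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0,
            "minclass": 0, "maxrepeat": 0, "maxclassrepeat": 0, "difok": 1}
CREDIT_KEYS = {"digit": "dcredit", "upper": "ucredit",
               "lower": "lcredit", "other": "ocredit"}


def parse_conf(text: str) -> Dict[str, int]:
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"(\w+)\s*=\s*(-?\d+)", line)
        if not m:
            raise ValueError(f"unparseable pwquality.conf line: {raw!r}")
        if m.group(1) in conf:
            conf[m.group(1)] = int(m.group(2))
    return conf


def char_class(c: str) -> str:
    """Map a character to one of the four pwquality classes."""
    if c.isdigit():
        return "digit"
    if c.isupper():
        return "upper"
    if c.islower():
        return "lower"
    return "other"


def longest_run(items) -> int:
    """Length of the longest run of equal consecutive items."""
    best = run = 0
    prev = None
    for item in items:
        run = run + 1 if item == prev else 1
        prev, best = item, max(best, run)
    return best


def check_password(password: str, conf: Dict[str, int],
                   old: Optional[str] = None) -> List[str]:
    """Return the failed checks; an empty list means the password is accepted."""
    failures = []
    counts = {cls: 0 for cls in CREDIT_KEYS}
    for c in password:
        counts[char_class(c)] += 1

    # A negative credit is a required minimum count for that class. A positive
    # credit adds +1 to the effective length per character of that class,
    # capped at the credit value, which is how libpwquality applies it.
    effective_len = len(password)
    for cls, key in CREDIT_KEYS.items():
        credit = conf[key]
        if credit < 0 and counts[cls] < -credit:
            failures.append(f"{key}: at least {-credit} {cls} character(s) required")
        elif credit > 0:
            effective_len += min(counts[cls], credit)
    if effective_len < conf["minlen"]:
        failures.append(f"minlen: effective length {effective_len} < {conf['minlen']}")

    classes = sum(1 for n in counts.values() if n)
    if 0 < conf["minclass"] > classes:
        failures.append(f"minclass: {classes} class(es) < {conf['minclass']}")
    if 0 < conf["maxrepeat"] < longest_run(password):
        failures.append(f"maxrepeat: more than {conf['maxrepeat']} identical characters in a row")
    if 0 < conf["maxclassrepeat"] < longest_run(map(char_class, password)):
        failures.append(f"maxclassrepeat: more than {conf['maxclassrepeat']} same-class characters in a row")
    if old is not None and conf["difok"] > 0:
        # Simplified to the description: count characters of the new password
        # that do not occur anywhere in the old one.
        fresh = sum(1 for c in password if c not in old)
        if fresh < conf["difok"]:
            failures.append(f"difok: only {fresh} character(s) not in the old password < {conf['difok']}")
    return failures
```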
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Hashing Algorithm</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The system's default algorithm for storing password hashes in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/shadow</html:code> is SHA-512. This can be configured in several | |
| locations.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Hashing Algorithm in /etc/libuser.conf</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/libuser.conf</html:code>, add or correct the following line in its | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">[defaults]</html:code> section to ensure the system will use the SHA-512 | |
| algorithm for password hashing: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">crypt_style = sha512</html:pre></description> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.2</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000196</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.1</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000073-GPOS-00041</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Passwords need to be protected at all times, and encryption is the standard method for protecting | |
| passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily | |
| compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they | |
| are kept in plain text. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| This setting ensures user and group account administration utilities are configured to store only | |
| encrypted representations of passwords. Additionally, the <html:code xmlns:html="http://www.w3.org/1999/xhtml">crypt_style</html:code> configuration option | |
| ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="set_password_hashing_algorithm_libuserconf" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: Set Password Hashing Algorithm in /etc/libuser.conf | |
| lineinfile: | |
| dest: /etc/libuser.conf | |
| insertafter: '^\[defaults\]' | |
| regexp: ^#?crypt_style | |
| line: crypt_style = sha512 | |
| state: present | |
| tags: | |
| - set_password_hashing_algorithm_libuserconf | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-IA-5(b) | |
| - NIST-800-53-IA-5(c) | |
| - NIST-800-53-IA-5(1)(c) | |
| - NIST-800-53-IA-7 | |
| - NIST-800-171-3.13.11 | |
| - PCI-DSS-Req-8.2.1 | |
| - CJIS-5.6.2.2 | |
| </fix> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-set_password_hashing_algorithm_libuserconf_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
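An added Python audit for this rule and the following /etc/login.defs rule (example code, not SCAP Security Guide content): it parses constructed libuser.conf, login.defs and shadow-format samples, checks the two required settings, and, going beyond the text, classifies each shadow entry's hash id, because changing the default algorithm does not rehash passwords set before the change.

```python
"""Audit of the password-hashing settings in this group.

Added example, not part of the SCAP Security Guide. Beyond the two settings
the rules name, it classifies the hash id of each shadow-format entry, since
changing crypt_style / ENCRYPT_METHOD only affects passwords set afterwards:
accounts hashed before the change keep their old hash until the next change.
"""
import re
from typing import List, Optional

# Constructed samples; none of these lines come from a real system.
SAMPLE_LIBUSER_CONF = """[defaults]
# crypt_style = des
crypt_style = sha512

[userdefaults]
LU_SHELL = /bin/bash
"""
SAMPLE_LOGIN_DEFS = """# ENCRYPT_METHOD SHA512
ENCRYPT_METHOD MD5
"""
SAMPLE_SHADOW = """root:$6$constructedsalt$constructedhash:18000:0:99999:7:::
alice:$1$cnstrctd$constructedhash:18000:0:99999:7:::
bob:$y$j9T$constructedsalt$constructedhash:18000:0:99999:7:::
svc:!!:18000:0:99999:7:::
legacy:abJnggxhB/yWI:18000:0:99999:7:::
"""

# crypt(3) hash identifiers between the leading '$' signs.
HASH_IDS = {"1": "MD5", "2a": "bcrypt", "2b": "bcrypt", "5": "SHA-256",
            "6": "SHA-512", "7": "scrypt", "y": "yescrypt"}
# What the two rules require. Newer Fedora releases default to yescrypt ($y$);
# add it here if site policy accepts it.
ACCEPTED = {"SHA-512"}


def ini_value(text: str, section: str, key: str) -> Optional[str]:
    """Return key's value inside [section] of an INI-style file such as libuser.conf."""
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == section and "=" in line:
            k, v = (part.strip() for part in line.split("=", 1))
            if k == key:
                return v
    return None


def login_defs_value(text: str, key: str) -> Optional[str]:
    """Return the last active 'KEY value' line of a login.defs-style file."""
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == key:
            value = parts[1]
    return value


def classify_hash(field: str) -> str:
    """Name the algorithm behind a shadow password field."""
    if field == "":
        return "no-password"
    if field.startswith(("!", "*")):
        return "locked"
    m = re.match(r"\$([^$]+)\$", field)
    if m:
        return HASH_IDS.get(m.group(1), "unknown-" + m.group(1))
    return "DES"  # traditional 13-character crypt(3) hash has no '$' prefix


def audit(libuser_conf: str, login_defs: str, shadow: str) -> List[str]:
    """Return findings; an empty list means everything matches the rules."""
    findings = []
    style = ini_value(libuser_conf, "defaults", "crypt_style")
    if (style or "").lower() != "sha512":
        findings.append(f"libuser.conf: crypt_style is {style!r}, expected 'sha512'")
    method = login_defs_value(login_defs, "ENCRYPT_METHOD")
    if (method or "").upper() != "SHA512":
        findings.append(f"login.defs: ENCRYPT_METHOD is {method!r}, expected 'SHA512'")
    for raw in shadow.splitlines():
        if not raw.strip():
            continue
        user, field = raw.split(":", 2)[:2]
        kind = classify_hash(field)
        # Locked accounts have no hash to assess; everything else must be SHA-512.
        if kind != "locked" and kind not in ACCEPTED:
            findings.append(f"shadow: {user} still uses {kind}")
    return findings
```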
| <Rule id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Hashing Algorithm in /etc/login.defs</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/login.defs</html:code>, add or correct the following line to ensure | |
| the system will use SHA-512 as the hashing algorithm: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">ENCRYPT_METHOD SHA512</html:pre></description> | |
| <reference href="">6.3.1</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.2</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000196</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.1</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000073-GPOS-00041</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. | |
| If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords | |
| that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Using a stronger hashing algorithm makes password cracking attacks more difficult.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="set_password_hashing_algorithm_logindefs" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: Set Password Hashing Algorithm in /etc/login.defs | |
| lineinfile: | |
| dest: /etc/login.defs | |
| regexp: ^#?ENCRYPT_METHOD | |
| line: ENCRYPT_METHOD SHA512 | |
| state: present | |
| tags: | |
| - set_password_hashing_algorithm_logindefs | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-IA-5(b) | |
| - NIST-800-53-IA-5(c) | |
| - NIST-800-53-IA-5(1)(c) | |
| - NIST-800-53-IA-7 | |
| - NIST-800-171-3.13.11 | |
| - PCI-DSS-Req-8.2.1 | |
| - CJIS-5.6.2.2 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-set_password_hashing_algorithm_logindefs:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set PAM's Password Hashing Algorithm</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The PAM system service can be configured to only store encrypted representations of passwords. | |
| In <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code>, the <html:code xmlns:html="http://www.w3.org/1999/xhtml">password</html:code> section of the file controls | |
| which PAM modules execute during a password change. Set the <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_unix.so</html:code> | |
| module in the <html:code xmlns:html="http://www.w3.org/1999/xhtml">password</html:code> section to include the argument <html:code xmlns:html="http://www.w3.org/1999/xhtml">sha512</html:code>, as shown below: | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">password sufficient pam_unix.so sha512 <html:i>other arguments...</html:i></html:pre> | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| This will help ensure that when local users change their passwords, hashes for the new | |
| passwords will be generated using the SHA-512 algorithm. This is the default.</description> | |
| <reference href="">6.3.1</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.2</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000196</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.1</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000073-GPOS-00041</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Passwords need to be protected at all times, and encryption is the standard method for protecting | |
| passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily | |
| compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they | |
| are kept in plain text. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| This setting ensures user and group account administration utilities are configured to store only | |
| encrypted representations of passwords. Additionally, the <html:code xmlns:html="http://www.w3.org/1999/xhtml">crypt_style</html:code> configuration option | |
| ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-set_password_hashing_algorithm_systemauth_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_locking_out_password_attempts"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Lockouts for Failed Password Attempts</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_faillock</html:code> PAM module provides the capability to | |
| lock out user accounts after a number of failed login attempts. Its | |
| documentation is available in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/usr/share/doc/pam-VERSION/txts/README.pam_faillock</html:code>. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/></description> | |
| <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Locking out user accounts presents the | |
| risk of a denial-of-service attack. The lockout policy | |
| must weigh whether the risk of such a | |
| denial-of-service attack outweighs the benefits of thwarting | |
| password guessing attacks.</warning> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Deny For Failed Password Attempts</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To configure the system to lock out accounts after a number of incorrect login | |
| attempts using <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_faillock.so</html:code>, modify the content of both | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/password-auth</html:code> as follows: | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| <html:ul xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2"><html:li> add the following line immediately <html:code>before</html:code> the <html:code>pam_unix.so</html:code> statement in the <html:code>AUTH</html:code> section: | |
| <html:pre>auth required pam_faillock.so preauth silent deny=<sub idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" use="legacy"/> unlock_time=<sub idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" use="legacy"/> fail_interval=<sub idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" use="legacy"/></html:pre></html:li><html:li> add the following line immediately <html:code>after</html:code> the <html:code>pam_unix.so</html:code> statement in the <html:code>AUTH</html:code> section: | |
| <html:pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" use="legacy"/> unlock_time=<sub idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" use="legacy"/> fail_interval=<sub idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" use="legacy"/></html:pre></html:li><html:li> add the following line immediately <html:code>before</html:code> the <html:code>pam_unix.so</html:code> statement in the <html:code>ACCOUNT</html:code> section: | |
| <html:pre>account required pam_faillock.so</html:pre></html:li></html:ul></description> | |
| <reference href="">5.3.2</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.3</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.8</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002238</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.6</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000329-GPOS-00128</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000021-GPOS-00005</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Locking out user accounts after a number of incorrect attempts | |
| prevents direct password guessing attacks.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="accounts_passwords_pam_faillock_deny" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: XCCDF Value var_accounts_passwords_pam_faillock_deny # promote to variable | |
| set_fact: | |
| var_accounts_passwords_pam_faillock_deny: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" use="legacy"/> | |
| tags: | |
| - always | |
| - name: XCCDF Value var_accounts_passwords_pam_faillock_unlock_time # promote to variable | |
| set_fact: | |
| var_accounts_passwords_pam_faillock_unlock_time: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" use="legacy"/> | |
| tags: | |
| - always | |
| - name: XCCDF Value var_accounts_passwords_pam_faillock_fail_interval # promote to variable | |
| set_fact: | |
| var_accounts_passwords_pam_faillock_fail_interval: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" use="legacy"/> | |
| tags: | |
| - always | |
| - name: set auth pam_faillock before pam_unix.so | |
| pamd: | |
| name: system-auth | |
| type: auth | |
| control: sufficient | |
| module_path: pam_unix.so | |
| new_type: auth | |
| new_control: required | |
| new_module_path: pam_faillock.so | |
| module_arguments: 'preauth | |
| silent | |
| deny={{ var_accounts_passwords_pam_faillock_deny }} | |
| unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} | |
| fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}' | |
| state: before | |
| tags: | |
| - accounts_passwords_pam_faillock_deny | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-7(b) | |
| - NIST-800-171-3.1.8 | |
| - PCI-DSS-Req-8.1.6 | |
| - CJIS-5.5.3 | |
| - name: set auth pam_faillock after pam_unix.so | |
| pamd: | |
| name: system-auth | |
| type: auth | |
| control: sufficient | |
| module_path: pam_unix.so | |
| new_type: auth | |
| new_control: '[default=die]' | |
| new_module_path: pam_faillock.so | |
| module_arguments: 'authfail | |
| deny={{ var_accounts_passwords_pam_faillock_deny }} | |
| unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} | |
| fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}' | |
| state: after | |
| tags: | |
| - accounts_passwords_pam_faillock_deny | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-7(b) | |
| - NIST-800-171-3.1.8 | |
| - PCI-DSS-Req-8.1.6 | |
| - CJIS-5.5.3 | |
| - name: set account pam_faillock before pam_unix.so | |
| pamd: | |
| name: system-auth | |
| type: account | |
| control: required | |
| module_path: pam_unix.so | |
| new_type: account | |
| new_control: required | |
| new_module_path: pam_faillock.so | |
| state: before | |
| tags: | |
| - accounts_passwords_pam_faillock_deny | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-7(b) | |
| - NIST-800-171-3.1.8 | |
| - PCI-DSS-Req-8.1.6 | |
| - CJIS-5.5.3 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_accounts_passwords_pam_faillock_deny:var:1" value-id="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny"/> | |
| <check-content-ref name="oval:ssg-accounts_passwords_pam_faillock_deny:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_passwords_pam_faillock_deny_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Limit Password Reuse</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Do not allow users to reuse recent passwords. This can be | |
| accomplished by using the <html:code xmlns:html="http://www.w3.org/1999/xhtml">remember</html:code> option for the <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_unix</html:code> | |
| or <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_pwhistory</html:code> PAM modules. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| In the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code>, append <html:code xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">remember=<sub idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" use="legacy"/></html:code> | |
| to the line which refers to the <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_unix.so</html:code> or <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_pwhistory.so</html:code> module, as shown below: | |
| <html:ul xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2"><html:li>for the <html:code>pam_unix.so</html:code> case: | |
| <html:pre>password sufficient pam_unix.so <html:i>...existing_options...</html:i> remember=<sub idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" use="legacy"/></html:pre> | |
| </html:li><html:li>for the <html:code>pam_pwhistory.so</html:code> case: | |
| <html:pre>password requisite pam_pwhistory.so <html:i>...existing_options...</html:i> remember=<sub idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" use="legacy"/></html:pre> | |
| </html:li></html:ul> | |
| The DoD STIG requirement is 5 passwords.</description> | |
| <reference href="">5.3.3</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.8</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000200</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(e)</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.5</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000077-GPOS-00045</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="accounts_password_pam_unix_remember" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="medium" strategy="configure">- name: XCCDF Value var_password_pam_unix_remember # promote to variable | |
| set_fact: | |
| var_password_pam_unix_remember: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" use="legacy"/> | |
| tags: | |
| - always | |
| - name: "Do not allow users to reuse recent passwords - system-auth (change)" | |
| replace: | |
| dest: /etc/pam.d/system-auth | |
| follow: yes | |
| regexp: '^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$' | |
| replace: '\g<1>{{ var_password_pam_unix_remember }}\g<3>' | |
| tags: | |
| - accounts_password_pam_unix_remember | |
| - medium_severity | |
| - configure_strategy | |
| - low_complexity | |
| - medium_disruption | |
| - NIST-800-53-IA-5(f) | |
| - NIST-800-53-IA-5(1)(e) | |
| - NIST-800-171-3.5.8 | |
| - PCI-DSS-Req-8.2.5 | |
| - CJIS-5.6.2.1.1 | |
| - name: "Do not allow users to reuse recent passwords - system-auth (add)" | |
| replace: | |
| dest: /etc/pam.d/system-auth | |
| follow: yes | |
| regexp: '^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$' | |
| replace: '\g<0> remember={{ var_password_pam_unix_remember }}' | |
| tags: | |
| - accounts_password_pam_unix_remember | |
| - medium_severity | |
| - configure_strategy | |
| - low_complexity | |
| - medium_disruption | |
| - NIST-800-53-IA-5(f) | |
| - NIST-800-53-IA-5(1)(e) | |
| - NIST-800-171-3.5.8 | |
| - PCI-DSS-Req-8.2.5 | |
| - CJIS-5.6.2.1.1 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_password_pam_unix_remember:var:1" value-id="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember"/> | |
| <check-content-ref name="oval:ssg-accounts_password_pam_unix_remember:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_password_pam_unix_remember_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Interval For Counting Failed Password Attempts</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Utilizing <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_faillock.so</html:code>, the <html:code xmlns:html="http://www.w3.org/1999/xhtml">fail_interval</html:code> directive | |
| configures the system to lock out accounts after a number of incorrect login | |
| attempts within a specified time period. Modify the content of both | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/password-auth</html:code> as follows: | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| <html:ul xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2"><html:li>Add the following line immediately <html:code>before</html:code> the <html:code>pam_unix.so</html:code> statement in the <html:code>AUTH</html:code> section: | |
| <html:pre>auth required pam_faillock.so preauth silent deny=<sub idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" use="legacy"/> unlock_time=<sub idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" use="legacy"/> fail_interval=<sub idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" use="legacy"/></html:pre></html:li><html:li>Add the following line immediately <html:code>after</html:code> the <html:code>pam_unix.so</html:code> statement in the <html:code>AUTH</html:code> section: | |
| <html:pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" use="legacy"/> unlock_time=<sub idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" use="legacy"/> fail_interval=<sub idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" use="legacy"/></html:pre></html:li><html:li>Add the following line immediately <html:code>before</html:code> the <html:code>pam_unix.so</html:code> statement in the <html:code>ACCOUNT</html:code> section: | |
| <html:pre>account required pam_faillock.so</html:pre></html:li></html:ul></description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002238</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000329-GPOS-00128</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000021-GPOS-00005</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By limiting the number of failed logon attempts, the risk of unauthorized system | |
| access via user password guessing, otherwise known as brute-forcing, is reduced. | |
| Limits are imposed by locking the account.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_passwords_pam_faillock_interval_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Lockout Time For Failed Password Attempts</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To configure the system to lock out accounts after a number of incorrect login | |
| attempts and require an administrator to unlock the account using <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_faillock.so</html:code>, | |
| modify the content of both <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/password-auth</html:code> as follows: | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| <html:ul xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2"><html:li> add the following line immediately <html:code>before</html:code> the <html:code>pam_unix.so</html:code> statement in the <html:code>AUTH</html:code> section: | |
| <html:pre>auth required pam_faillock.so preauth silent deny=<sub idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" use="legacy"/> unlock_time=<sub idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" use="legacy"/> fail_interval=<sub idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" use="legacy"/></html:pre></html:li><html:li> add the following line immediately <html:code>after</html:code> the <html:code>pam_unix.so</html:code> statement in the <html:code>AUTH</html:code> section: | |
| <html:pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" use="legacy"/> unlock_time=<sub idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" use="legacy"/> fail_interval=<sub idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" use="legacy"/></html:pre></html:li><html:li> add the following line immediately <html:code>before</html:code> the <html:code>pam_unix.so</html:code> statement in the <html:code>ACCOUNT</html:code> section: | |
| <html:pre>account required pam_faillock.so</html:pre></html:li></html:ul></description> | |
| <reference href="">5.3.2</reference> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.3</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.8</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002238</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.7</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000329-GPOS-00128</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000021-GPOS-00005</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Locking out user accounts after a number of incorrect attempts | |
| prevents direct password guessing attacks. Ensuring that an administrator is | |
| involved in unlocking locked accounts draws appropriate attention to such | |
| situations.</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_accounts_passwords_pam_faillock_unlock_time:var:1" value-id="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time"/> | |
| <check-content-ref name="oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_passwords_pam_faillock_unlock_time_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Rule id="xccdf_org.ssgproject.content_rule_display_login_attempts" selected="false" severity="low"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Last Logon/Access Notification</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To configure the system to notify users of last logon/access | |
| using <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_lastlog</html:code>, add or correct the <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_lastlog</html:code> settings in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/postlogin</html:code> to read as follows: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet | |
| session [default=1] pam_lastlog.so nowtmp showfailed | |
| session optional pam_lastlog.so silent noupdate showfailed</html:pre></description> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-9</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.4</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Users need to be aware of activity that occurs regarding | |
| their account. Providing users with information regarding the number | |
| of unsuccessful attempts that were made to login to their account | |
| allows the user to determine if any unauthorized activity has occurred | |
| and gives them an opportunity to notify administrators.</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-display_login_attempts:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-display_login_attempts_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_accounts-restrictions"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Protect Accounts by Restricting Password-Based Login</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Conventionally, Unix shell accounts are accessed by | |
| providing a username and password to a login program, which tests | |
| these values for correctness using the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/passwd</html:code> and | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/shadow</html:code> files. Password-based login is vulnerable to | |
| guessing of weak passwords, and to sniffing and man-in-the-middle | |
| attacks against passwords entered over a network or at an insecure | |
| console. Therefore, mechanisms for accessing accounts by entering | |
| usernames and passwords should be restricted to those which are | |
| operationally necessary.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_root_logins"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict Root Logins</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Direct root logins should be allowed only for emergency use. | |
| In normal situations, the administrator should access the system | |
| via a unique unprivileged account, and then use <html:code xmlns:html="http://www.w3.org/1999/xhtml">su</html:code> or <html:code xmlns:html="http://www.w3.org/1999/xhtml">sudo</html:code> to execute | |
| privileged commands. Discouraging administrators from accessing the | |
| root account directly ensures an audit trail in organizations with | |
| multiple administrators. Locking down the channels through which | |
| root can connect directly also reduces opportunities for | |
| password-guessing against the root account. The <html:code xmlns:html="http://www.w3.org/1999/xhtml">login</html:code> program | |
| uses the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/securetty</html:code> to determine which interfaces | |
| should allow root logins. | |
| The virtual devices <html:code xmlns:html="http://www.w3.org/1999/xhtml">/dev/console</html:code> | |
| and <html:code xmlns:html="http://www.w3.org/1999/xhtml">/dev/tty*</html:code> represent the system consoles (accessible via | |
| the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default | |
| installation). The default securetty file also contains <html:code xmlns:html="http://www.w3.org/1999/xhtml">/dev/vc/*</html:code>. | |
| These are likely to be deprecated in most environments, but may be retained | |
| for compatibility. Root should also be prohibited from connecting | |
| via network protocols. Other sections of this document | |
| include guidance describing how to prevent root from logging in via SSH.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_restrict_serial_port_logins" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict Serial Port Root Logins</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To restrict root logins on serial ports, | |
| ensure lines of this form do not appear in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/securetty</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">ttyS0 | |
| ttyS1</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000770</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(2)</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Preventing direct root login to serial port interfaces | |
| helps ensure accountability for actions taken on the systems | |
| using the root account.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="restrict_serial_port_logins" system="urn:xccdf:fix:script:sh">sed -i '/ttyS/d' /etc/securetty | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="restrict_serial_port_logins" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: "Restrict Serial Port Root Logins" | |
| lineinfile: | |
| dest: /etc/securetty | |
| regexp: 'ttyS[0-9]' | |
| state: absent | |
| tags: | |
| - restrict_serial_port_logins | |
| - unknown_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-6(2) | |
| - NIST-800-171-3.1.1 | |
| - NIST-800-171-3.1.5 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-restrict_serial_port_logins:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-restrict_serial_port_logins_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure that System Accounts Do Not Run a Shell Upon Login</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Some accounts are not associated with a human user of the system, and exist to | |
| perform some administrative function. Should an attacker be able to log into | |
| these accounts, they should not be granted access to a shell. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The login shell for each local account is stored in the last field of each line | |
| in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/passwd</html:code>. System accounts are those user accounts with a user ID | |
| less than UID_MIN, where the value of the UID_MIN directive is set in the | |
| /etc/login.defs configuration file. In the default configuration UID_MIN is set | |
| to 1000, thus system accounts are those user accounts with a user ID less than | |
| 1000. The user ID is stored in the third field. If any system account | |
| <html:i xmlns:html="http://www.w3.org/1999/xhtml">SYSACCT</html:i> (other than root) has a login shell, disable it with the | |
| command: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo usermod -s /sbin/nologin <html:i>SYSACCT</html:i></html:pre></description> | |
| <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="functionality">Do not perform the steps in this section on the root account. Doing so might | |
| cause the system to become inaccessible.</warning> | |
| <reference href="">5.4.2</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensuring shells are not given to system accounts upon login makes it more | |
| difficult for attackers to make use of system accounts.</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-no_shelllogin_for_systemaccounts:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_root_path_default" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Root Path Must Be Vendor Default</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Assuming the root shell is bash, edit the following files: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">~/.profile</html:pre> | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">~/.bashrc</html:pre> | |
| Change any <html:code xmlns:html="http://www.w3.org/1999/xhtml">PATH</html:code> variables to the vendor default for root and remove any | |
| empty <html:code xmlns:html="http://www.w3.org/1999/xhtml">PATH</html:code> entries or references to relative paths.</description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The root account's executable search path must be the vendor default, and must | |
| contain only absolute paths.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-root_path_default_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" selected="false" severity="high"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Only Root Has UID 0</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If any account other than root has a UID of 0, this misconfiguration should | |
| be investigated and the accounts other than root should be removed or | |
| have their UID changed. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| If the account is associated with system commands or applications, the UID should be changed | |
| to one greater than 0 but less than 1000. Otherwise, assign a UID greater than 1000 that | |
| has not already been assigned.</description> | |
| <reference href="">6.2.5</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-4</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">An account has root authority if it has a UID of 0. Multiple accounts | |
| with a UID of 0 afford more opportunity for potential intruders to | |
| guess a password for a privileged account. Proper configuration of | |
| sudo is recommended to afford multiple system administrators | |
| access to root privileges in an accountable manner.</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-accounts_no_uid_except_zero:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_no_uid_except_zero_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_securetty_root_login_console_only" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict Virtual Console Root Logins</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To restrict root logins through the (deprecated) virtual console devices, | |
| ensure lines of this form do not appear in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/securetty</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">vc/1 | |
| vc/2 | |
| vc/3 | |
| vc/4</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000770</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(2)</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Preventing direct root login to virtual console devices | |
| helps ensure accountability for actions taken on the system | |
| using the root account.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="securetty_root_login_console_only" system="urn:xccdf:fix:script:sh">sed -i '/^vc\//d' /etc/securetty | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="securetty_root_login_console_only" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: "Restrict Virtual Console Root Logins" | |
| lineinfile: | |
| dest: /etc/securetty | |
| regexp: '^vc' | |
| state: absent | |
| tags: | |
| - securetty_root_login_console_only | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-6(2) | |
| - NIST-800-171-3.1.1 | |
| - NIST-800-171-3.1.5 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-securetty_root_login_console_only:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-securetty_root_login_console_only_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_no_password_auth_for_systemaccounts" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure that System Accounts Are Locked</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Some accounts are not associated with a human user of the system, and exist to | |
| perform some administrative function. An attacker should not be able to log into | |
| these accounts. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| System accounts are those user accounts with a user ID | |
| less than UID_MIN, where the value of the UID_MIN directive is set in the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/login.defs</html:code> configuration file. In the default configuration UID_MIN is set | |
| to 500, thus system accounts are those user accounts with a user ID less than | |
| 500. If any system account <html:i xmlns:html="http://www.w3.org/1999/xhtml">SYSACCT</html:i> (other than root) has an unlocked password, | |
| disable it with the command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo passwd -l <html:i>SYSACCT</html:i></html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disabling authentication for default system accounts makes it more difficult | |
| for attackers to make use of them to compromise a system.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-no_password_auth_for_systemaccounts_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_no_direct_root_logins" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Direct root Logins Not Allowed</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To further limit access to the <html:code xmlns:html="http://www.w3.org/1999/xhtml">root</html:code> account, administrators | |
| can disable root logins at the console by editing the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/securetty</html:code> file. | |
| This file lists all devices the root user is allowed to log in to. If the file does | |
| not exist at all, the root user can log in through any communication device on the | |
| system, whether via the console or via a raw network interface. This is dangerous, | |
| as a user could log in to the system as root via Telnet, which sends the password in | |
| plain text over the network. By default, Red Hat Enterprise Linux's | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/securetty</html:code> file only allows the root user to log in at the console | |
| physically attached to the system. To prevent direct root logins, remove the | |
| contents of this file by typing the following command (the redirection must run | |
| under sudo, because the invoking shell would otherwise apply it with the user's own | |
| privileges): | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml"> | |
| $ sudo sh -c 'echo > /etc/securetty' | |
| </html:pre></description> | |
| <reference href="">5.5</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.6</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disabling direct root logins ensures proper accountability and multifactor | |
| authentication to privileged accounts. Users will first log in, then escalate | |
| to privileged (root) access via su / sudo. This is required for FISMA Low | |
| and FISMA Moderate systems.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="no_direct_root_logins" system="urn:xccdf:fix:script:sh">echo > /etc/securetty | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="no_direct_root_logins" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: "Direct root Logins Not Allowed" | |
| shell: echo > /etc/securetty | |
| tags: | |
| - no_direct_root_logins | |
| - medium_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-IA-2(1) | |
| - NIST-800-171-3.1.1 | |
| - NIST-800-171-3.1.6 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-no_direct_root_logins:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-no_direct_root_logins_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
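The three securetty rules above (serial ports, deprecated virtual consoles, and the empty-file rule) can be checked with one audit. The script below is an added example, not SSG content; it takes the file path as an argument so it can run against a copy or a constructed sample, and it assumes GNU sed as shipped on Fedora for the in-place edits.

```shell
#!/bin/sh
# Added example (not SSG content): audit an /etc/securetty file against the
# restrict_serial_port_logins, securetty_root_login_console_only and
# no_direct_root_logins rules. Assumes GNU sed for the -i edits.

# audit_securetty FILE
# Prints one finding per active entry, tagged with the rule it violates.
# Prints nothing when the file exists and has no active entries, which is
# the state the no_direct_root_logins fix leaves behind.
audit_securetty() {
    file="$1"
    if [ ! -e "$file" ]; then
        # No file at all: login(1) then allows root on every device.
        echo "MISSING: $file absent, root may log in through any device (no_direct_root_logins)"
        return 0
    fi
    # Drop comments and surrounding whitespace, then classify each entry.
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" | awk '
        $0 == "" { next }
        /^ttyS[0-9]+$/ {
            print "SERIAL: " $0 " permits root login on a serial port (restrict_serial_port_logins)"; next
        }
        /^vc\/[0-9]+$/ {
            print "VCONSOLE: " $0 " permits root login on a deprecated virtual console (securetty_root_login_console_only)"; next
        }
        { print "ENTRY: " $0 " permits direct root login (no_direct_root_logins)" }
    '
}

# securetty_is_compliant FILE
# Succeeds only under the strictest rule: file present and no active entries.
securetty_is_compliant() {
    [ -z "$(audit_securetty "$1")" ]
}

# apply_securetty_fixes FILE
# Applies the two narrower sh fixes from the rules above (serial ports and
# vc/* consoles) to FILE. console and tty* entries survive them, so the
# strict audit still reports those as ENTRY findings afterwards.
apply_securetty_fixes() {
    sed -i '/ttyS/d' "$1"
    sed -i '/^vc\//d' "$1"
}

# Stand-alone use: sh securetty_audit.sh /etc/securetty
if [ "$#" -gt 0 ]; then
    audit_securetty "$1"
fi
```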
| <Rule id="xccdf_org.ssgproject.content_rule_no_root_webbrowsing" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict Web Browser Use for Administrative Accounts</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enforce policy requiring administrative accounts use web browsers only for | |
| local service administration.</description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If a browser vulnerability is exploited while running with administrative privileges, | |
| the entire system could be compromised. Specific exceptions for local service | |
| administration should be documented in site-defined policy.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-no_root_webbrowsing_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_password_storage"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Proper Storage and Existence of Password | |
| Hashes</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, password hashes for local accounts are stored | |
| in the second field (colon-separated) in | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/shadow</html:code>. This file should be readable only by | |
| processes running with root credentials, preventing users from | |
| casually accessing others' password hashes and attempting | |
| to crack them. | |
| However, it remains possible to misconfigure the system | |
| and store password hashes | |
| in world-readable files such as <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/passwd</html:code>, or | |
| to even store passwords themselves in plaintext on the system. | |
| Using system-provided tools for password change/creation | |
| should allow administrators to avoid such misconfiguration.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_no_netrc_files" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify No netrc Files Exist</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">.netrc</html:code> files contain login information | |
| used to log in automatically to FTP servers and reside in the user's home | |
| directory. These files may contain unencrypted passwords to | |
| remote FTP servers, making them susceptible to access by unauthorized | |
| users, and should not be used. Any <html:code xmlns:html="http://www.w3.org/1999/xhtml">.netrc</html:code> files should be removed.</description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000196</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(h)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unencrypted passwords for remote FTP servers may be stored in <html:code xmlns:html="http://www.w3.org/1999/xhtml">.netrc</html:code> | |
| files. DoD policy requires passwords be encrypted in storage and not used | |
| in access scripts.</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-no_netrc_files:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-no_netrc_files_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_gid_passwd_group_same" selected="false" severity="low"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">All GIDs referenced in /etc/passwd must be defined in /etc/group</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add a group to the system for each GID referenced without a corresponding group.</description> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000764</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.5.a</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000104-GPOS-00051</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group | |
| with the Group Identifier (GID) is subsequently created, the user may have unintended rights to | |
| any files associated with the group.</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-gid_passwd_group_same:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-gid_passwd_group_same_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify All Account Password Hashes are Shadowed</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If any password hashes are stored in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/passwd</html:code> (in the second field, | |
| instead of an <html:code xmlns:html="http://www.w3.org/1999/xhtml">x</html:code> or <html:code xmlns:html="http://www.w3.org/1999/xhtml">*</html:code>), the cause of this misconfiguration should be | |
| investigated. The account should have its password reset and the hash should be | |
| properly stored, or the account should be deleted entirely.</description> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.10</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(h)</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.1</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The hashes for all user account passwords should be stored in | |
| the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/shadow</html:code> and never in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/passwd</html:code>, | |
| which is readable by all users.</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-accounts_password_all_shadowed:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_password_all_shadowed_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
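The account-database rules above (only root has UID 0, system accounts get no shell and a locked password, every GID in /etc/passwd exists in /etc/group, no hash or empty password sits in /etc/passwd or /etc/shadow) all reduce to field checks over the same three files. The script below is an added audit example, not SSG content; it takes file paths as arguments so it can run against constructed samples, reads UID_MIN from login.defs as the descriptions specify, and assumes that the nologin and false shells listed in its header are the only acceptable shells for a system account (the guide itself names only /sbin/nologin).

```shell
#!/bin/sh
# Added example (not SSG content): audit copies of the local account
# databases against the passwd/shadow/group rules. Assumption: the four
# shells in ok_shell below are the only acceptable system-account shells.

# uid_min_from_login_defs LOGIN_DEFS
# Echoes the UID_MIN value, or the documented default of 1000 when unset.
uid_min_from_login_defs() {
    if [ -r "$1" ]; then
        awk '$1 == "UID_MIN" { v = $2 } END { print (v == "" ? 1000 : v) }' "$1"
    else
        echo 1000
    fi
}

# audit_passwd PASSWD GROUP UID_MIN
# One finding per line, tagged with the rule id it belongs to. Prints
# nothing when PASSWD is consistent with GROUP and the rules.
audit_passwd() {
    awk -F: -v uid_min="$3" '
        BEGIN {
            ok_shell["/sbin/nologin"] = 1; ok_shell["/usr/sbin/nologin"] = 1
            ok_shell["/bin/false"] = 1;    ok_shell["/usr/bin/false"] = 1
        }
        FNR == NR { known_gid[$3] = 1; next }      # first file is GROUP
        /^[[:space:]]*$/ || /^#/ { next }
        NF < 7 { print "MALFORMED: " FILENAME " line " FNR " has " NF " fields"; next }
        {
            name = $1; pw = $2; uid = $3 + 0; gid = $4; shell = $7
            if (uid == 0 && name != "root")
                print "UID0: " name " has UID 0 (accounts_no_uid_except_zero)"
            if (pw != "x" && pw != "*") {
                what = (pw == "" ? "an empty password" : "a password hash")
                print "HASH: " name " keeps " what " in /etc/passwd (accounts_password_all_shadowed)"
            }
            if (!(gid in known_gid))
                print "GID: " name " references undefined GID " gid " (gid_passwd_group_same)"
            if (uid < uid_min && name != "root" && !(shell in ok_shell))
                print "SHELL: " name " (UID " uid ") has login shell " shell " (no_shelllogin_for_systemaccounts)"
        }
    ' "$2" "$1"
}

# audit_shadow SHADOW PASSWD UID_MIN
# Reports any account with an empty password field, and every system account
# whose password is neither locked ("!" prefix, as passwd -l sets) nor "*".
audit_shadow() {
    awk -F: -v uid_min="$3" '
        FNR == NR { uid[$1] = $3 + 0; next }       # first file is PASSWD
        /^[[:space:]]*$/ || /^#/ { next }
        {
            name = $1; hash = $2
            if (hash == "") {
                print "EMPTY: " name " has an empty password (no_empty_passwords)"; next
            }
            first = substr(hash, 1, 1)
            if (first != "!" && first != "*" && name != "root" && (name in uid) && uid[name] < uid_min)
                print "UNLOCKED: " name " (UID " uid[name] ") is a system account with a usable password (no_password_auth_for_systemaccounts)"
        }
    ' "$2" "$1"
}

# audit_accounts PASSWD SHADOW GROUP LOGIN_DEFS
# Runs both audits with UID_MIN read from LOGIN_DEFS. Exit status is 1 when
# any finding was printed, so the function can gate a build or config check.
audit_accounts() {
    uid_min=$(uid_min_from_login_defs "$4")
    findings=$(audit_passwd "$1" "$3" "$uid_min"; audit_shadow "$2" "$1" "$uid_min")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh account_audit.sh /etc/passwd /etc/shadow /etc/group /etc/login.defs
if [ "$#" -eq 4 ]; then
    audit_accounts "$@"
fi
```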
<Rule id="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="false" severity="high">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Prevent Log In to Accounts With Empty Password</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">nullok</html:code>
option in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code> to
prevent logins with empty passwords.</description>
<reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference>
<reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</reference>
<reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</reference>
<reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</reference>
<reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</reference>
<reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</reference>
<reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</reference>
<reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</reference>
<reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference>
<reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</reference>
<reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</reference>
<reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</reference>
<reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</reference>
<reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference>
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational environments.</rationale>
<fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="no_empty_passwords" system="urn:xccdf:fix:script:sh">sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/system-auth
sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/password-auth
</fix>
<fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="no_empty_passwords" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="medium" strategy="configure">- name: "Prevent Log In to Accounts With Empty Password - system-auth"
  replace:
    dest: /etc/pam.d/system-auth
    follow: yes
    regexp: 'nullok'
  tags:
    - no_empty_passwords
    - high_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - NIST-800-53-AC-6
    - NIST-800-53-IA-5(b)
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - PCI-DSS-Req-8.2.3
    - CJIS-5.5.2
- name: "Prevent Log In to Accounts With Empty Password - password-auth"
  replace:
    dest: /etc/pam.d/password-auth
    follow: yes
    regexp: 'nullok'
  tags:
    - no_empty_passwords
    - high_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - NIST-800-53-AC-6
    - NIST-800-53-IA-5(b)
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - PCI-DSS-Req-8.2.3
    - CJIS-5.5.2
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg-no_empty_passwords:def:1" href="ssg-fedora-oval.xml"/>
</check>
<check system="http://scap.nist.gov/schema/ocil/2">
<check-content-ref name="ocil:ssg-no_empty_passwords_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_account_expiration">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Account Expiration Parameters</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Accounts can be configured to be automatically disabled
after a certain time period,
meaning that they will require administrator interaction to become usable again.
Expiration of accounts after inactivity can be set for all accounts by default
and also on a per-account basis, such as for accounts that are known to be temporary.
To configure automatic expiration of an account following
the expiration of its password (that is, after the password has expired and not been changed),
run the following command, substituting <html:code xmlns:html="http://www.w3.org/1999/xhtml"><html:i>NUM_DAYS</html:i></html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml"><html:i>USER</html:i></html:code> appropriately:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chage -I <html:i>NUM_DAYS USER</html:i></html:pre>
Accounts, such as temporary accounts, can also be configured to expire on an explicitly-set date with the
<html:code xmlns:html="http://www.w3.org/1999/xhtml">-E</html:code> option.
The file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/default/useradd</html:code> controls
default settings for all new accounts created with the system's
normal command line utilities.</description>
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">This will only apply to newly created accounts</warning>
<Value id="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" type="number">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">number of days after a password expires until the account is permanently disabled</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The number of days to wait after a password expires, until the account will be permanently disabled.</description>
<value selector="0">0</value>
<value selector="180">180</value>
<value selector="30">30</value>
<value selector="35">35</value>
<value selector="40">40</value>
<value selector="60">60</value>
<value selector="90">90</value>
<value>35</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_account_temp_expire_date" selected="false" severity="unknown">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Assign Expiration Date to Temporary Accounts</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Temporary accounts are established as part of normal account activation procedures
when there is a need for short-term accounts. In the event temporary
or emergency accounts are required, configure the system to terminate
them after a documented time period. For every temporary and
emergency account, run the following command to set an expiration date on it,
substituting <html:code xmlns:html="http://www.w3.org/1999/xhtml"><html:i>USER</html:i></html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml"><html:i>YYYY-MM-DD</html:i></html:code> appropriately:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chage -E <html:i>YYYY-MM-DD USER</html:i></html:pre>
<html:code xmlns:html="http://www.w3.org/1999/xhtml"><html:i>YYYY-MM-DD</html:i></html:code> indicates the documented expiration date for the account.
For U.S. Government systems, the operating system must be configured to automatically terminate
these types of accounts after a period of 72 hours.</description>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000016</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001682</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(2)</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(3)</reference>
<reference href="">2</reference>
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If temporary user accounts remain active when no longer needed or for
an excessive period, these accounts may be used to gain unauthorized access.
To mitigate this risk, automated termination of all temporary accounts
must be set upon account creation.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/></rationale>
<check system="http://scap.nist.gov/schema/ocil/2">
<check-content-ref name="ocil:ssg-account_temp_expire_date_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" selected="false" severity="medium">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Account Expiration Following Inactivity</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following lines in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/default/useradd</html:code>, substituting
<html:code xmlns:html="http://www.w3.org/1999/xhtml"><html:i>NUM_DAYS</html:i></html:code> appropriately:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">INACTIVE=<html:i><sub idref="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" use="legacy"/></html:i></html:pre>
A value of 35 is recommended; however, this profile expects that the value is set to
<html:code xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2"><sub idref="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" use="legacy"/></html:code>.
If a password is currently on the
verge of expiration, then 35 days remain until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 95
days could elapse until the account would be automatically disabled. See the
<html:code xmlns:html="http://www.w3.org/1999/xhtml">useradd</html:code> man page for more information. Determining the inactivity
timeout must be done with careful consideration of the length of a "normal"
period of inactivity for users in the particular environment. Setting
the timeout too low incurs support costs and also has the potential to impact
availability of the system to legitimate users.</description>
<reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.6</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000795</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(2)</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(3)</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-4(e)</reference>
<reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.4</reference>
<reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000118-GPOS-00060</reference>
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disabling inactive accounts ensures that accounts which may not
have been responsibly removed are not available to attackers
who may have compromised their credentials.</rationale>
<fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="account_disable_post_pw_expiration" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: XCCDF Value var_account_disable_post_pw_expiration # promote to variable
  set_fact:
    var_account_disable_post_pw_expiration: !!str |-
        <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" use="legacy"/>
  tags:
    - always
- name: Set Account Expiration Following Inactivity
  lineinfile:
    create: yes
    dest: /etc/default/useradd
    regexp: ^INACTIVE
    line: "INACTIVE={{ var_account_disable_post_pw_expiration }}"
  tags:
    - account_disable_post_pw_expiration
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-2(2)
    - NIST-800-53-AC-2(3)
    - NIST-800-53-IA-4(e)
    - NIST-800-171-3.5.6
    - PCI-DSS-Req-8.1.4
    - CJIS-5.6.2.1.1
</fix>
<check system="http://scap.nist.gov/schema/ocil/2">
<check-content-ref name="ocil:ssg-account_disable_post_pw_expiration_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_account_use_centralized_automated_auth" selected="false" severity="medium">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use Centralized and Automated Authentication</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Implement an automated system for managing user accounts that minimizes the
risk of errors, whether accidental or deliberate. This system
should integrate with an existing enterprise user management system, such as
one based on Identity Management tools such as Active Directory, Kerberos,
Directory Server, etc.</description>
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A comprehensive account management process that includes automation helps to
ensure the accounts designated as requiring attention are consistently and
promptly addressed. Enterprise environments make user account management
challenging and complex. A user management process requiring administrators to
manually address account management functions adds risk of potential
oversight.</rationale>
<check system="http://scap.nist.gov/schema/ocil/2">
<check-content-ref name="ocil:ssg-account_use_centralized_automated_auth_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_account_unique_name" selected="false" severity="unknown">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure All Accounts on the System Have Unique Names</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Change usernames, or delete accounts, so each has a unique name.</description>
<reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000770</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000804</reference>
<reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.1</reference>
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unique usernames allow for accountability on the system.</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg-account_unique_name:def:1" href="ssg-fedora-oval.xml"/>
</check>
<check system="http://scap.nist.gov/schema/ocil/2">
<check-content-ref name="ocil:ssg-account_unique_name_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_password_expiration">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Expiration Parameters</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/login.defs</html:code> controls several
password-related settings. Programs such as <html:code xmlns:html="http://www.w3.org/1999/xhtml">passwd</html:code>,
<html:code xmlns:html="http://www.w3.org/1999/xhtml">su</html:code>, and
<html:code xmlns:html="http://www.w3.org/1999/xhtml">login</html:code> consult <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/login.defs</html:code> to determine
behavior with regard to password aging, expiration warnings,
and length. See the man page <html:code xmlns:html="http://www.w3.org/1999/xhtml">login.defs(5)</html:code> for more information.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Users should be forced to change their passwords, in order to
decrease the utility of compromised passwords. However, the need to
change passwords often should be balanced against the risk that
users will reuse or write down passwords if forced to change them
too often. Forcing password changes every 90-360 days, depending on
the environment, is recommended. Set the appropriate value as
<html:code xmlns:html="http://www.w3.org/1999/xhtml">PASS_MAX_DAYS</html:code> and apply it to existing accounts with the
<html:code xmlns:html="http://www.w3.org/1999/xhtml">-M</html:code> flag.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
The <html:code xmlns:html="http://www.w3.org/1999/xhtml">PASS_MIN_DAYS</html:code> (<html:code xmlns:html="http://www.w3.org/1999/xhtml">-m</html:code>) setting prevents password
changes for 7 days after the first change, to discourage password
cycling. If you use this setting, train users to contact an administrator
for an emergency password change in case a new password becomes
compromised. The <html:code xmlns:html="http://www.w3.org/1999/xhtml">PASS_WARN_AGE</html:code> (<html:code xmlns:html="http://www.w3.org/1999/xhtml">-W</html:code>) setting gives
users 7 days of warnings at login time that their passwords are about to expire.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
For example, for each existing human user <html:i xmlns:html="http://www.w3.org/1999/xhtml">USER</html:i>, expiration parameters
could be adjusted to a 180 day maximum password age, 7 day minimum password
age, and 7 day warning period with the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chage -M 180 -m 7 -W 7 USER</html:pre></description>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" type="number">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">warning days before password expires</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The number of days' warning given before a password expires.</description>
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">This will only apply to newly created accounts</warning>
<value selector="0">0</value>
<value selector="14">14</value>
<value selector="7">7</value>
<value>7</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" type="number">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">minimum password age</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum age of password in days</description>
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">This will only apply to newly created accounts</warning>
<value selector="0">0</value>
<value selector="1">1</value>
<value selector="2">2</value>
<value selector="5">5</value>
<value selector="7">7</value>
<value>7</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" type="number">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">maximum password age</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Maximum age of password in days</description>
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">This will only apply to newly created accounts</warning>
<value selector="120">120</value>
<value selector="180">180</value>
<value selector="60">60</value>
<value selector="90">90</value>
<value>60</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" type="number">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">minimum password length</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of characters in password</description>
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">This will only check new passwords</warning>
<value selector="10">10</value>
<value selector="12">12</value>
<value selector="14">14</value>
<value selector="15">15</value>
<value selector="6">6</value>
<value selector="8">8</value>
<value>15</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="false" severity="medium">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Maximum Age</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To specify password maximum age for new accounts,
edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/login.defs</html:code>
and add or correct the following line:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">PASS_MAX_DAYS <sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="legacy"/></html:pre>
A value of 180 days is sufficient for many environments.
The DoD requirement is 60.
The profile requirement is <html:code xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2"><sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="legacy"/></html:code>.</description>
<reference href="">5.4.1.1</reference>
<reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.6</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000199</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(g)</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</reference>
<reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.4</reference>
<reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000076-GPOS-00044</reference>
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Any password, no matter how complex, can eventually be cracked. Therefore, passwords
need to be changed periodically. If the operating system does not limit the lifetime
of passwords and force users to change their passwords, there is the risk that the
operating system passwords could be compromised.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Setting the password maximum age ensures users are required to
periodically change their passwords. Requiring shorter password lifetimes
increases the risk of users writing down the password in a convenient
location subject to physical compromise.</rationale>
<fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="accounts_maximum_age_login_defs" system="urn:xccdf:fix:script:sh">
declare var_accounts_maximum_age_login_defs
var_accounts_maximum_age_login_defs="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="legacy"/>"
grep -q ^PASS_MAX_DAYS /etc/login.defs && \
sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
echo -e "PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi
</fix>
<fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="accounts_maximum_age_login_defs" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: XCCDF Value var_accounts_maximum_age_login_defs # promote to variable
  set_fact:
    var_accounts_maximum_age_login_defs: !!str |-
        <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="legacy"/>
  tags:
    - always
- name: Set Password Maximum Age
  lineinfile:
    create: yes
    dest: /etc/login.defs
    regexp: ^#?PASS_MAX_DAYS
    line: "PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }}"
  tags:
    - accounts_maximum_age_login_defs
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-IA-5(f)
    - NIST-800-53-IA-5(g)
    - NIST-800-53-IA-5(1)(d)
    - NIST-800-171-3.5.6
    - PCI-DSS-Req-8.2.4
    - CJIS-5.6.2.1
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg-var_accounts_maximum_age_login_defs:var:1" value-id="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs"/>
<check-content-ref name="oval:ssg-accounts_maximum_age_login_defs:def:1" href="ssg-fedora-oval.xml"/>
</check>
<check system="http://scap.nist.gov/schema/ocil/2">
<check-content-ref name="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" selected="false" severity="unknown">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Warning Age</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To specify how many days prior to password
expiration that a warning will be issued to users,
edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/login.defs</html:code> and add or correct
the following line:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">PASS_WARN_AGE <sub idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" use="legacy"/></html:pre>
The DoD requirement is 7.
The profile requirement is <html:code xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2"><sub idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" use="legacy"/></html:code>.</description>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.8</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(2)</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</reference>
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Setting the password warning age enables users to
make the change at a practical time.</rationale>
<fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="accounts_password_warn_age_login_defs" system="urn:xccdf:fix:script:sh">
declare var_accounts_password_warn_age_login_defs
var_accounts_password_warn_age_login_defs="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" use="legacy"/>"
grep -q ^PASS_WARN_AGE /etc/login.defs && \
sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
echo -e "PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs" >> /etc/login.defs
fi
</fix>
<fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="accounts_password_warn_age_login_defs" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: XCCDF Value var_accounts_password_warn_age_login_defs # promote to variable
  set_fact:
    var_accounts_password_warn_age_login_defs: !!str |-
        <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" use="legacy"/>
  tags:
    - always
- name: "Set Password Warning Age"
  lineinfile:
    dest: /etc/login.defs
    regexp: "^PASS_WARN_AGE *[0-9]*"
    state: present
    line: "PASS_WARN_AGE {{ var_accounts_password_warn_age_login_defs }}"
  tags:
    - accounts_password_warn_age_login_defs
    - unknown_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-2(2)
    - NIST-800-53-IA-5(f)
    - NIST-800-171-3.5.8
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg-var_accounts_password_warn_age_login_defs:var:1" value-id="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs"/>
<check-content-ref name="oval:ssg-accounts_password_warn_age_login_defs:def:1" href="ssg-fedora-oval.xml"/>
</check>
<check system="http://scap.nist.gov/schema/ocil/2">
<check-content-ref name="ocil:ssg-accounts_password_warn_age_login_defs_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/>
</check>
</Rule>
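An offline audit of the settings the rules above describe (nullok in the PAM stack, INACTIVE in /etc/default/useradd, and the PASS_* keys in /etc/login.defs), written here as an added example; it is not SCAP Security Guide content and is not the OVAL check the benchmark references. The profile values are the defaults from the Value elements of this section; the file contents fed to it are constructed samples, and a real run would read the three files instead.

```python
"""Added audit example (not SCAP Security Guide code): compares the account and
password policy settings this section describes against the profile defaults.
The sample file contents below are constructed for the demonstration."""
import re

# Profile defaults taken from the Value elements of this benchmark section.
PROFILE = {
    "INACTIVE": 35,        # var_account_disable_post_pw_expiration
    "PASS_MAX_DAYS": 60,   # var_accounts_maximum_age_login_defs
    "PASS_MIN_DAYS": 7,    # var_accounts_minimum_age_login_defs
    "PASS_WARN_AGE": 7,    # var_accounts_password_warn_age_login_defs
    "PASS_MIN_LEN": 15,    # var_accounts_password_minlen_login_defs
}

# Constructed /etc/login.defs: PASS_MAX_DAYS is far too lax, PASS_MIN_DAYS is
# commented out (so it does not count as set), PASS_MIN_LEN is absent.
SAMPLE_LOGIN_DEFS = """\
# Password aging controls
PASS_MAX_DAYS\t99999
#PASS_MIN_DAYS\t7
PASS_WARN_AGE 7
"""

# Constructed /etc/default/useradd with the recommended inactivity value.
SAMPLE_USERADD = "INACTIVE=35\nSHELL=/bin/bash\n"

# Constructed /etc/pam.d/system-auth: the first line still carries nullok.
SAMPLE_SYSTEM_AUTH = """\
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
password    sufficient    pam_unix.so sha512 shadow nullok_secure use_authtok
"""

def parse_login_defs(text):
    """Parse KEY VALUE pairs; blank and commented lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings

def parse_key_equals(text):
    """Parse KEY=VALUE lines, the /etc/default/useradd format."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def audit_login_defs(text, profile=PROFILE):
    """Return {key: finding} for every PASS_* setting that fails the profile."""
    actual = parse_login_defs(text)
    findings = {}
    for key in ("PASS_MAX_DAYS", "PASS_MIN_DAYS", "PASS_WARN_AGE", "PASS_MIN_LEN"):
        expected = profile[key]
        if key not in actual or not actual[key].isdigit():
            findings[key] = "missing or commented out (expected %d)" % expected
            continue
        value = int(actual[key])
        # Maximum age is a ceiling; the other three settings are floors.
        if key == "PASS_MAX_DAYS":
            bad = value > expected
        else:
            bad = expected > value
        if bad:
            findings[key] = "is %d, profile expects %d" % (value, expected)
    return findings

def audit_inactive(text, profile=PROFILE):
    """Return (ok, days) for INACTIVE. ok means set, not negative (-1 turns the
    feature off in useradd) and no greater than the profile value."""
    value = parse_key_equals(text).get("INACTIVE")
    if value is None or not re.fullmatch(r"-?\d+", value):
        return (False, None)
    days = int(value)
    ok = days >= 0 and profile["INACTIVE"] >= days
    return (ok, days)

def worst_case_disable_days(pass_max_days, inactive):
    """Days an abandoned account can stay usable: the remaining password
    lifetime plus INACTIVE. The rule's own numbers (60 and 35) give 95."""
    return pass_max_days + inactive

# Whole-word match, like the sed word boundaries in the sh fix above, so the
# distinct nullok_secure token is not reported.
NULLOK = re.compile(r"\bnullok\b")

def pam_lines_with_nullok(text):
    """1-based line numbers of uncommented PAM lines that still allow empty passwords."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if not line.lstrip().startswith("#") and NULLOK.search(line)]

if __name__ == "__main__":
    print("login.defs findings:", audit_login_defs(SAMPLE_LOGIN_DEFS))
    print("INACTIVE:", audit_inactive(SAMPLE_USERADD))
    print("worst case:", worst_case_disable_days(60, 35), "days")
    print("nullok on lines:", pam_lines_with_nullok(SAMPLE_SYSTEM_AUTH))
```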
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" selected="false" severity="medium">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Minimum Length in login.defs</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To specify password length requirements for new accounts,
edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/login.defs</html:code> and add or correct the following
line:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">PASS_MIN_LEN <sub idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" use="legacy"/></html:pre>
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
The DoD requirement is <html:code xmlns:html="http://www.w3.org/1999/xhtml">15</html:code>.
The FISMA requirement is <html:code xmlns:html="http://www.w3.org/1999/xhtml">12</html:code>.
The profile requirement is <html:code xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2"><sub idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" use="legacy"/></html:code>.
If a program consults <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/login.defs</html:code> and also another PAM module
(such as <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_pwquality</html:code>) during a password change operation,
then the most restrictive requirement must be satisfied. See the PAM section
for more information about enforcing password quality requirements.</description>
<reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.7</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</reference>
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Requiring a minimum password length makes password
cracking attacks more difficult by ensuring a larger
search space. However, any security benefit from an onerous requirement
must be carefully weighed against usability problems, support costs, or counterproductive
behavior that may result.</rationale>
<fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="accounts_password_minlen_login_defs" system="urn:xccdf:fix:script:sh">
declare var_accounts_password_minlen_login_defs
var_accounts_password_minlen_login_defs="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" use="legacy"/>"
# Rewrite an existing uncommented PASS_MIN_LEN line in place; if none exists, append one.
grep -q ^PASS_MIN_LEN /etc/login.defs && \
  sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
    echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" >> /etc/login.defs
fi
</fix>
<fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="accounts_password_minlen_login_defs" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: XCCDF Value var_accounts_password_minlen_login_defs # promote to variable
  set_fact:
    var_accounts_password_minlen_login_defs: !!str |-
        <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" use="legacy"/>
  tags:
    - always

- name: "Set Password Minimum Length in login.defs"
  lineinfile:
    dest: /etc/login.defs
    regexp: "^PASS_MIN_LEN *[0-9]*"
    state: present
    line: "PASS_MIN_LEN {{ var_accounts_password_minlen_login_defs }}"
  tags:
    - accounts_password_minlen_login_defs
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-IA-5(f)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-171-3.5.7
    - CJIS-5.6.2.1
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg-var_accounts_password_minlen_login_defs:var:1" value-id="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs"/>
<check-content-ref name="oval:ssg-accounts_password_minlen_login_defs:def:1" href="ssg-fedora-oval.xml"/>
</check>
<check system="http://scap.nist.gov/schema/ocil/2">
<check-content-ref name="ocil:ssg-accounts_password_minlen_login_defs_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" selected="false" severity="medium">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Minimum Age</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To specify the minimum password age for new accounts,
edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/login.defs</html:code>
and add or correct the following line:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">PASS_MIN_DAYS <sub idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" use="legacy"/></html:pre>
A value of 1 day is considered sufficient for many
environments. The DoD requirement is 1.
The profile requirement is <html:code xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2"><sub idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" use="legacy"/></html:code>.</description>
<reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.8</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000198</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</reference>
<reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000075-GPOS-00043</reference>
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat
the password reuse or history enforcement requirement. If users are allowed to immediately
and continually change their password, then the password could be repeatedly changed in a
short period of time to defeat the organization's policy regarding password reuse.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Setting the minimum password age protects against users cycling back to a favorite password
after satisfying the password reuse requirement.</rationale>
<fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="accounts_minimum_age_login_defs" system="urn:xccdf:fix:script:sh">
declare var_accounts_minimum_age_login_defs
var_accounts_minimum_age_login_defs="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" use="legacy"/>"
# Rewrite an existing uncommented PASS_MIN_DAYS line in place; if none exists, append one.
grep -q ^PASS_MIN_DAYS /etc/login.defs && \
  sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
    echo -e "PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs" >> /etc/login.defs
fi
</fix>
<fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="accounts_minimum_age_login_defs" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: XCCDF Value var_accounts_minimum_age_login_defs # promote to variable
  set_fact:
    var_accounts_minimum_age_login_defs: !!str |-
        <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" use="legacy"/>
  tags:
    - always

- name: Set Password Minimum Age
  lineinfile:
    create: yes
    dest: /etc/login.defs
    regexp: ^#?PASS_MIN_DAYS
    line: "PASS_MIN_DAYS {{ var_accounts_minimum_age_login_defs }}"
  tags:
    - accounts_minimum_age_login_defs
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-IA-5(f)
    - NIST-800-53-IA-5(1)(d)
    - NIST-800-171-3.5.8
    - CJIS-5.6.2.1.1
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg-var_accounts_minimum_age_login_defs:var:1" value-id="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs"/>
<check-content-ref name="oval:ssg-accounts_minimum_age_login_defs:def:1" href="ssg-fedora-oval.xml"/>
</check>
<check system="http://scap.nist.gov/schema/ocil/2">
<check-content-ref name="ocil:ssg-accounts_minimum_age_login_defs_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/>
</check>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_accounts-banners">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Warning Banners for System Accesses</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Each system should expose as little information about
itself as possible.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
System banners, which are typically displayed just before a
login prompt, give out information about the service or the host's
operating system. This might include the distribution name and the
system kernel version, and the particular version of a network
service. This information can assist intruders in gaining access to
the system as it can reveal whether the system is running
vulnerable software. Most network services can be configured to
limit what information is displayed.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Many organizations implement security policies that require that a
system banner provide notice of the system's ownership, provide
warning to unauthorized users, and remind authorized users of their
consent to monitoring.</description>
<Value id="xccdf_org.ssgproject.content_value_login_banner_text" type="string">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Login Banner Verbiage</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enter an appropriate login banner for your organization. Please note that new lines must
be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.</description>
<value selector="dod_banners">^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)</value>
<value selector="dod_default">You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.</value>
<value selector="dod_short">I(\\\')*(\')*ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreement.</value>
<value selector="dss_odaa_default">[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U.S.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.</value>
<value selector="usgcb_default">--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.</value>
</Value>
<Group id="xccdf_org.ssgproject.content_group_gui_login_banner">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Implement a GUI Warning Banner</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In the default graphical environment, users logging
directly into the system are greeted with a login screen provided
by the GNOME Display Manager (GDM). The warning banner should be
displayed in this graphical environment for these users.
The following sections describe how to configure the GDM login
banner.</description>
<Rule id="xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text" selected="false" severity="medium">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set the GNOME3 Login Warning Banner Text</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In the default graphical environment, the login warning banner text
shown on the GNOME Display Manager's login screen is configured
by setting <html:code xmlns:html="http://www.w3.org/1999/xhtml">banner-message-text</html:code> to <html:code xmlns:html="http://www.w3.org/1999/xhtml">string '<html:i>APPROVED_BANNER</html:i>'</html:code>
where <html:i xmlns:html="http://www.w3.org/1999/xhtml">APPROVED_BANNER</html:i> is the approved banner for your environment.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
To enable, add or edit <html:code xmlns:html="http://www.w3.org/1999/xhtml">banner-message-text</html:code> in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/dconf/db/gdm.d/00-security-settings</html:code>. For example:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">[org/gnome/login-screen]
banner-message-text='<html:i>APPROVED_BANNER</html:i>'</html:pre>
Once the setting has been added, add a lock to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/dconf/db/gdm.d/locks/00-security-settings-lock</html:code> to prevent user modification.
For example:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">/org/gnome/login-screen/banner-message-text</html:pre>
After the settings have been set, run <html:code xmlns:html="http://www.w3.org/1999/xhtml">dconf update</html:code>.
When entering a warning banner that spans several lines, remember
to begin and end the string with <html:code xmlns:html="http://www.w3.org/1999/xhtml">'</html:code> and use <html:code xmlns:html="http://www.w3.org/1999/xhtml">\n</html:code> for new lines.</description>
<reference href="">1.7.2</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(b)</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)</reference>
<reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023-GPOS-00006</reference>
<reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000024-GPOS-00007</reference>
<reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000228-GPOS-00088</reference>
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.</rationale>
<fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="dconf_gnome_login_banner_text" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="medium">- name: XCCDF Value login_banner_text # promote to variable
  set_fact:
    login_banner_text: !!str |-
        <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_login_banner_text" use="legacy"/>
  tags:
    - always

- name: "Set the GNOME3 Login Warning Banner Text"
  file:
    path: "/etc/dconf/db/{{ item }}"
    owner: root
    group: root
    mode: 0755
    state: directory
  with_items:
    - gdm.d
    - gdm.d/locks
  tags:
    - dconf_gnome_login_banner_text
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(b)
    - NIST-800-53-AC-8(c)
    - NIST-800-171-3.1.9

- name: "Set the GNOME3 Login Warning Banner Text"
  file:
    path: "/etc/dconf/db/gdm.d/{{ item }}"
    owner: root
    group: root
    mode: 0644
    state: touch
  with_items:
    - 00-security-settings
    - locks/00-security-settings-lock
  tags:
    - dconf_gnome_login_banner_text
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(b)
    - NIST-800-53-AC-8(c)
    - NIST-800-171-3.1.9

- name: "Set the GNOME3 Login Warning Banner Text"
  ini_file:
    dest: /etc/dconf/db/gdm.d/00-security-settings
    section: org/gnome/login-screen
    option: banner-message-text
    value: string '{{ login_banner_text }}'
    create: yes
  tags:
    - dconf_gnome_login_banner_text
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(b)
    - NIST-800-53-AC-8(c)
    - NIST-800-171-3.1.9

# dconf lock entries are absolute key paths, so the lock line carries the leading "/"
# shown in the rule description.
- name: "Prevent user modification of the GNOME3 Login Warning Banner Text"
  lineinfile:
    path: '/etc/dconf/db/gdm.d/locks/00-security-settings-lock'
    regexp: '^/org/gnome/login-screen/banner-message-text$'
    line: '/org/gnome/login-screen/banner-message-text'
    create: yes
    state: present
  tags:
    - dconf_gnome_login_banner_text
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(b)
    - NIST-800-53-AC-8(c)
    - NIST-800-171-3.1.9
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg-login_banner_text:var:1" value-id="xccdf_org.ssgproject.content_value_login_banner_text"/>
<check-content-ref name="oval:ssg-dconf_gnome_login_banner_text:def:1" href="ssg-fedora-oval.xml"/>
</check>
<check system="http://scap.nist.gov/schema/ocil/2">
<check-content-ref name="ocil:ssg-dconf_gnome_login_banner_text_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_gconf_gdm_enable_warning_gui_banner" selected="false" severity="medium">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable GUI Warning Banner</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To enable displaying a login warning banner in the GNOME
Display Manager's login screen, run the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gdm/simple-greeter/banner_message_enable true</html:pre>
To display a banner, this setting must be enabled and then
banner text must also be set.</description>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(b)</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)</reference>
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">An appropriate warning message reinforces policy awareness during the login
process and facilitates possible legal action against attackers.</rationale>
<check system="http://scap.nist.gov/schema/ocil/2">
<check-content-ref name="ocil:ssg-gconf_gdm_enable_warning_gui_banner_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled" selected="false" severity="medium">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable GNOME3 Login Warning Banner</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In the default graphical environment, the login warning banner
on the GNOME Display Manager's login screen is enabled
by setting <html:code xmlns:html="http://www.w3.org/1999/xhtml">banner-message-enable</html:code> to <html:code xmlns:html="http://www.w3.org/1999/xhtml">true</html:code>.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
To enable, add or edit <html:code xmlns:html="http://www.w3.org/1999/xhtml">banner-message-enable</html:code> in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/dconf/db/gdm.d/00-security-settings</html:code>. For example:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">[org/gnome/login-screen]
banner-message-enable=true</html:pre>
Once the setting has been added, add a lock to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/dconf/db/gdm.d/locks/00-security-settings-lock</html:code> to prevent user modification.
For example:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">/org/gnome/login-screen/banner-message-enable</html:pre>
After the settings have been set, run <html:code xmlns:html="http://www.w3.org/1999/xhtml">dconf update</html:code>.
The banner text must also be set.</description>
<reference href="">1.7.2</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(b)</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(1)</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(2)</reference>
<reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(3)</reference>
<reference href="">SRG-OS-000023-GPOS-00006</reference>
<reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000024-GPOS-00007</reference>
<reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000228-GPOS-00088</reference>
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Display of a standardized and approved use notification before granting access to the operating system
ensures that the privacy and security notification verbiage used is consistent with applicable federal laws,
Executive Orders, directives, policies, regulations, standards, and guidance.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
For U.S. Government systems, system use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not exist.</rationale>
<fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="dconf_gnome_banner_enabled" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="medium">- name: "Enable GNOME3 Login Warning Banner"
  # The GDM login screen reads the gdm.d dconf profile named in the rule description, not local.d.
  ini_file:
    dest: "/etc/dconf/db/gdm.d/00-security-settings"
    section: "org/gnome/login-screen"
    option: banner-message-enable
    value: "true"
    create: yes
  tags:
    - dconf_gnome_banner_enabled
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(b)
    - NIST-800-53-AC-8(c)(1)
    - NIST-800-53-AC-8(c)(2)
    - NIST-800-53-AC-8(c)(3)
    - NIST-800-171-3.1.9

- name: "Prevent user modification of GNOME banner-message-enabled"
  lineinfile:
    path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/login-screen/banner-message-enable'
    line: '/org/gnome/login-screen/banner-message-enable'
    create: yes
  tags:
    - dconf_gnome_banner_enabled
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(b)
    - NIST-800-53-AC-8(c)(1)
    - NIST-800-53-AC-8(c)(2)
    - NIST-800-53-AC-8(c)(3)
    - NIST-800-171-3.1.9
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg-dconf_gnome_banner_enabled:def:1" href="ssg-fedora-oval.xml"/>
</check>
<check system="http://scap.nist.gov/schema/ocil/2">
<check-content-ref name="ocil:ssg-dconf_gnome_banner_enabled_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/>
</check>
</Rule>
| <Rule id="xccdf_org.ssgproject.content_rule_gconf_gdm_set_login_banner_text" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set GUI Warning Banner Text</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the text shown by the GNOME Display Manager | |
| in the login screen, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo gconftool-2 --direct \ | |
| --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ | |
| --type string \ | |
| --set /apps/gdm/simple-greeter/banner_message_text \ | |
| "Text of the warning banner here"</html:pre> | |
| When entering a warning banner that spans several lines, remember | |
| to begin and end the string with <html:code xmlns:html="http://www.w3.org/1999/xhtml">"</html:code>. This command writes | |
| directly either to the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml</html:code> | |
| if it exists or to the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml</html:code>. | |
| Either of these files can later be edited directly if necessary.</description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(b)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">An appropriate warning message reinforces policy awareness during the login | |
| process and facilitates possible legal action against attackers.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-gconf_gdm_set_login_banner_text_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Rule id="xccdf_org.ssgproject.content_rule_banner_etc_issue" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Modify the System Login Banner</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To configure the system login banner edit <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/issue</html:code>. Replace | |
| the default text with a message compliant with the local site policy | |
| or a legal disclaimer. | |
| The DoD required text is either: | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">You are accessing a U.S. Government (USG) Information System (IS) that is | |
| provided for USG-authorized use only. By using this IS (which includes any | |
| device attached to this IS), you consent to the following conditions: | |
| <html:br/>-The USG routinely intercepts and monitors communications on this IS for purposes | |
| including, but not limited to, penetration testing, COMSEC monitoring, network | |
| operations and defense, personnel misconduct (PM), law enforcement (LE), and | |
| counterintelligence (CI) investigations. | |
| <html:br/>-At any time, the USG may inspect and seize data stored on this IS. | |
| <html:br/>-Communications using, or data stored on, this IS are not private, are subject | |
| to routine monitoring, interception, and search, and may be disclosed or used | |
| for any USG-authorized purpose. | |
| <html:br/>-This IS includes security measures (e.g., authentication and access controls) | |
| to protect USG interests -- not for your personal benefit or privacy. | |
| <html:br/>-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative | |
| searching or monitoring of the content of privileged communications, or work | |
| product, related to personal representation or services by attorneys, | |
| psychotherapists, or clergy, and their assistants. Such communications and work | |
| product are private and confidential. See User Agreement for details.</html:code> | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| OR: | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">I've read & consent to terms in IS user agreem't.</html:code></description> | |
| <reference href="">1.7.1.2</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(b)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(1)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(2)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(3)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023-GPOS-00006</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000024-GPOS-00007</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Display of a standardized and approved use notification before granting access to the operating system | |
| ensures privacy and security notification verbiage used is consistent with applicable federal laws, | |
| Executive Orders, directives, policies, regulations, standards, and guidance. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| System use notifications are required only for access via login interfaces with human users and | |
| are not required when such human interfaces do not exist.</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-login_banner_text:var:1" value-id="xccdf_org.ssgproject.content_value_login_banner_text"/> | |
| <check-content-ref name="oval:ssg-banner_etc_issue:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-banner_etc_issue_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_accounts-physical"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Protect Physical Console Access</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">It is impossible to fully protect a system from an | |
| attacker with physical access, so securing the space in which the | |
| system is located should be considered a necessary step. However, | |
| there are some steps which, if taken, make it more difficult for an | |
| attacker to quickly or undetectably modify a system from its | |
| console.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_screen_locking"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Screen Locking</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">When a user must temporarily leave an account | |
| logged-in, screen locking should be employed to prevent passersby | |
| from abusing the account. User education and training is | |
| particularly important for screen locking to be effective, and policies | |
| can be implemented to reinforce this. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Automatic screen locking is only meant as a safeguard for | |
| those cases where a user forgot to lock the screen.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_smart_card_login"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Hardware Tokens for Authentication</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The use of hardware tokens such as smart cards for system login | |
| provides stronger, two-factor authentication than using a username and password. | |
| In Red Hat Enterprise Linux servers and workstations, hardware token login | |
| is not enabled by default and must be enabled in the system settings.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_smartcard_auth" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable Smart Card Login</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To enable smart card authentication, consult the documentation at: | |
| <html:ul xmlns:html="http://www.w3.org/1999/xhtml"> | |
| </html:ul> | |
| For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: | |
| <html:ul xmlns:html="http://www.w3.org/1999/xhtml"><html:li><html:b><html:a href="https://access.redhat.com/solutions/82273">https://access.redhat.com/solutions/82273</html:a></html:b></html:li></html:ul></description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000765</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000766</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000767</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000768</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000771</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000772</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000884</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(2)</reference> | |
| <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.3</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000104-GPOS-00051</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000106-GPOS-00053</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000107-GPOS-00054</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000109-GPOS-00056</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000108-GPOS-00055</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000108-GPOS-00057</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000108-GPOS-00058</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Smart card login provides two-factor authentication stronger than | |
| that provided by a username and password combination. Smart cards leverage PKI | |
| (public key infrastructure) in order to provide and verify credentials.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-smartcard_auth_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_console_screen_locking"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Console Screen Locking</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A console screen locking mechanism is provided in the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">screen</html:code> package, which is not installed by default.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_package_screen_installed" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Install the screen Package</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To enable console screen locking, install the <html:code xmlns:html="http://www.w3.org/1999/xhtml">screen</html:code> package: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo yum install screen</html:pre> | |
| Instruct users to begin new terminal sessions with the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ screen</html:pre> | |
| The console can now be locked with the following key combination: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">ctrl+a x</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000057</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000029-GPOS-00010</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate | |
| physical vicinity of the information system but des not logout because of the temporary nature of the absence. | |
| Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity, | |
| operating systems need to be able to identify when a user's session has idled and take action to initiate the | |
| session lock. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">screen</html:code> package allows for a session lock to be implemented and configured.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-package_screen_installed_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| </Group> | |
| <Rule id="xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify that Interactive Boot is Disabled</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Red Hat Enterprise Linux systems support an "interactive boot" option that can | |
| be used to prevent services from being started. On a Red Hat Enterprise Linux 7 | |
| system, interactive boot can be enabled by providing a <html:code xmlns:html="http://www.w3.org/1999/xhtml">1</html:code>, | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">yes</html:code>, <html:code xmlns:html="http://www.w3.org/1999/xhtml">true</html:code>, or <html:code xmlns:html="http://www.w3.org/1999/xhtml">on</html:code> value to the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">systemd.confirm_spawn</html:code> kernel argument in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/default/grub</html:code>. | |
| Remove any instance of <html:pre xmlns:html="http://www.w3.org/1999/xhtml">systemd.confirm_spawn=(1|yes|true|on)</html:pre> from | |
| the kernel arguments in that file to disable interactive boot.</description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000213</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-2</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Using interactive boot, the console user could disable auditing, firewalls, | |
| or other services, weakening system security.</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-grub2_disable_interactive_boot:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" selected="false" severity="high"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Ctrl-Alt-Del Reboot Activation</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, <html:code xmlns:html="http://www.w3.org/1999/xhtml">SystemD</html:code> will reboot the system if the <html:code xmlns:html="http://www.w3.org/1999/xhtml">Ctrl-Alt-Del</html:code> | |
| key sequence is pressed. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| To configure the system to ignore the <html:code xmlns:html="http://www.w3.org/1999/xhtml">Ctrl-Alt-Del</html:code> key sequence from the | |
| command line instead of rebooting the system, do either of the following: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target</html:pre> | |
| or | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">systemctl mask ctrl-alt-del.target</html:pre> | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Do not simply delete the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/usr/lib/systemd/system/ctrl-alt-del.service</html:code> file, | |
| as this file may be restored during future system updates.</description> | |
| <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="functionality">Disabling the <html:code xmlns:html="http://www.w3.org/1999/xhtml">Ctrl-Alt-Del</html:code> key sequence | |
| in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/init/control-alt-delete.conf</html:code> DOES NOT disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">Ctrl-Alt-Del</html:code> | |
| key sequence if running in <html:code xmlns:html="http://www.w3.org/1999/xhtml">runlevel 6</html:code> (e.g. in GNOME, KDE, etc.)! The | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">Ctrl-Alt-Del</html:code> key sequence will only be disabled if running in | |
| the non-graphical <html:code xmlns:html="http://www.w3.org/1999/xhtml">runlevel 3</html:code>.</warning> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A locally logged-in user who presses Ctrl-Alt-Del, when at the console, | |
| can reboot the system. If accidentally pressed, as could happen in | |
| the case of mixed OS environment, this can create the risk of short-term | |
| loss of availability of systems due to unintentional reboot.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="disable_ctrlaltdel_reboot" system="urn:xccdf:fix:script:sh"># Reference: https://access.redhat.com/solutions/1123873 | |
| systemctl mask ctrl-alt-del.target | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-disable_ctrlaltdel_reboot:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-disable_ctrlaltdel_reboot_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable debug-shell SystemD Service</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SystemD's <html:code xmlns:html="http://www.w3.org/1999/xhtml">debug-shell</html:code> service is intended to | |
| diagnose SystemD related boot issues with various <html:code xmlns:html="http://www.w3.org/1999/xhtml">systemctl</html:code> | |
| commands. Once enabled and following a system reboot, the root shell | |
| will be available on <html:code xmlns:html="http://www.w3.org/1999/xhtml">tty9</html:code> which is access by pressing | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">CTRL-ALT-F9</html:code>. The <html:code xmlns:html="http://www.w3.org/1999/xhtml">debug-shell</html:code> service should only be used | |
| for SystemD related issues and should otherwise be disabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| By default, the <html:code xmlns:html="http://www.w3.org/1999/xhtml">debug-shell</html:code> SystemD service is disabled. | |
| The <html:code xmlns:html="http://www.w3.org/1999/xhtml">debug-shell</html:code> service can be disabled with the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo systemctl disable debug-shell.service</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This prevents attackers with physical access from trivially bypassing security | |
| on the machine through valid troubleshooting configurations and gaining root | |
| access when the system is rebooted.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_require_singleuser_auth" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Require Authentication for Single User Mode</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Single-user mode is intended as a system recovery | |
| method, providing a single user root access to the system by | |
| providing a boot option at startup. By default, no authentication | |
| is performed if single-user mode is selected. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| By default, single-user mode is protected by requiring a password and is set | |
| in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/usr/lib/systemd/system/rescue.service</html:code>.</description> | |
| <reference href="">1.4.3</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000213</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000080-GPOS-00048</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">010481</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This prevents attackers with physical access from trivially bypassing security | |
| on the machine and gaining root access. Such accesses are further prevented | |
| by configuring the bootloader password.</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-require_singleuser_auth:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-require_singleuser_auth_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_grub_legacy_disable_interactive_boot" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Interactive Boot</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To disable the ability for users to perform interactive startups, perform both | |
| of the following: | |
| <html:ol xmlns:html="http://www.w3.org/1999/xhtml"><html:li>Edit the file <html:code>/etc/sysconfig/init</html:code>. Add or correct the line: | |
| <html:pre>PROMPT=no</html:pre></html:li><html:li>Inspect the kernel boot arguments (which follow the word <html:code>kernel</html:code>) | |
| in <html:code>/etc/grub.conf</html:code> and ensure the <html:code>confirm</html:code> argument is <html:b>not</html:b> | |
| present.</html:li></html:ol> | |
| Both the <html:code xmlns:html="http://www.w3.org/1999/xhtml">PROMPT</html:code> option of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/init</html:code> file and | |
| the <html:code xmlns:html="http://www.w3.org/1999/xhtml">confirm</html:code> kernel boot argument of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/grub.conf</html:code> file | |
| allow the console user to perform an interactive system startup, in which it is | |
| possible to select the set of services which are started on boot.</description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-2</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Using interactive boot, the console user could disable auditing, firewalls, or | |
| other services, weakening system security.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-grub_legacy_disable_interactive_boot_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_accounts-session"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Secure Session Configuration Files for Login Accounts</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">When a user logs into a Unix account, the system | |
| configures the user's session by reading a number of files. Many of | |
| these files are located in the user's home directory, and may have | |
| weak permissions as a result of user error or misconfiguration. If | |
| an attacker can modify or even read certain types of account | |
| configuration information, they can often gain full access to the | |
| affected user's account. Therefore, it is important to test and | |
| correct configuration file permissions for interactive accounts, | |
| particularly those of privileged users such as root or system | |
| administrators.</description> | |
| <Value id="xccdf_org.ssgproject.content_value_var_accounts_fail_delay" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Maximum login attempts delay</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Maximum time in seconds between failed login attempts before re-prompting.</description> | |
| <value selector="1">1</value> | |
| <value selector="2">2</value> | |
| <value selector="3">3</value> | |
| <value selector="4">4</value> | |
| <value selector="5">5</value> | |
| <value>4</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Maximum concurrent login sessions</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Maximum number of concurrent sessions by a user</description> | |
| <value selector="1">1</value> | |
| <value selector="10">10</value> | |
| <value selector="15">15</value> | |
| <value selector="20">20</value> | |
| <value selector="3">3</value> | |
| <value selector="5">5</value> | |
| <value>1</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_accounts_tmout" type="number"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Account Inactivity Timeout (minutes)</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In an interactive shell, the value is interpreted as the | |
| number of seconds to wait for input after issuing the primary prompt. | |
| Bash terminates after waiting for that number of seconds if input does | |
| not arrive.</description> | |
| <value selector="10_min">600</value> | |
| <value selector="15_min">900</value> | |
| <value selector="5_min">300</value> | |
| <value>600</value> | |
| </Value> | |
| <Group id="xccdf_org.ssgproject.content_group_root_paths"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure that No Dangerous Directories Exist in Root's Path</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The active path of the root account can be obtained by | |
| starting a new root shell and running: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml"># echo $PATH</html:pre> | |
| This will produce a colon-separated list of | |
| directories in the path. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Certain path elements could be considered dangerous, as they could lead | |
| to root executing unknown or | |
| untrusted programs, which could contain malicious | |
| code. | |
| Since root may sometimes work inside | |
| untrusted directories, the <html:code xmlns:html="http://www.w3.org/1999/xhtml">.</html:code> character, which represents the | |
| current directory, should never be in the root path, nor should any | |
| directory which can be written to by an unprivileged or | |
| semi-privileged (system) user. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| It is a good practice for administrators to always execute | |
| privileged commands by typing the full path to the | |
| command.</description> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure that Root's Path Does Not Include World or Group-Writable Directories</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">For each element in root's path, run: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml"># ls -ld <html:i>DIR</html:i></html:pre> | |
| and ensure that write permissions are disabled for group and | |
| other.</description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Such entries increase the risk that root could | |
| execute code provided by unprivileged users, | |
| and potentially malicious code.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="accounts_root_path_dirs_no_write" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="medium" strategy="restrict">- name: "Fail if user is not root" | |
| fail: | |
| msg: 'Root account required to read root $PATH' | |
| when: ansible_user != "root" | |
| tags: | |
| - accounts_root_path_dirs_no_write | |
| - unknown_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - medium_disruption | |
| - NIST-800-53-CM-6(b) | |
| - name: "Get root paths which are not symbolic links" | |
| shell: 'tr ":" "\n" <<< "$PATH" | xargs -I% find % -maxdepth 0 -type d' | |
| changed_when: False | |
| failed_when: False | |
| register: root_paths | |
| when: ansible_user == "root" | |
| check_mode: no | |
| tags: | |
| - accounts_root_path_dirs_no_write | |
| - unknown_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - medium_disruption | |
| - NIST-800-53-CM-6(b) | |
| - name: "Disable writability to root directories" | |
| file: | |
| path: "{{item}}" | |
| mode: "g-w,o-w" | |
| with_items: "{{ root_paths.stdout_lines }}" | |
| when: root_paths.stdout_lines is defined | |
| tags: | |
| - accounts_root_path_dirs_no_write | |
| - unknown_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - medium_disruption | |
| - NIST-800-53-CM-6(b) | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-accounts_root_path_dirs_no_write:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_root_path_dirs_no_write_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_root_path_no_dot" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure that Root's Path Does Not Include Relative Paths or Null Directories</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure that none of the directories in root's path is equal to a single | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">.</html:code> character, and | |
| that the path contains no element that leads to relative path traversal, such as | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">..</html:code> or a path that does not begin with the slash (<html:code xmlns:html="http://www.w3.org/1999/xhtml">/</html:code>) character. | |
| Also ensure that there are no "empty" elements in the path, such as in these examples: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">PATH=:/bin | |
| PATH=/bin: | |
| PATH=/bin::/sbin</html:pre> | |
| These empty elements have the same effect as a single <html:code xmlns:html="http://www.w3.org/1999/xhtml">.</html:code> character.</description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Including these entries increases the risk that root could | |
| execute code from an untrusted location.</rationale> | |
| </Rule> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_user_umask"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure that Users Have Sensible Umask Values</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The umask setting controls the default permissions | |
| for the creation of new files. | |
| With a default <html:code xmlns:html="http://www.w3.org/1999/xhtml">umask</html:code> setting of 077, files and directories | |
| created by users will not be readable by any other user on the | |
| system. Users who wish to make specific files group- or | |
| world-readable can accomplish this by using the chmod command. | |
| Additionally, users can make all their files readable to their | |
| group by default by setting a <html:code xmlns:html="http://www.w3.org/1999/xhtml">umask</html:code> of 027 in their shell | |
| configuration files. If default per-user groups exist (that is, if | |
| every user has a default group whose name is the same as that | |
| user's username and whose only member is the user), then it may | |
| even be safe for users to select a <html:code xmlns:html="http://www.w3.org/1999/xhtml">umask</html:code> of 007, making it very | |
| easy to intentionally share files with groups of which the user is | |
| a member. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/></description> | |
| <Value id="xccdf_org.ssgproject.content_value_var_accounts_user_umask" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Sensible umask</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enter default user umask</description> | |
| <value selector="007">007</value> | |
| <value selector="022">022</value> | |
| <value selector="027">027</value> | |
| <value selector="077">077</value> | |
| <value>027</value> | |
| </Value> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure the Default Umask is Set Correctly in /etc/profile</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To ensure the default umask controlled by <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/profile</html:code> is set properly, | |
| add or correct the <html:code xmlns:html="http://www.w3.org/1999/xhtml">umask</html:code> setting in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/profile</html:code> to read as follows: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">umask <sub idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" use="legacy"/></html:pre></description> | |
| <reference href="">5.4.4</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The umask value influences the permissions assigned to files when they are created. | |
| A misconfigured umask value could result in files with excessive permissions that can be read or | |
| written to by unauthorized users.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_umask_etc_profile_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure the Default Umask is Set Correctly in login.defs</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To ensure the default umask controlled by <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/login.defs</html:code> is set properly, | |
| add or correct the <html:code xmlns:html="http://www.w3.org/1999/xhtml">UMASK</html:code> setting in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/login.defs</html:code> to read as follows: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">UMASK <sub idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" use="legacy"/></html:pre></description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00228</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The umask value influences the permissions assigned to files when they are created. | |
| A misconfigured umask value could result in files with excessive permissions that can be read and | |
| written to by unauthorized users.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="accounts_umask_etc_login_defs" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: XCCDF Value var_accounts_user_umask # promote to variable | |
| set_fact: | |
| var_accounts_user_umask: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure the Default UMASK is Set Correctly | |
| lineinfile: | |
| create: yes | |
| dest: /etc/login.defs | |
| regexp: ^UMASK | |
| line: "UMASK {{ var_accounts_user_umask }}" | |
| tags: | |
| - accounts_umask_etc_login_defs | |
| - unknown_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-CM-6(b) | |
| - NIST-800-53-SA-8 | |
| </fix> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_umask_etc_login_defs_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| <Rule id="xccdf_org.ssgproject.content_rule_file_permissions_home_dirs" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure that User Home Directories are not Group-Writable or World-Readable</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">For each human user of the system, view the | |
| permissions of the user's home directory: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml"># ls -ld /home/<html:i>USER</html:i></html:pre> | |
| Ensure that the directory is not group-writable and that it | |
| is not world-readable. If necessary, repair the permissions: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml"># chmod g-w /home/<html:i>USER</html:i> | |
| # chmod o-rwx /home/<html:i>USER</html:i></html:pre></description> | |
| <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="functionality">This action may involve modifying user home directories. | |
| Notify your user community, and solicit input if appropriate, | |
| before making this type of change.</warning> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000225</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(7)</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">User home directories contain many configuration files which | |
| affect the behavior of a user's account. No user should ever have | |
| write permission to another user's home directory. Group shared | |
| directories can be configured in sub-directories or elsewhere in the | |
| filesystem if they are needed. Typically, user home directories | |
| should not be world-readable, as it would disclose file names | |
| to other users. If a subset of users need read access | |
| to one another's home directories, this can be provided using | |
| groups or ACLs.</rationale> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-content-ref name="oval:ssg-file_permissions_home_dirs:def:1" href="ssg-fedora-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-file_permissions_home_dirs_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions" selected="false" severity="low"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Limit the Number of Concurrent Login Sessions Allowed Per User</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Limiting the number of allowed users and sessions per user can limit risks related to Denial of | |
| Service attacks. This addresses concurrent sessions for a single account and does not address | |
| concurrent sessions by a single user via multiple accounts. To set the number of concurrent | |
| sessions per user add the following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/security/limits.conf</html:code>: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">* hard maxlogins <sub idref="xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions" use="legacy"/></html:pre></description> | |
| <reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</reference> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000054</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-10</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000027-GPOS-00008</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Limiting simultaneous user logins can insulate the system from denial of service | |
| problems caused by excessive logins. Automated login processes operating improperly or | |
| maliciously may result in an exceptional number of simultaneous login sessions.</rationale> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="accounts_max_concurrent_login_sessions" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="restrict">- name: XCCDF Value var_accounts_max_concurrent_login_sessions # promote to variable | |
| set_fact: | |
| var_accounts_max_concurrent_login_sessions: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions" use="legacy"/> | |
| tags: | |
| - always | |
| - name: "Limit the Number of Concurrent Login Sessions Allowed Per User" | |
| lineinfile: | |
| state: present | |
| dest: /etc/security/limits.conf | |
| insertbefore: "^# End of file" | |
| regexp: "^#?\\*.*maxlogins" | |
| line: "* hard maxlogins {{ var_accounts_max_concurrent_login_sessions }}" | |
| tags: | |
| - accounts_max_concurrent_login_sessions | |
| - low_severity | |
| - restrict_strategy | |
| - low_complexity | |
| - low_disruption | |
| - NIST-800-53-AC-10 | |
| - CJIS-5.5.2.2 | |
| </fix> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_max_concurrent_login_sessions_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay" selected="false" severity="unknown"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure the Logon Failure Delay is Set Correctly in login.defs</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To ensure the logon failure delay controlled by <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/login.defs</html:code> is set properly, | |
| add or correct the <html:code xmlns:html="http://www.w3.org/1999/xhtml">FAIL_DELAY</html:code> setting in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/login.defs</html:code> to read as follows: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" xmlns="http://checklists.nist.gov/xccdf/1.2">FAIL_DELAY <sub idref="xccdf_org.ssgproject.content_value_var_accounts_fail_delay" use="legacy"/></html:pre></description> | |
| <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</reference> | |
| <reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00226</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Increasing the time between a failed authentication attempt and re-prompting to | |
| enter credentials helps to slow a single-threaded brute force attack.</rationale> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-accounts_logon_fail_delay_ocil:questionnaire:1" href="ssg-fedora-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_selinux"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SELinux</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SELinux is a feature of the Linux kernel which can be | |
| used to guard against misconfigured or compromised programs. | |
| SELinux enforces the idea that programs should be limited in what | |
| files they can access and what actions they can take. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The default SELinux policy, as configured on Fedora, has been | |
| sufficiently developed and debugged that it should be usable on | |
| almost any Red Hat system with minimal configuration and a small | |
| amount of system administrator training. This policy prevents | |
| system services - including most of the common network-visible | |
| services such as mail servers, FTP servers, and DNS servers - from | |
| accessing files which those services have no valid reason to | |
| access. This action alone prevents a huge amount of possible damage | |
| from network attacks against services, from trojaned software, and | |
| so forth. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| This guide recommends that SELinux be enabled using the | |
| default (targeted) policy on every Red Hat system, unless that | |
| system has unusual requirements which make a stronger policy | |
| appropriate.</description> | |
| <Value id="xccdf_org.ssgproject.content_value_var_selinux_policy_name" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SELinux policy</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Type of policy in use. Possible values are: | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>targeted - Only targeted network daemons are protected. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>strict - Full SELinux protection. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>mls - Multiple levels of security.</description> | |
| <value>targeted</value> | |
| <value selector="mls">mls</value> | |
| <value selector="targeted">targeted</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_selinux_state" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SELinux state</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">enforcing - SELinux security policy is enforced. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>permissive - SELinux prints warnings instead of enforcing. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>disabled - SELinux is fully disabled.</description> | |
| <value>enforcing</value> | |
| <value selector="disabled">disabled</value> | |
| <value selector="enforcing">enforcing</value> | |
| <value selector="permissive">permissive</value> | |
| </Value> | |
| <Group id="xccdf_org.ssgproject.content_group_selinux-booleans"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SELinux - Booleans</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable or Disable runtime customization of SELinux system policies | |
| without having to reload or recompile the SELinux policy.</description> | |
| <Value id="xccdf_org.ssgproject.content_value_var_boinc_execmem" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">boinc_execmem SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
<value>true</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_samba_load_libgfapi" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">samba_load_libgfapi SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_lsmd_plugin_connect_any" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">lsmd_plugin_connect_any SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_deny_execmem" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">deny_execmem SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_xdm_exec_bootloader" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xdm_exec_bootloader SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_abrt_anon_write" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">abrt_anon_write SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_docker_transition_unconfined" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">docker_transition_unconfined SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>true</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_ftp_home_dir" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ftp_home_dir SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_sftpd_anon_write" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">sftpd_anon_write SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_use_nfs_home_dirs" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">use_nfs_home_dirs SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_ftpd_use_nfs" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ftpd_use_nfs SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_cron_userdomain_transition" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">cron_userdomain_transition SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>true</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_rsync_export_all_ro" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">rsync_export_all_ro SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_guest_exec_content" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">guest_exec_content SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>true</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_tor_can_network_relay" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">tor_can_network_relay SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_httpd_mod_auth_pam" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_mod_auth_pam SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_zarafa_setrlimit" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">zarafa_setrlimit SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_domain_kernel_load_modules" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">domain_kernel_load_modules SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_use_ssh_chroot" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">selinuxuser_use_ssh_chroot SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_zoneminder_run_sudo" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">zoneminder_run_sudo SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_httpd_can_network_memcache" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_can_network_memcache SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_icecast_use_any_tcp_ports" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">icecast_use_any_tcp_ports SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_exim_read_user_files" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">exim_read_user_files SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_authlogin_radius" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">authlogin_radius SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_cron_system_cronjob_use_shares" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">cron_system_cronjob_use_shares SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_httpd_can_network_connect" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_can_network_connect SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_pcp_bind_all_unreserved_ports" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">pcp_bind_all_unreserved_ports SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_login_console_enabled" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">login_console_enabled SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>true</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_use_fusefs_home_dirs" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">use_fusefs_home_dirs SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_httpd_unified" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_unified SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_xguest_use_bluetooth" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xguest_use_bluetooth SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>true</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_tftp_home_dir" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">tftp_home_dir SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_httpd_ssi_exec" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_ssi_exec SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_telepathy_connect_all_ports" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">telepathy_connect_all_ports SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_exim_manage_user_files" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">exim_manage_user_files SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_virt_transition_userdomain" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_transition_userdomain SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_mozilla_plugin_use_spice" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mozilla_plugin_use_spice SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_gpg_web_anon_write" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">gpg_web_anon_write SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_daemons_use_tty" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">daemons_use_tty SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_haproxy_connect_any" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">haproxy_connect_any SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_virt_sandbox_use_audit" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_sandbox_use_audit SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>true</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_glance_use_fusefs" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">glance_use_fusefs SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_prosody_bind_http_port" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">prosody_bind_http_port SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_postgresql_can_rsync" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">postgresql_can_rsync SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_postgresql_selinux_transmit_client_label" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">postgresql_selinux_transmit_client_label SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_git_session_users" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">git_session_users SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_mcelog_foreground" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mcelog_foreground SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_staff_use_svirt" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">staff_use_svirt SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_mozilla_read_content" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mozilla_read_content SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_samba_share_nfs" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">samba_share_nfs SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_condor_tcp_network_connect" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">condor_tcp_network_connect SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_sanlock_use_samba" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">sanlock_use_samba SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_virt_sandbox_use_nfs" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_sandbox_use_nfs SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_antivirus_can_scan_system" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">antivirus_can_scan_system SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_logwatch_can_network_connect_mail" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">logwatch_can_network_connect_mail SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_pppd_can_insmod" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">pppd_can_insmod SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_ksmtuned_use_cifs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ksmtuned_use_cifs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_git_cgi_use_cifs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">git_cgi_use_cifs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_xend_run_qemu" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xend_run_qemu SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_xserver_clients_write_xshm" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xserver_clients_write_xshm SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_use_gpg" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_use_gpg SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_logging_syslogd_run_nagios_plugins" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">logging_syslogd_run_nagios_plugins SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_logrotate_use_nfs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">logrotate_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_gluster_export_all_rw" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">gluster_export_all_rw SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_share_music" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">selinuxuser_share_music SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_postgresql_selinux_users_ddl" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">postgresql_selinux_users_ddl SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_ksmtuned_use_nfs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ksmtuned_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_polyinstantiation_enabled" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">polyinstantiation_enabled SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mysql_connect_any" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mysql_connect_any SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_domain_fd_use" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">domain_fd_use SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_dbus_avahi" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_dbus_avahi SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_sanlock_use_fusefs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">sanlock_use_fusefs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_virt_read_qemu_ga_data" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_read_qemu_ga_data SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mailman_use_fusefs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mailman_use_fusefs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mmap_low_allowed" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mmap_low_allowed SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_ftpd_use_fusefs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ftpd_use_fusefs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_kdumpgui_run_bootloader" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">kdumpgui_run_bootloader SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_smartmon_3ware" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">smartmon_3ware SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_can_connect_mythtv" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_can_connect_mythtv SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_nagios_run_sudo" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">nagios_run_sudo SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_logadm_exec_content" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">logadm_exec_content SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_setrlimit" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_setrlimit SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_mysql_connect_enabled" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">selinuxuser_mysql_connect_enabled SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mpd_use_nfs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mpd_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_xguest_exec_content" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xguest_exec_content SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_fenced_can_network_connect" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">fenced_can_network_connect SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_polipo_connect_all_unreserved" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">polipo_connect_all_unreserved SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_tmp_exec" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_tmp_exec SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_spamd_enable_home_dirs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">spamd_enable_home_dirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_samba_share_fusefs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">samba_share_fusefs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_antivirus_use_jit" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">antivirus_use_jit SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_dbadm_exec_content" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">dbadm_exec_content SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_dhcpc_exec_iptables" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">dhcpc_exec_iptables SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_authlogin_nsswitch_use_ldap" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">authlogin_nsswitch_use_ldap SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_run_preupgrade" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_run_preupgrade SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_dontaudit_search_dirs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_dontaudit_search_dirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_git_system_enable_homedirs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">git_system_enable_homedirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_saslauthd_read_shadow" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">saslauthd_read_shadow SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_irc_use_any_tcp_ports" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">irc_use_any_tcp_ports SELinux Boolean</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_minidlna_read_generic_user_content" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">minidlna_read_generic_user_content SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_logging_syslogd_can_sendmail" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">logging_syslogd_can_sendmail SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_samba_create_home_dirs" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">samba_create_home_dirs SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_zabbix_can_network" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">zabbix_can_network SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_polipo_session_users" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">polipo_session_users SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_nscd_use_shm" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">nscd_use_shm SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>true</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_execheap" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">selinuxuser_execheap SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_httpd_use_cifs" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_use_cifs SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_httpd_use_sasl" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_use_sasl SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_sftpd_enable_homedirs" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">sftpd_enable_homedirs SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_mozilla_plugin_can_network_connect" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mozilla_plugin_can_network_connect SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_rsync_anon_write" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">rsync_anon_write SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_cobbler_anon_write" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">cobbler_anon_write SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_xend_run_blktap" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xend_run_blktap SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>true</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_polipo_use_nfs" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">polipo_use_nfs SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_git_session_bind_all_unreserved_ports" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">git_session_bind_all_unreserved_ports SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_httpd_run_stickshift" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_run_stickshift SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_samba_enable_home_dirs" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">samba_enable_home_dirs SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_telepathy_tcp_connect_generic_network_ports" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">telepathy_tcp_connect_generic_network_ports SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>true</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_puppetagent_manage_all_files" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">puppetagent_manage_all_files SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_cluster_use_execmem" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">cluster_use_execmem SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_cdrecord_read_content" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">cdrecord_read_content SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_httpd_anon_write" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_anon_write SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_webadm_manage_user_files" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">webadm_manage_user_files SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_ftpd_use_passive_mode" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ftpd_use_passive_mode SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_webadm_read_user_files" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">webadm_read_user_files SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_virt_use_sanlock" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_use_sanlock SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_xguest_connect_network" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xguest_connect_network SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>true</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_mount_anyfile" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mount_anyfile SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>true</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_nfs_export_all_ro" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">nfs_export_all_ro SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>true</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_nagios_run_pnp4nagios" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">nagios_run_pnp4nagios SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_unprivuser_use_svirt" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">unprivuser_use_svirt SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_ssh_keysign" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ssh_keysign SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_nis_enabled" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">nis_enabled SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_ftpd_connect_db" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ftpd_connect_db SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_xdm_write_home" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xdm_write_home SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_httpd_can_network_relay" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_can_network_relay SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_zebra_write_config" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">zebra_write_config SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_httpd_use_fusefs" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_use_fusefs SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_udp_server" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">selinuxuser_udp_server SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_puppetmaster_use_db" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">puppetmaster_use_db SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_httpd_can_sendmail" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_can_sendmail SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_ftpd_anon_write" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ftpd_anon_write SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_polipo_session_bind_all_unreserved_ports" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">polipo_session_bind_all_unreserved_ports SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_postgresql_selinux_unconfined_dbadm" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">postgresql_selinux_unconfined_dbadm SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>true</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_ping" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">selinuxuser_ping SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>true</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_varnishd_connect_any" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">varnishd_connect_any SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>false</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_openvpn_enable_homedirs" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">openvpn_enable_homedirs SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>true</value>
<value selector="off">false</value>
<value selector="on">true</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_rw_noexattrfile" type="boolean">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">selinuxuser_rw_noexattrfile SELinux Boolean</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description>
<value>true</va