Update to RHEL 7 V1R2 STIG

This patch updates the STIG XML to version 1 release 2.

The new release no longer includes V-72181, so the relevant
tasks and variables have been removed.

Closes-Bug: 1718772
Change-Id: I441dbacdfa82e49c0c24f86e303706ae79c7d4dd
Major Hayden 2017-09-21 16:02:37 -05:00
parent 35dbb68c6d
commit ba98871f4b
No known key found for this signature in database
GPG Key ID: 737051E0C1011FB1
8 changed files with 94 additions and 201 deletions


@ -126,7 +126,6 @@ security_rhel7_audit_pam_timestamp_check: yes # V-72185
security_rhel7_audit_passwd: yes # V-72149
security_rhel7_audit_postdrop: yes # V-72175
security_rhel7_audit_postqueue: yes # V-72177
security_rhel7_audit_pt_chown: yes # V-72181
security_rhel7_audit_removexattr: no # V-72117
security_rhel7_audit_rename: yes # V-72199
security_rhel7_audit_renameat: yes # V-72201


@ -1,7 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?>
<Benchmark xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL_7_STIG" xml:lang="en" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd">
<status date="2017-03-08">accepted</status>
<status date="2017-07-08">accepted</status>
<title>Red Hat Enterprise Linux 7 Security Technical Implementation Guide</title>
<description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description>
<notice id="terms-of-use" xml:lang="en"/>
@ -9,7 +9,7 @@
<dc:publisher>DISA</dc:publisher>
<dc:source>STIG.DOD.MIL</dc:source>
</reference>
<plain-text id="release-info">Release: 1 Benchmark Date: 27 Feb 2017</plain-text>
<plain-text id="release-info">Release: 2 Benchmark Date: 28 Jul 2017</plain-text>
<version>1</version>
<Profile id="MAC-1_Classified">
<title>I - Mission Critical Classified</title>
@ -164,7 +164,6 @@
<select idref="V-72175" selected="true"/>
<select idref="V-72177" selected="true"/>
<select idref="V-72179" selected="true"/>
<select idref="V-72181" selected="true"/>
<select idref="V-72183" selected="true"/>
<select idref="V-72185" selected="true"/>
<select idref="V-72187" selected="true"/>
@ -403,7 +402,6 @@
<select idref="V-72175" selected="true"/>
<select idref="V-72177" selected="true"/>
<select idref="V-72179" selected="true"/>
<select idref="V-72181" selected="true"/>
<select idref="V-72183" selected="true"/>
<select idref="V-72185" selected="true"/>
<select idref="V-72187" selected="true"/>
@ -642,7 +640,6 @@
<select idref="V-72175" selected="true"/>
<select idref="V-72177" selected="true"/>
<select idref="V-72179" selected="true"/>
<select idref="V-72181" selected="true"/>
<select idref="V-72183" selected="true"/>
<select idref="V-72185" selected="true"/>
<select idref="V-72187" selected="true"/>
@ -881,7 +878,6 @@
<select idref="V-72175" selected="true"/>
<select idref="V-72177" selected="true"/>
<select idref="V-72179" selected="true"/>
<select idref="V-72181" selected="true"/>
<select idref="V-72183" selected="true"/>
<select idref="V-72185" selected="true"/>
<select idref="V-72187" selected="true"/>
@ -1120,7 +1116,6 @@
<select idref="V-72175" selected="true"/>
<select idref="V-72177" selected="true"/>
<select idref="V-72179" selected="true"/>
<select idref="V-72181" selected="true"/>
<select idref="V-72183" selected="true"/>
<select idref="V-72185" selected="true"/>
<select idref="V-72187" selected="true"/>
@ -1359,7 +1354,6 @@
<select idref="V-72175" selected="true"/>
<select idref="V-72177" selected="true"/>
<select idref="V-72179" selected="true"/>
<select idref="V-72181" selected="true"/>
<select idref="V-72183" selected="true"/>
<select idref="V-72185" selected="true"/>
<select idref="V-72187" selected="true"/>
@ -1598,7 +1592,6 @@
<select idref="V-72175" selected="true"/>
<select idref="V-72177" selected="true"/>
<select idref="V-72179" selected="true"/>
<select idref="V-72181" selected="true"/>
<select idref="V-72183" selected="true"/>
<select idref="V-72185" selected="true"/>
<select idref="V-72187" selected="true"/>
@ -1837,7 +1830,6 @@
<select idref="V-72175" selected="true"/>
<select idref="V-72177" selected="true"/>
<select idref="V-72179" selected="true"/>
<select idref="V-72181" selected="true"/>
<select idref="V-72183" selected="true"/>
<select idref="V-72185" selected="true"/>
<select idref="V-72187" selected="true"/>
@ -2076,7 +2068,6 @@
<select idref="V-72175" selected="true"/>
<select idref="V-72177" selected="true"/>
<select idref="V-72179" selected="true"/>
<select idref="V-72181" selected="true"/>
<select idref="V-72183" selected="true"/>
<select idref="V-72185" selected="true"/>
<select idref="V-72187" selected="true"/>
@ -2495,7 +2486,7 @@ If the text in the "/etc/issue" file does not match the Standard Mandatory DoD N
<Group id="V-71891">
<title>SRG-OS-000028-GPOS-00009</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-86515r2_rule" severity="medium" weight="10.0">
<Rule id="SV-86515r3_rule" severity="medium" weight="10.0">
<version>RHEL-07-010060</version>
<title>The operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.</title>
<description>&lt;VulnDiscussion&gt;A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
@ -2513,25 +2504,16 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011&lt;/VulnDiscussion
<dc:identifier>2777</dc:identifier>
</reference>
<ident system="http://iase.disa.mil/cci">CCI-000056</ident>
<fixtext fixref="F-78243r4_fix">Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures.
<fixtext fixref="F-78243r5_fix">Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures.
Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
# touch /etc/dconf/db/local.d/00-screensaver
Edit “org/gnome/desktop/session” and add or update the following lines:
# Set the lock time out to 900 seconds before the session is considered idle
idle-delay=uint32 900
Edit "org/gnome/desktop/screensaver" and add or update the following lines:
# Set this to true to lock the screen when the screensaver activates
lock-enabled=true
# Set the lock timeout to 180 seconds after the screensaver has been activated
lock-delay=uint32 180
You must include the "uint32" along with the integer key values as shown.
Override the user's setting and prevent the user from changing it by editing “/etc/dconf/db/local.d/locks/screensaver” and adding or updating the following lines:
@ -2545,7 +2527,7 @@ Update the system databases:
# dconf update
Users must log out and back in again before the system-wide settings take effect.</fixtext>
<fix id="F-78243r4_fix"/>
<fix id="F-78243r5_fix"/>
<check system="C-72123r1_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml"/>
<check-content>Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures. The screen program must be installed to lock sessions on the console.
@ -2564,7 +2546,7 @@ If the "lock-enabled" setting is missing or is not set to "true", this is a find
<Group id="V-71893">
<title>SRG-OS-000029-GPOS-00010</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-86517r2_rule" severity="medium" weight="10.0">
<Rule id="SV-86517r3_rule" severity="medium" weight="10.0">
<version>RHEL-07-010070</version>
<title>The operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.</title>
<description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
@ -2578,27 +2560,20 @@ The session lock is implemented at the point where session activity can be deter
<dc:identifier>2777</dc:identifier>
</reference>
<ident system="http://iase.disa.mil/cci">CCI-000057</ident>
<fixtext fixref="F-78245r3_fix">Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.
<fixtext fixref="F-78245r4_fix">Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.
Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
# touch /etc/dconf/db/local.d/00-screensaver
Edit “org/gnome/desktop/session” and add or update the following lines:
Edit "/org/gnome/desktop/session" and add or update the following lines:
# Set the lock time out to 900 seconds before the session is considered idle
idle-delay=uint32 900
Edit "org/gnome/desktop/screensaver" and add or update the following lines:
# Set this to true to lock the screen when the screensaver activates
lock-enabled=true
# Set the lock timeout to 180 seconds after the screensaver has been activated
lock-delay=uint32 180
You must include the "uint32" along with the integer key values as shown.
Override the user's setting and prevent the user from changing it by editing “/etc/dconf/db/local.d/locks/screensaver” and adding or updating the following lines:
Override the user's setting and prevent the user from changing it by editing "/etc/dconf/db/local.d/locks/screensaver" and adding or updating the following lines:
# Lock desktop screensaver settings
/org/gnome/desktop/session/idle-delay
@ -2610,7 +2585,7 @@ Update the system databases:
# dconf update
Users must log out and back in again before the system-wide settings take effect.</fixtext>
<fix id="F-78245r3_fix"/>
<fix id="F-78245r4_fix"/>
<check system="C-72125r1_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml"/>
<check-content>Verify the operating system initiates a screensaver after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console.
@ -2844,7 +2819,7 @@ If the value of "ucredit" is not set to a negative value, this is a finding.</ch
<Group id="V-71905">
<title>SRG-OS-000070-GPOS-00038</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-86529r2_rule" severity="medium" weight="10.0">
<Rule id="SV-86529r3_rule" severity="medium" weight="10.0">
<version>RHEL-07-010130</version>
<title>When passwords are changed or new passwords are established, the new password must contain at least one lower-case character.</title>
<description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
@ -2858,18 +2833,12 @@ Password complexity is one factor of several that determines how long it takes t
<dc:identifier>2777</dc:identifier>
</reference>
<ident system="http://iase.disa.mil/cci">CCI-000193</ident>
<fixtext fixref="F-78257r4_fix">Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made.
<fixtext fixref="F-78257r5_fix">Configure the operating system to require at least one lower-case character when passwords are changed or new passwords are established.
Modify the first three lines of the "auth" section of the "/etc/pam.d/system-auth-ac" and "/etc/pam.d/password-auth-ac" files to match the following lines:
Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
Note: RHEL 7.3 and later allows for a value of “never” for "unlock_time". This is an acceptable value but should be used with caution if availability is a concern.
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=604800
auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=604800
and run the "authconfig" command.</fixtext>
<fix id="F-78257r4_fix"/>
lcredit = -1</fixtext>
<fix id="F-78257r5_fix"/>
<check system="C-72137r5_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml"/>
<check-content>Note: The value to require a number of lower-case characters to be set is expressed as a negative number in "/etc/security/pwquality.conf".
@ -3848,7 +3817,7 @@ If the "HostbasedAuthentication" keyword is not set to "no", is missing, or is c
<Group id="V-71961">
<title>SRG-OS-000080-GPOS-00048</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-86585r1_rule" severity="high" weight="10.0">
<Rule id="SV-86585r2_rule" severity="high" weight="10.0">
<version>RHEL-07-010480</version>
<title>Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.</title>
<description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
@ -3882,11 +3851,11 @@ Generate a new "grub.conf" file with the new password with the following command
# grub2-mkconfig --output=/tmp/grub2.cfg
# mv /tmp/grub2.cfg /boot/grub2/grub.cfg</fixtext>
<fix id="F-78313r1_fix"/>
<check system="C-72193r1_chk">
<check system="C-72193r2_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml"/>
<check-content>Check to see if an encrypted root password is set. On systems that use a BIOS, use the following command:
# grep -i password /boot/grub2/grub.cfg
# grep -i ^password_pbkdf2 /boot/grub2/grub.cfg
password_pbkdf2 superusers-account password-hash
If the root password entry does not begin with "password_pbkdf2", this is a finding.</check-content>
@ -4341,7 +4310,7 @@ If there is no process to validate the metadata of packages that is approved by
<Group id="V-71983">
<title>SRG-OS-000114-GPOS-00059</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-86607r1_rule" severity="medium" weight="10.0">
<Rule id="SV-86607r2_rule" severity="medium" weight="10.0">
<version>RHEL-07-020100</version>
<title>USB mass storage must be disabled.</title>
<description>&lt;VulnDiscussion&gt;USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.
@ -4357,17 +4326,15 @@ Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPO
<ident system="http://iase.disa.mil/cci">CCI-000366</ident>
<ident system="http://iase.disa.mil/cci">CCI-000778</ident>
<ident system="http://iase.disa.mil/cci">CCI-001958</ident>
<fixtext fixref="F-78335r1_fix">Configure the operating system to disable the ability to use USB mass storage devices.
<fixtext fixref="F-78335r2_fix">Configure the operating system to disable the ability to use USB mass storage devices.
Create a file under "/etc/modprobe.d" with the following command:
# vi /etc/modprobe.d/blacklist.conf
#touch /etc/modprobe.d/nousbstorage
Add or update the line:
Add the following line to the created file:
install usb-storage /bin/true</fixtext>
<fix id="F-78335r1_fix"/>
<check system="C-72215r1_chk">
blacklist usb-storage</fixtext>
<fix id="F-78335r2_fix"/>
<check system="C-72215r2_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml"/>
<check-content>If there is an HBSS with a Device Control Module and a Data Loss Prevention mechanism, this requirement is not applicable.
@ -4375,11 +4342,10 @@ Verify the operating system disables the ability to use USB mass storage devices
Check to see if USB mass storage is disabled with the following command:
#grep -i usb-storage /etc/modprobe.d/*
# grep usb-storage /etc/modprobe.d/blacklist.conf
blacklist usb-storage
install usb-storage /bin/true
If the command does not return any output, and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content>
If the command does not return any output or the output is not "blacklist usb-storage", and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content>
</check>
</Rule>
</Group>
@ -4985,7 +4951,7 @@ If any home directories referenced in "/etc/passwd" are returned as not defined,
<Group id="V-72017">
<title>SRG-OS-000480-GPOS-00227</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-86641r1_rule" severity="medium" weight="10.0">
<Rule id="SV-86641r2_rule" severity="medium" weight="10.0">
<version>RHEL-07-020630</version>
<title>All local interactive user home directories must have mode 0750 or less permissive.</title>
<description>&lt;VulnDiscussion&gt;Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
@ -5003,7 +4969,7 @@ Note: The example will be for the user "smithj".
# chmod 0750 /home/smithj</fixtext>
<fix id="F-78369r1_fix"/>
<check system="C-72249r1_chk">
<check system="C-72249r2_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml"/>
<check-content>Verify the assigned home directory of all local interactive users has a mode of "0750" or less permissive.
@ -5011,7 +4977,7 @@ Check the home directory assignment for all non-privileged users on the system w
Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.
# ls -ld $ (egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)
# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)
-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj
If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.</check-content>
@ -5021,7 +4987,7 @@ If home directories referenced in "/etc/passwd" do not have a mode of "0750" or
<Group id="V-72019">
<title>SRG-OS-000480-GPOS-00227</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-86643r2_rule" severity="medium" weight="10.0">
<Rule id="SV-86643r3_rule" severity="medium" weight="10.0">
<version>RHEL-07-020640</version>
<title>All local interactive user home directories must be owned by their respective users.</title>
<description>&lt;VulnDiscussion&gt;If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
@ -5039,7 +5005,7 @@ Note: The example will be for the user smithj, who has a home directory of "/hom
# chown smithj /home/smithj</fixtext>
<fix id="F-78371r1_fix"/>
<check system="C-72251r3_chk">
<check system="C-72251r4_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml"/>
<check-content>Verify the assigned home directory of all local interactive users on the system exists.
@ -5047,7 +5013,7 @@ Check the home directory assignment for all local interactive non-privileged use
Note: This may miss interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information.
# ls -ld $ (egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)
# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)
-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj
If any home directories referenced in "/etc/passwd" are returned as not defined, this is a finding.</check-content>
@ -5057,7 +5023,7 @@ If any home directories referenced in "/etc/passwd" are returned as not defined,
<Group id="V-72021">
<title>SRG-OS-000480-GPOS-00227</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-86645r2_rule" severity="medium" weight="10.0">
<Rule id="SV-86645r3_rule" severity="medium" weight="10.0">
<version>RHEL-07-020650</version>
<title>All local interactive user home directories must be group-owned by the home directory owners primary group.</title>
<description>&lt;VulnDiscussion&gt;If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
@ -5075,7 +5041,7 @@ Note: The example will be for the user "smithj", who has a home directory of "/h
# chgrp users /home/smithj</fixtext>
<fix id="F-78373r1_fix"/>
<check system="C-72253r3_chk">
<check system="C-72253r4_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml"/>
<check-content>Verify the assigned home directory of all local interactive users is group-owned by that users primary GID.
@ -5083,7 +5049,7 @@ Check the home directory assignment for all non-privileged users on the system w
Note: This may miss local interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information.
# ls -ld $ (egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)
# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)
-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj
Check the user's primary group with the following command:
@ -5564,7 +5530,7 @@ If a file system found in "/etc/fstab" refers to NFS and it does not have the "n
<Group id="V-72047">
<title>SRG-OS-000480-GPOS-00227</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-86671r1_rule" severity="medium" weight="10.0">
<Rule id="SV-86671r2_rule" severity="medium" weight="10.0">
<version>RHEL-07-021030</version>
<title>All world-writable directories must be group-owned by root, sys, bin, or an application group.</title>
<description>&lt;VulnDiscussion&gt;If a world-writable directory has the sticky bit set and is not group-owned by a privileged Group Identifier (GID), unauthorized users may be able to modify files created by others.
@ -5582,7 +5548,7 @@ The only authorized public directories are those temporary directories supplied
# chgrp root &lt;directory&gt;</fixtext>
<fix id="F-78399r1_fix"/>
<check system="C-72279r1_chk">
<check system="C-72279r2_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml"/>
<check-content>Verify all world-writable directories are group-owned by root, sys, bin, or an application group.
@ -5590,7 +5556,7 @@ Check the system for world-writable directories with the following command:
Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.
# find / -perm -002 -xdev -type d -fstype xfs -exec ls -lLd {} \;
# find / -xdev -perm -002 -type d -fstype xfs -exec ls -lLd {} \;
drwxrwxrwt. 2 root root 40 Aug 26 13:07 /dev/mqueue
drwxrwxrwt. 2 root root 220 Aug 26 13:23 /dev/shm
drwxrwxrwt. 14 root root 4096 Aug 26 13:29 /tmp
@ -5689,7 +5655,7 @@ If the entry is in the "/etc/rsyslog.conf" file but is after the entry "*.*", th
<Group id="V-72053">
<title>SRG-OS-000480-GPOS-00227</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-86677r1_rule" severity="medium" weight="10.0">
<Rule id="SV-86677r2_rule" severity="medium" weight="10.0">
<version>RHEL-07-021110</version>
<title>If the cron.allow file exists it must be owned by root.</title>
<description>&lt;VulnDiscussion&gt;If the owner of the "cron.allow" file is not set to root, the possibility exists for an unauthorized user to view or to edit sensitive information.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
@ -5705,13 +5671,13 @@ If the entry is in the "/etc/rsyslog.conf" file but is after the entry "*.*", th
# chown root /etc/cron.allow</fixtext>
<fix id="F-78405r1_fix"/>
<check system="C-72285r1_chk">
<check system="C-72285r2_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml"/>
<check-content>Verify that the "cron.allow" file is owned by root.
Check the owner of the "cron.allow" file with the following command:
# l s -al /etc/cron.allow
# ls -al /etc/cron.allow
-rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow
If the "cron.allow" file exists and has an owner other than root, this is a finding.</check-content>
@ -5865,7 +5831,7 @@ If a separate entry for "/var" is not in use, this is a finding.</check-content>
<Group id="V-72063">
<title>SRG-OS-000480-GPOS-00227</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-86687r3_rule" severity="low" weight="10.0">
<Rule id="SV-86687r4_rule" severity="low" weight="10.0">
<version>RHEL-07-021330</version>
<title>The system must use a separate file system for the system audit data path.</title>
<description>&lt;VulnDiscussion&gt;The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
@ -5879,35 +5845,18 @@ If a separate entry for "/var" is not in use, this is a finding.</check-content>
<ident system="http://iase.disa.mil/cci">CCI-000366</ident>
<fixtext fixref="F-78415r1_fix">Migrate the system audit data path onto a separate file system.</fixtext>
<fix id="F-78415r1_fix"/>
<check system="C-72295r7_chk">
<check system="C-72295r8_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml"/>
<check-content>Verify the file integrity tool is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.
<check-content>Verify that a separate file system/partition has been created for the system audit data path.
Note: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2 approved cryptographic algorithms and hashes.
Check that a file system/partition has been created for the system audit data path with the following command:
Check to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command:
# grep /var/log/audit /etc/fstab
UUID=3645951a /var/log/audit ext4 defaults 1 2
# yum list installed aide
If a separate entry for /var/log/audit does not exist, ask the System Administrator (SA) if the system audit logs are being written to a different file system/partition on the system, then grep for that file system/partition.
If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.
If there is no application installed to perform file integrity checks, this is a finding.
Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory.
Use the following command to determine if the file is in another location:
# find / -name aide.conf
Check the "aide.conf" file to determine if the "sha512" rule has been added to the rule list being applied to the files and directories selection lists.
An example rule that includes the "sha512" rule follows:
All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
/bin All # apply the custom rule to the files in bin
/sbin All # apply the same custom rule to the files in sbin
If the "sha512" rule is not being used on all selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2 approved cryptographic hashes for validating file contents and directories, this is a finding.</check-content>
If a separate file system/partition does not exist for the system audit data path, this is a finding.</check-content>
</check>
</Rule>
</Group>
@ -6619,7 +6568,7 @@ If the value of the "action_mail_acct" keyword is not set to "root" and other ac
<Group id="V-72095">
<title>SRG-OS-000327-GPOS-00127</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-86719r2_rule" severity="medium" weight="10.0">
<Rule id="SV-86719r3_rule" severity="medium" weight="10.0">
<version>RHEL-07-030360</version>
<title>All privileged function executions must be audited.</title>
<description>&lt;VulnDiscussion&gt;Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
@ -6631,7 +6580,7 @@ If the value of the "action_mail_acct" keyword is not set to "root" and other ac
<dc:identifier>2777</dc:identifier>
</reference>
<ident system="http://iase.disa.mil/cci">CCI-002234</ident>
<fixtext fixref="F-78447r4_fix">Configure the operating system to audit the execution of privileged functions.
<fixtext fixref="F-78447r5_fix">Configure the operating system to audit the execution of privileged functions.
To find the relevant "setuid"/"setgid" programs, run the following command for each local partition [PART]:
@ -6639,8 +6588,8 @@ To find the relevant "setuid"/"setgid" programs, run the following command for e
For each "setuid"/"setgid" program on the system, which is not covered by an audit rule for a (sub) directory (such as "/usr/sbin"), add a line of the following form to "/etc/audit/audit.rules", where &lt;suid_prog_with_full_path&gt; is the full path to each "setuid"/"setgid" program in the list:
-a always,exit -F &lt;suid_prog_with_full_path&gt; -F perm=x -F auid&gt;=1000 -F auid!=4294967295 -k setuid/setgid</fixtext>
<fix id="F-78447r4_fix"/>
-a always,exit -F part=&lt;suid_prog_with_full_path&gt; -F perm=x -F auid&gt;=1000 -F auid!=4294967295 -k setuid/setgid</fixtext>
<fix id="F-78447r5_fix"/>
<check system="C-72327r4_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml"/>
<check-content>Verify the operating system audits the execution of privileged functions.
@ -8547,49 +8496,6 @@ Check for the following system call being audited by performing the following co
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid&gt;=1000 -F auid!=4294967295 -k privileged-ssh
If the command does not return any output, this is a finding.</check-content>
</check>
</Rule>
</Group>
<Group id="V-72181">
<title>SRG-OS-000042-GPOS-00020</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-86805r2_rule" severity="medium" weight="10.0">
<version>RHEL-07-030790</version>
<title>All uses of the pt_chown command must be audited.</title>
<description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
<reference>
<dc:title>DPMS Target Red Hat 7</dc:title>
<dc:publisher>DISA</dc:publisher>
<dc:type>DPMS Target</dc:type>
<dc:subject>Red Hat 7</dc:subject>
<dc:identifier>2777</dc:identifier>
</reference>
<ident system="http://iase.disa.mil/cci">CCI-000135</ident>
<ident system="http://iase.disa.mil/cci">CCI-000172</ident>
<ident system="http://iase.disa.mil/cci">CCI-002884</ident>
<fixtext fixref="F-78535r3_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pt_chown" command occur.
Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid&gt;=1000 -F auid!=4294967295 -k privileged_terminal
The audit daemon must be restarted for the changes to take effect.</fixtext>
<fix id="F-78535r3_fix"/>
<check system="C-72415r3_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml"/>
<check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pt_chown" command occur.
Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
# grep -i /usr/libexec/pt_chown /etc/audit/audit.rules
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid&gt;=1000 -F auid!=4294967295 -k privileged_terminal
If the command does not return any output, this is a finding.</check-content>
</check>
</Rule>
@ -9870,7 +9776,7 @@ If "ClientAliveInterval" is not set to "600" in "/etc/ ssh/sshd_config", and a l
<Group id="V-72239">
<title>SRG-OS-000480-GPOS-00227</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-86863r2_rule" severity="medium" weight="10.0">
<Rule id="SV-86863r3_rule" severity="medium" weight="10.0">
<version>RHEL-07-040330</version>
<title>The SSH daemon must not allow authentication using RSA rhosts authentication.</title>
<description>&lt;VulnDiscussion&gt;Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
@ -9882,25 +9788,24 @@ If "ClientAliveInterval" is not set to "600" in "/etc/ ssh/sshd_config", and a l
<dc:identifier>2777</dc:identifier>
</reference>
<ident system="http://iase.disa.mil/cci">CCI-000366</ident>
<fixtext fixref="F-78593r3_fix">Configure the SSH daemon to not allow authentication using RSA rhosts authentication.
<fixtext fixref="F-78593r4_fix">Configure the SSH daemon to not allow authentication using RSA rhosts authentication.
Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":
Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no":
RhostsRSAAuthentication yes
RhostsRSAAuthentication no
The SSH service must be restarted for changes to take effect.</fixtext>
<fix id="F-78593r3_fix"/>
<check system="C-72473r3_chk">
<fix id="F-78593r4_fix"/>
<check system="C-72473r4_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml"/>
<check-content>Verify the SSH daemon does not allow authentication using RSA rhosts authentication.
To determine how the SSH daemon's "RhostsRSAAuthentication" option is set, run the following command:
# grep RhostsRSAAuthentication /etc/ssh/sshd_config
RhostsRSAAuthentication no
RhostsRSAAuthentication yes
If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.</check-content>
If the value is returned as "yes", the returned line is commented out, or no output is returned, this is a finding.</check-content>
</check>
</Rule>
</Group>
@ -10494,7 +10399,7 @@ If a crontab file does not exist in the "/etc/cron.daily" that executes the "ntp
<Group id="V-72271">
<title>SRG-OS-000420-GPOS-00186</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-86895r1_rule" severity="medium" weight="10.0">
<Rule id="SV-86895r2_rule" severity="medium" weight="10.0">
<version>RHEL-07-040510</version>
<title>The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces.</title>
<description>&lt;VulnDiscussion&gt;DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
@ -10508,12 +10413,16 @@ This requirement addresses the configuration of the operating system to mitigate
<dc:identifier>2777</dc:identifier>
</reference>
<ident system="http://iase.disa.mil/cci">CCI-002385</ident>
<fixtext fixref="F-78625r1_fix">Create a direct firewall rule to protect against DoS attacks with the following command:
<fixtext fixref="F-78625r2_fix">Create a direct firewall rule to protect against DoS attacks with the following command:
Note: The command is to add a rule to the public zone.
# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT</fixtext>
<fix id="F-78625r1_fix"/>
# firewall-cmd --direct --permanent --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
The firewalld service will need to be restarted for this to take effect:
# systemctl restart firewalld</fixtext>
<fix id="F-78625r2_fix"/>
<check system="C-72505r1_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml"/>
<check-content>Verify the operating system protects against or limits the effects of DoS attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
@ -10591,7 +10500,7 @@ If "firewalld" does not show a state of "running", this is a finding.</check-con
<Group id="V-72275">
<title>SRG-OS-000480-GPOS-00227</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-86899r1_rule" severity="low" weight="10.0">
<Rule id="SV-86899r2_rule" severity="low" weight="10.0">
<version>RHEL-07-040530</version>
<title>The system must display the date and time of the last successful account logon upon logon.</title>
<description>&lt;VulnDiscussion&gt;Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
@ -10609,17 +10518,21 @@ Add the following line to the top of "/etc/pam.d/postlogin-ac":
session required pam_lastlog.so showfailed</fixtext>
<fix id="F-78629r1_fix"/>
<check system="C-72509r1_chk">
<check system="C-72509r2_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml"/>
<check-content>Verify users are provided with feedback on when account accesses last occurred.
Check that "pam_lastlog" is used and not silent with the following command:
# grep pam_lastlog /etc/pam.d/postlogin-ac
session required pam_lastlog.so showfailed
session required pam_lastlog.so showfailed silent
If the "silent" option is present with "pam_lastlog" check the sshd configuration file.
If "pam_lastlog" is missing from "/etc/pam.d/postlogin-ac" file, or the silent option is present on the line check for the "PrintLastLog" keyword in the sshd daemon configuration file, this is a finding.</check-content>
# grep -i printlastlog /etc/ssh/sshd_config
PrintLastLog yes
If "pam_lastlog" is missing from "/etc/pam.d/postlogin-ac" file, or the silent option is present and PrintLastLog is missing from or set to "no" in the "/etc/ssh/sshd_config" file this is a finding.</check-content>
</check>
</Rule>
</Group>
@ -11968,7 +11881,7 @@ If the command does not return a line, or the line is commented out, this is a f
<Group id="V-73173">
<title>SRG-OS-000004-GPOS-00004</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-87825r2_rule" severity="medium" weight="10.0">
<Rule id="SV-87825r3_rule" severity="medium" weight="10.0">
<version>RHEL-07-030874</version>
<title>The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.</title>
<description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
@ -11985,23 +11898,23 @@ Audit records can be generated from various components within the information sy
<ident system="http://iase.disa.mil/cci">CCI-000172</ident>
<ident system="http://iase.disa.mil/cci">CCI-001403</ident>
<ident system="http://iase.disa.mil/cci">CCI-002130</ident>
<fixtext fixref="F-79619r4_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
<fixtext fixref="F-79619r5_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
Add or update the following file system rule in "/etc/audit/rules.d/audit.rules":
-w /etc/opasswd -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
The audit daemon must be restarted for the changes to take effect.</fixtext>
<fix id="F-79619r4_fix"/>
<check system="C-73297r2_chk">
<fix id="F-79619r5_fix"/>
<check system="C-73297r3_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml"/>
<check-content>Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
Check the auditing rules in "/etc/audit/rules.d/audit.rules" with the following command:
# grep /etc/opasswd /etc/audit/rules.d/audit.rules
# grep /etc/security/opasswd /etc/audit/rules.d/audit.rules
-w /etc/opasswd -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
If the command does not return a line, or the line is commented out, this is a finding.</check-content>
</check>


@ -1,19 +0,0 @@
---
id: V-72181
status: implemented
tag: auditd
---
The tasks add a rule to auditd that logs each time the ``pt_chown`` command
is used.
Deployers can opt-out of this change by setting an Ansible variable:
.. code-block:: yaml
security_rhel7_audit_pt_chown: no
.. note::
No action is taken on Ubuntu 16.04, openSUSE Leap and SUSE Linux Enterprise
because ``pt_chown`` is not available.


@ -17,7 +17,7 @@ import os
import xmltodict
SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
xml_file = 'U_Red_Hat_Enterprise_Linux_7_STIG_V1R1_Manual-xccdf.xml'
xml_file = 'U_Red_Hat_Enterprise_Linux_7_STIG_V1R2_Manual-xccdf.xml'
with open('{}/{}'.format(SCRIPT_DIR, xml_file), 'r') as f:
xmldict = xmltodict.parse(f.read())


@ -28,7 +28,7 @@ import yaml
SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
METADATA_DIR = "{0}/../../metadata".format(SCRIPT_DIR)
DOC_SOURCE_DIR = "{0}/..".format(SCRIPT_DIR)
XCCDF_FILE = 'U_Red_Hat_Enterprise_Linux_7_STIG_V1R1_Manual-xccdf.xml'
XCCDF_FILE = 'U_Red_Hat_Enterprise_Linux_7_STIG_V1R2_Manual-xccdf.xml'
XCCDF_NAMESPACE = {'x': 'http://checklists.nist.gov/xccdf/1.1'}


@ -0,0 +1,6 @@
---
upgrade:
- |
The tasks for V-72181, which include adding audit rules for the
``pt_chown`` command, have been removed. They are not required in the RHEL
7 STIG V1R2 release.


@ -127,7 +127,6 @@
- V-72149
- V-72175
- V-72177
- V-72181
- V-72117
- V-72199
- V-72201


@ -145,11 +145,6 @@ audited_commands:
path: /usr/sbin
stig_id: V-72177
arch_specific: no
- command: pt_chown
path: /usr/libexec
stig_id: V-72181
arch_specific: no
distro: redhat
- command: removexattr
stig_id: V-72117
arch_specific: yes