From c0cd993c6918369afba2456b20126baf523cbf09 Mon Sep 17 00:00:00 2001 
From: willtome Date: Mon, 11 Dec 2023 15:27:14 -0500 Subject: [PATCH] Random Bug fixes (#103) Co-authored-by: youtous --- .github/workflows/ansible-lint.yml | 17 - .github/workflows/linter.yml.old | 50 -- .github/workflows/pre-commit.yml | 17 + .pre-commit-config.yaml | 2 +- CONTRIBUTING.md | 19 +- README.md | 4 +- ansible.cfg | 4 +- cloud/README.md | 2 +- .../aws/templates/aws_windows_userdata.j2 | 2 +- .../roles/iosxeSTIG/defaults/main.yml | 4 +- ...S-XE_Router_NDM_STIG_V2R1_Manual-xccdf.xml | 198 ++++---- ...S-XE_Router_RTR_STIG_V2R1_Manual-xccdf.xml | 338 +++++++------- .../U_RHEL_7_STIG_V3R10_Manual-xccdf.xml | 426 +++++++++--------- .../files/U_RHEL_8_STIG_V1R9_Manual-xccdf.xml | 382 ++++++++-------- ...ows_Server_2022_STIG_V1R1_Manual-xccdf.xml | 242 +++++----- .../patching/plugins/modules/scan_packages.py | 50 +- .../patching/plugins/modules/scan_services.py | 169 ++++--- .../plugins/modules/win_scan_packages.ps1 | 2 +- .../plugins/modules/win_scan_packages.py | 47 +- .../plugins/modules/win_scan_services.ps1 | 2 +- .../plugins/modules/win_scan_services.py | 45 +- .../roles/build_report_network/README.md | 4 +- .../roles/build_report_network/vars/main.yml | 6 +- .../roles/build_report_windows/README.md | 4 +- .../build_report_windows/defaults/main.yml | 2 +- .../build_report_windows/files/css/new.css | 52 +-- .../build_report_windows/templates/header.j2 | 4 +- .../templates/packages.j2 | 2 +- .../build_report_windows/templates/report.j2 | 2 +- .../templates/services.j2 | 2 +- .../roles/build_report_windows/vars/main.yml | 2 +- .../build_report_windows_patch/README.md | 4 +- .../defaults/main.yml | 6 +- .../files/css/main.css | 42 +- .../templates/report.j2 | 2 +- .../build_report_windows_patch/vars/main.yml | 2 +- .../roles/patch_linux/defaults/main.yml | 4 +- .../roles/patch_windows/defaults/main.yml | 4 +- .../patching/roles/report_linux/README.md | 4 +- .../roles/report_linux/defaults/main.yml | 2 +- .../roles/report_linux/files/css/new.css | 52 +-- 
.../roles/report_linux/templates/header.j2 | 4 +- .../roles/report_linux/templates/packages.j2 | 2 +- .../roles/report_linux/templates/report.j2 | 2 +- .../roles/report_linux/templates/services.j2 | 2 +- .../patching/roles/report_linux/vars/main.yml | 2 +- .../roles/report_linux_patching/README.md | 4 +- .../report_linux_patching/defaults/main.yml | 6 +- .../report_linux_patching/files/css/main.css | 42 +- .../report_linux_patching/templates/report.j2 | 2 +- .../roles/report_linux_patching/vars/main.yml | 2 +- .../roles/report_server/files/css/new.css | 50 +- .../roles/report_server/templates/header.j2 | 4 +- .../report_server/templates/linux_report.j2 | 4 +- .../report_server/templates/windows_report.j2 | 4 +- .../roles/report_server/vars/Linux.yml | 4 +- .../roles/report_server/vars/Win32NT.yml | 4 +- .../patching/roles/report_windows/README.md | 4 +- .../roles/report_windows/defaults/main.yml | 2 +- .../roles/report_windows/files/css/new.css | 52 +-- .../roles/report_windows/templates/header.j2 | 4 +- .../report_windows/templates/packages.j2 | 2 +- .../roles/report_windows/templates/report.j2 | 2 +- .../report_windows/templates/services.j2 | 2 +- .../roles/report_windows/vars/main.yml | 2 +- .../roles/report_windows_patching/README.md | 4 +- .../report_windows_patching/defaults/main.yml | 6 +- .../files/css/main.css | 42 +- .../templates/report.j2 | 2 +- .../report_windows_patching/vars/main.yml | 2 +- .../roles/register_host/defaults/main.yml | 8 +- .../roles/register_host/vars/RedHat7.yml | 2 +- .../roles/register_host/vars/RedHat8.yml | 2 +- .../roles/scap_client/defaults/main.yaml | 24 +- .../templates/openscap_client_config.yaml.j2 | 2 +- linux/compliance_profiles.md | 1 - openshift/README.md | 2 +- openshift/gitlab.yml | 26 +- openshift/setup.yml | 1 - windows/backup.yml | 4 +- windows/create_ad_domain.yml | 19 +- 81 files changed, 1302 insertions(+), 1277 deletions(-) delete mode 100644 .github/workflows/ansible-lint.yml delete mode 100644 
.github/workflows/linter.yml.old create mode 100644 .github/workflows/pre-commit.yml diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml deleted file mode 100644 index 749efa904..000000000 --- a/.github/workflows/ansible-lint.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -name: Ansible Lint -on: - - push - - pull_request_target - -env: - ANSIBLE_GALAXY_SERVER_AH_TOKEN: ${{ secrets.ANSIBLE_GALAXY_SERVER_AH_TOKEN }} - -jobs: - build: - name: Ansible Lint - runs-on: ubuntu-latest - steps: - # this action implicitly calls actions/checkout - - name: Run ansible-lint - uses: ansible/ansible-lint@v6.18.0 diff --git a/.github/workflows/linter.yml.old b/.github/workflows/linter.yml.old deleted file mode 100644 index 7b24f2cfa..000000000 --- a/.github/workflows/linter.yml.old +++ /dev/null @@ -1,50 +0,0 @@ ---- -########################### -########################### -## Linter GitHub Actions ## -########################### -########################### -name: Lint Code Base - -# -# Documentation: -# https://help.github.com/en/articles/workflow-syntax-for-github-actions -# - -############################# -# Start the job on all push # -############################# -on: [push, pull_request] - -############### -# Set the Job # -############### -jobs: - build: - # Name the Job - name: Lint Code Base - # Set the agent to run on - runs-on: ubuntu-latest - - ################## - # Load all steps # - ################## - steps: - ########################## - # Checkout the code base # - ########################## - - name: Checkout Code - uses: actions/checkout@v2 - with: - # Full git history is needed to get a proper list of changed files within `super-linter` - fetch-depth: 0 - - ################################ - # Run Linter against code base # - ################################ - - name: Lint Code Base - uses: github/super-linter@v4 - env: - VALIDATE_ALL_CODEBASE: false - DEFAULT_BRANCH: main - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
new file mode 100644
index 000000000..4f4206469
--- /dev/null
+++ b/.github/workflows/pre-commit.yml
@@ -0,0 +1,17 @@
+---
+name: pre-commit
+on:
+  - push
+  - pull_request_target
+
+env:
+  ANSIBLE_GALAXY_SERVER_AH_TOKEN: ${{ secrets.ANSIBLE_GALAXY_SERVER_AH_TOKEN }}
+
+jobs:
+  pre-commit:
+    name: pre-commit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v3
+      - uses: pre-commit/action@v3.0.0
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index d6f431d67..1f0b27b84 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -7,7 +7,7 @@ repos:
       - id: trailing-whitespace
   - repo: https://github.com/ansible/ansible-lint.git
     # get latest release tag from https://github.com/ansible/ansible-lint/releases/
-    rev: v6.18.0
+    rev: v6.20.3
     hooks:
       - id: ansible-lint
         additional_dependencies:
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 3a54deec7..adcbbabf9 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
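Review bot: The new workflow triggers on `pull_request_target` but runs `actions/checkout@v3` at its default ref, which for that event is the base branch, so on pull requests the hooks lint the tree that is already merged rather than the PR's changes; if PRs are meant to be linted, `  - pull_request` is the trigger that does that, and it also keeps repository secrets out of fork-originated runs. If `pull_request_target` is kept so that `ANSIBLE_GALAXY_SERVER_AH_TOKEN` is available, the job must never check out the PR head, because the secret is exported at workflow level and would then be reachable from hook configuration the fork controls; a comment above `env:` stating that constraint (`# pull_request_target: never check out the PR head here, the token below is in scope`) would protect the next editor. Separately, `actions/setup-python@v3` has no `python-version`, so the interpreter depends on the runner image; pinning one (for example `python-version: "3.11"`, quoted so it is not parsed as a float) makes the lint reproducible, and `pre-commit/action@v3.0.0` could be pinned to a commit SHA for the same reason.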
@@ -54,6 +54,21 @@ This document aims to outline the requirements for the various forms of contribu 3) Include a README.md in the subdirectory ## Testing -To run `ansible-lint` you will need to set an environment variable for the token to connect to Automation Hub. You can get a token from [here](https://console.redhat.com/ansible/automation-hub/token). -Copy the value of the token and run `export ANSIBLE_GALAXY_SERVER_AH_TOKEN=` +We utilize pre-commit to handle Git hooks, initiating a pre-commit check with each commit, both locally and on CI. + +To install pre-commit, use the following commands: +```bash +pip install pre-commit +pre-commit install +``` + +For further details, refer to the [pre-commit installation documentation](https://pre-commit.com/#installation). + +To execute ansible-lint (whether within pre-commit or independently), you must configure an environment variable for the token required to connect to Automation Hub. Obtain the token [here](https://console.redhat.com/ansible/automation-hub/token). + +Copy the token value and execute the following command: + +```bash +export ANSIBLE_GALAXY_SERVER_AH_TOKEN= +``` diff --git a/README.md b/README.md index 376c9827a..3af4accac 100644 --- a/README.md +++ b/README.md 
@@ -24,7 +24,7 @@ This project is tested for compatibility with the [demo.redhat.com Product Demos > NOTE: demo.redhat.com is available to Red Hat Associates and Partners with a valid account. 1. First you must create a credential for [Automation Hub](https://console.redhat.com/ansible/automation-hub/) to successfully sync collections used by this project. - + 1. In the Credentials section of the Controller UI, add a new Credential called `Automation Hub` with the type `Ansible Galaxy/Automation Hub API Token` 2. You can obtain a token [here](https://console.redhat.com/ansible/automation-hub/token). This page will also provide the Server URL and Auth Server URL. 3. Next, click on Organizations and edit the `Default` organization. Add your `Automation Hub` credential to the `Galaxy Credentials` section. Don't forget to click **Save**!! @@ -34,7 +34,7 @@ This project is tested for compatibility with the [demo.redhat.com Product Demos 2. If it is not already created for you, create a Project called `Ansible official demo project` with this repo as a source. NOTE: if you are using a fork, be sure that you have the correct URL. Update the project. 3. Finally, Create a Job Template called `Setup` with the following configuration: - + - Name: Setup - Inventory: Demo Inventory - Exec Env: Control Plane EE diff --git a/ansible.cfg b/ansible.cfg index 321f02ae1..caef7b00a 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -6,7 +6,9 @@ roles_path=./roles server_list = ah,galaxy [galaxy_server.ah] -#url=https://cloud.redhat.com/api/automation-hub/ +# Grab a token at https://console.redhat.com/ansible/automation-hub/token +# Then define it using ANSIBLE_GALAXY_SERVER_AH_TOKEN="" + url=https://console.redhat.com/api/automation-hub/content/published/ auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token diff --git a/cloud/README.md b/cloud/README.md index 7ef5e410d..9f45b0e4e 100644 --- a/cloud/README.md +++ b/cloud/README.md 
@@ -66,4 +66,4 @@ After running the setup job template, there are a few steps required to make the **Cloud / AWS / Patch EC2 Workflow** - Create a VPC and one or more linux VM(s) in AWS using the `Cloud / Create VPC` and `Cloud / Create VM` templates. Run the workflow and observe the instance snapshots followed by patching operation. Optionally, use the survey to force a patch failure in order to demonstrate the restore path. At this time, the workflow does not support patching Windows instances. ## Known Issues -Azure does not work without a custom execution environment that includes the Azure dependencies. \ No newline at end of file +Azure does not work without a custom execution environment that includes the Azure dependencies. diff --git a/collections/ansible_collections/demo/cloud/roles/aws/templates/aws_windows_userdata.j2 b/collections/ansible_collections/demo/cloud/roles/aws/templates/aws_windows_userdata.j2 index c4671f237..00e87c387 100644 --- a/collections/ansible_collections/demo/cloud/roles/aws/templates/aws_windows_userdata.j2 +++ b/collections/ansible_collections/demo/cloud/roles/aws/templates/aws_windows_userdata.j2 @@ -26,4 +26,4 @@ New-LocalUser -Name "ec2-user" -Description "Ansible Service Account" -Password Add-LocalGroupMember -Group "Administrators" -Member "ec2-user" Rename-Computer -NewName {{ aws_vm_name }} -Force -Restart - \ No newline at end of file + diff --git a/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/defaults/main.yml b/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/defaults/main.yml index c746ea4aa..dd62f5075 100644 --- a/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/defaults/main.yml +++ b/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/defaults/main.yml 
@@ -26,7 +26,7 @@ iosxeSTIG_stigrule_215814_login_Text: 'You are accessing a U.S. Government (USG) By using this IS (which includes any device attached to this IS), you consent to the following conditions: --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. @@ -36,7 +36,7 @@ counterintelligence (CI) investigations. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. --Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, +-Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.' # R-215815 CISC-ND-000210 diff --git a/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/U_Cisco_IOS-XE_Router_NDM_STIG_V2R1_Manual-xccdf.xml b/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/U_Cisco_IOS-XE_Router_NDM_STIG_V2R1_Manual-xccdf.xml index 128c7c714..6696a6c4f 100644 
--- a/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/U_Cisco_IOS-XE_Router_NDM_STIG_V2R1_Manual-xccdf.xml +++ b/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/U_Cisco_IOS-XE_Router_NDM_STIG_V2R1_Manual-xccdf.xml 
@@ -69,20 +69,20 @@ archive Note: Configuration changes can be viewed using the show archive log config all command. -If account removal is not automatically audited, this is a finding.SRG-APP-000038-NDM-000213<GroupDescription></GroupDescription>CISC-ND-000140The Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.<VulnDiscussion>A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Information flow control regulates where management information is allowed to travel within a network device. The flow of all management information must be monitored and controlled so it does not introduce any unacceptable risk to the network device or data. +If account removal is not automatically audited, this is a finding.SRG-APP-000038-NDM-000213<GroupDescription></GroupDescription>CISC-ND-000140The Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.<VulnDiscussion>A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Information flow control regulates where management information is allowed to travel within a network device. The flow of all management information must be monitored and controlled so it does not introduce any unacceptable risk to the network device or data. 
Application-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of management information within the system in accordance with applicable policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96205SV-105343CCI-001368Configure the Cisco router to restrict management access to specific IP addresses via SSH as shown in the example below. -SW2(config)#ip access-list standard MANAGEMENT_NET -SW2(config-std-nacl)#permit x.x.x.0 0.0.0.255 -SW2(config-std-nacl)#exit -SW2(config)#line vty 0 4 -SW2(config-line)#transport input ssh -SW2(config-line)#access-class MANAGEMENT_NET in +SW2(config)#ip access-list standard MANAGEMENT_NET +SW2(config-std-nacl)#permit x.x.x.0 0.0.0.255 +SW2(config-std-nacl)#exit +SW2(config)#line vty 0 4 +SW2(config-line)#transport input ssh +SW2(config-line)#access-class MANAGEMENT_NET in SW2(config-line)#end -Review the Cisco router configuration to verify that it is compliant with this requirement. +Review the Cisco router configuration to verify that it is compliant with this requirement. Step 1: Verify that the line vty has an ACL inbound applied as shown in the example below. 
@@ -92,7 +92,7 @@ line vty 0 4 Step 2: Verify that the ACL permits only hosts from the management network to access the router. -ip access-list extended MANAGEMENT_NET +ip access-list extended MANAGEMENT_NET permit ip x.x.x.0 0.0.0.255 any deny ip any any log-input 
@@ -166,7 +166,7 @@ archive Note: The logging userinfo global configuration command will generate a log when a user increases his or her privilege level. -If logging of administrator activity is not configured, this is a finding.SRG-APP-000091-NDM-000223<GroupDescription></GroupDescription>CISC-ND-000250The Cisco router must be configured to generate audit records when successful/unsuccessful attempts to log on with access privileges occur.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If logging of administrator activity is not configured, this is a finding.SRG-APP-000091-NDM-000223<GroupDescription></GroupDescription>CISC-ND-000250The Cisco router must be configured to generate audit records when successful/unsuccessful attempts to log on with access privileges occur.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96221SV-105359CCI-000172Configure the Cisco router to log all logon attempts as shown in the example below. 
@@ -193,7 +193,7 @@ R1(config-ext-nacl)#deny icmp any any log-inputSRG-APP-000101-NDM-000231<GroupDescription></GroupDescription>CISC-ND-000330The Cisco router must be configured to generate audit records containing the full-text recording of privileged commands.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. +If the router is not configured with the log-input parameter after any deny statements to note where packets have been dropped via an ACL, this is a finding.SRG-APP-000101-NDM-000231<GroupDescription></GroupDescription>CISC-ND-000330The Cisco router must be configured to generate audit records containing the full-text recording of privileged commands.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. The additional information required is dependent on the type of information (i.e., sensitivity of the data and the environment within which it resides). At a minimum, the organization must audit full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96227SV-105365CCI-000135Configure the Cisco router to log all configuration changes as shown in the example below. 
@@ -210,11 +210,11 @@ Note: Configuration changes can be viewed using the show archive log config all If the Cisco router is not configured to generate audit records of configuration changes, this is a finding.SRG-APP-000119-NDM-000236<GroupDescription></GroupDescription>CISC-ND-000380The Cisco router must be configured to protect audit information from unauthorized modification.<VulnDiscussion>Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit network device activity. -If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. +If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. -To ensure the veracity of audit data, the network device must protect audit information from unauthorized modification. +To ensure the veracity of audit data, the network device must protect audit information from unauthorized modification. -This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions and limiting log data locations. +This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions and limiting log data locations. 
Network devices providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights that the user enjoys in order to make access decisions regarding the modification of audit data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96231SV-105369CCI-000163If persistent logging is enabled, configure the router to only allow administrators with privilege level "15" access to the file system as shown in the example below. 
@@ -226,15 +226,15 @@ logging persistent url disk0:/logfile size 134217728 filesize 16384 Step 2: Verify that the router is not configured with a privilege level other than "15" to allow access to the file system as shown in the example below. -file privilege 10 +file privilege 10 Note: The default privilege level required for access to the file system is "15"; hence, the command file privilege "15" will not be shown in the configuration. If the router is configured with a privilege level other than "15" to allow access to the file system, this is a finding.SRG-APP-000120-NDM-000237<GroupDescription></GroupDescription>CISC-ND-000390The Cisco router must be configured to protect audit information from unauthorized deletion.<VulnDiscussion>Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. -If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. +If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. -To ensure the veracity of audit data, the network device must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include: ensuring log files receive the proper file system permissions utilizing file system protections, restricting access, and backing up log data to ensure log data is retained. +To ensure the veracity of audit data, the network device must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. 
Some commonly employed methods include: ensuring log files receive the proper file system permissions utilizing file system protections, restricting access, and backing up log data to ensure log data is retained. Network devices providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys in order to make access decisions regarding the deletion of audit data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96233SV-105371CCI-000164If persistent logging is enabled, configure the router to only allow administrators with privilege level "15" access to the file system as shown in the example below. @@ -246,7 +246,7 @@ logging persistent url disk0:/logfile size 134217728 filesize 16384 Step 2: Verify that the router is not configured with a privilege level other than "15" to allow access to the file system as shown in the example below. -file privilege 10 +file privilege 10 Note: The default privilege level required for access to the file system is "15"; hence, the command file privilege "15" will not be shown in the configuration. 
@@ -254,11 +254,11 @@ If the router is configured with a privilege level other than "15" to allow acce R4(config)#file privilege 15Verify that the router is not configured with a privilege level other than "15" to allow access to the file system as shown in the example below. -file privilege 10 +file privilege 10 Note: The default privilege level required for access to the file system is "15"; hence, the command file privilege "15" will not be shown in the configuration. -If the router is configured with a privilege level other than "15" to allow access to the file system, this is a finding.SRG-APP-000142-NDM-000245<GroupDescription></GroupDescription>CISC-ND-000470The Cisco router must be configured to prohibit the use of all unnecessary and nonsecure functions and services.<VulnDiscussion>Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. +If the router is configured with a privilege level other than "15" to allow access to the file system, this is a finding.SRG-APP-000142-NDM-000245<GroupDescription></GroupDescription>CISC-ND-000470The Cisco router must be configured to prohibit the use of all unnecessary and nonsecure functions and services.<VulnDiscussion>Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. 
To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, then it must be documented and approved.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96239SV-105377CCI-000382Disable the following services if enabled as shown in the example below. 
@@ -312,7 +312,7 @@ aaa authentication login default group tacacs+ local If the Cisco router is not configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable, this is a finding.SRG-APP-000156-NDM-000250<GroupDescription></GroupDescription>CISC-ND-000530The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.<VulnDiscussion>A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. -An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. +An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96249SV-105387CCI-001941Configure SSH to use FIPS-140-2 compliant HMACs as shown in the example below. 
@@ -324,7 +324,7 @@ Note: An SSH configuration enables a server and client to authorize the negotiat ip ssh version 2 ip ssh server algorithm encryption aes128-cbc aes192-cbc aes192-ctr -Note: An SSH configuration enables a server and client to authorize the negotiation of only those algorithms that are configured from the allowed list. If a remote party tries to negotiate using an algorithm that is not part of the allowed list, the request is rejected and the session is not established. +Note: An SSH configuration enables a server and client to authorize the negotiation of only those algorithms that are configured from the allowed list. If a remote party tries to negotiate using an algorithm that is not part of the allowed list, the request is rejected and the session is not established. If the router is not configured to implement replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.SRG-APP-000164-NDM-000252<GroupDescription></GroupDescription>CISC-ND-000550The Cisco router must be configured to enforce a minimum 15-character password length.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
@@ -428,12 +428,12 @@ Performance and time required to access are factors that must be considered, and In many instances, verifying the user knows a password is performed using a password verifier. In its simplest form, a password verifier is a computational function that is capable of creating a hash of a password and determining if the value provided by the user matches the stored hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020SV-105403V-96265CCI-000196Configure the router to encrypt all passwords. -R4(config)#service password-encryption +R4(config)#service password-encryption R4(config)#endReview the router configuration to determine if passwords are encrypted as shown in the example below. service password-encryption -If the router is not configured to encrypt passwords, this is a finding.SRG-APP-000190-NDM-000267<GroupDescription></GroupDescription>CISC-ND-000720The Cisco router must be configured to terminate all network connections associated with device management after 10 minutes of inactivity.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. 
+If the router is not configured to encrypt passwords, this is a finding.SRG-APP-000190-NDM-000267<GroupDescription></GroupDescription>CISC-ND-000720The Cisco router must be configured to terminate all network connections associated with device management after 10 minutes of inactivity.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020SV-105409V-96271CCI-001133Set the idle timeout value to "10" minutes or less on all configured login classes as shown in the example below. 
@@ -490,7 +490,7 @@ archive Note: The logging userinfo global configuration command will generate a log when a user increases his or her privilege level. -If the Cisco router is not configured to log all commands entered from the command line interface as well as log all configuration changes, this is a finding.SRG-APP-000357-NDM-000293<GroupDescription></GroupDescription>CISC-ND-000980The Cisco router must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.<VulnDiscussion>In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable. +If the Cisco router is not configured to log all commands entered from the command line interface as well as log all configuration changes, this is a finding.SRG-APP-000357-NDM-000293<GroupDescription></GroupDescription>CISC-ND-000980The Cisco router must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.<VulnDiscussion>In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable. 
The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96297SV-105435CCI-001849Configure the buffer size for logging as shown in the example below. 
@@ -500,7 +500,7 @@ logging buffered xxxxxxxx informational If a logging buffer size is not configured, this is a finding. -If the Cisco router is not configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements, this is a finding.SRG-APP-000360-NDM-000295<GroupDescription></GroupDescription>CISC-ND-001000The Cisco router must be configured to generate an alert for all audit failure events.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. +If the Cisco router is not configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements, this is a finding.SRG-APP-000360-NDM-000295<GroupDescription></GroupDescription>CISC-ND-001000The Cisco router must be configured to generate an alert for all audit failure events.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. 
Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96301SV-105439CCI-001858Configure the Cisco router to send critical to emergency log messages to the syslog server as shown in the example below. 
@@ -514,7 +514,7 @@ logging x.x.x.x Note: The parameter "critical" can replaced with a lesser severity level (i.e. error, warning, notice, informational). Informational is the default severity level; hence, if the severity level is configured to informational, the logging trap command will not be shown in the configuration. -If the Cisco router is not configured to generate an alert for all audit failure events, this is a finding.SRG-APP-000373-NDM-000298<GroupDescription></GroupDescription>CISC-ND-001030The Cisco router must be configured to synchronize its clock with the primary and secondary time sources using redundant authoritative time sources.<VulnDiscussion>The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. +If the Cisco router is not configured to generate an alert for all audit failure events, this is a finding.SRG-APP-000373-NDM-000298<GroupDescription></GroupDescription>CISC-ND-001030The Cisco router must be configured to synchronize its clock with the primary and secondary time sources using redundant authoritative time sources.<VulnDiscussion>The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. 
@@ -530,7 +530,7 @@ If the Cisco router is not configured to synchronize its clock with redundant au R2(config)#service timestamps log datetime localtimeReview the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. -service timestamps log datetime +service timestamps log datetime If the router is not configured to record time stamps that meet a granularity of one second, this is a finding.SRG-APP-000374-NDM-000299<GroupDescription></GroupDescription>CISC-ND-001050The Cisco router must be configured to record time stamps for log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).<VulnDiscussion>If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. @@ -562,7 +562,7 @@ R4(config)#snmp-server view V3READ iso included R4(config)#snmp-server view V3WRITE iso included R4(config)#snmp-server host x.x.x.x version 3 auth V3USERReview the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. -snmp-server group V3GROUP v3 auth read V3READ write V3WRITE +snmp-server group V3GROUP v3 auth read V3READ write V3WRITE snmp-server view V3READ iso included snmp-server view V3WRITE iso included snmp-server host x.x.x.x version 3 auth V3USER 
@@ -615,7 +615,7 @@ ntp server y.y.y.y key 1 If the Cisco router is not configured to authenticate NTP sources using authentication that is cryptographically based, this is a finding.SRG-APP-000411-NDM-000330<GroupDescription></GroupDescription>CISC-ND-001200The Cisco router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. -Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. +Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96327SV-105465CCI-002890The Cisco router is not compliant with this requirement. 
However, the risk associated with this requirement can be fully mitigated if the router is configured. @@ -638,7 +638,7 @@ ip ssh server algorithm mac hmac-sha1-96 HTTPS Example ip http secure-server -ip http secure-ciphersuite aes-128-cbc-sha +ip http secure-ciphersuite aes-128-cbc-sha ip http secure-client-auth ip http secure-trustpoint CA_XXX @@ -661,7 +661,7 @@ ip ssh server algorithm encryption aes128-cbc aes128-ctr aes192-cbc aes192-ctr HTTPS Example ip http secure-server -ip http secure-ciphersuite aes-128-cbc-sha +ip http secure-ciphersuite aes-128-cbc-sha ip http secure-client-auth ip http secure-trustpoint CA_XXX 
@@ -752,85 +752,85 @@ Step 4: Apply the policy map to the control plane. R1(config)#control-plane R1(config-cp)#service-policy input CONTROL_PLANE_POLICY -R1(config-cp)#endReview the Cisco router configuration to verify that it is compliant with this requirement. +R1(config-cp)#endReview the Cisco router configuration to verify that it is compliant with this requirement. Step 1: Verify traffic types have been classified based on importance levels. The following is an example configuration: -class-map match-all CoPP_CRITICAL -match access-group name CoPP_CRITICAL -class-map match-any CoPP_IMPORTANT -match access-group name CoPP_IMPORTANT -match protocol arp -class-map match-all CoPP_NORMAL -match access-group name CoPP_NORMAL -class-map match-any CoPP_UNDESIRABLE -match access-group name CoPP_UNDESIRABLE -class-map match-all CoPP_DEFAULT -match access-group name CoPP_DEFAULT +class-map match-all CoPP_CRITICAL +match access-group name CoPP_CRITICAL +class-map match-any CoPP_IMPORTANT +match access-group name CoPP_IMPORTANT +match protocol arp +class-map match-all CoPP_NORMAL +match access-group name CoPP_NORMAL +class-map match-any CoPP_UNDESIRABLE +match access-group name CoPP_UNDESIRABLE +class-map match-all CoPP_DEFAULT +match access-group name CoPP_DEFAULT Step 2: Review the ACLs referenced by the class maps to determine if the traffic is being classified appropriately. 
The following is an example configuration: -ip access-list extended CoPP_CRITICAL -remark our control plane adjacencies are critical -permit ospf host [OSPF neighbor A] any -permit ospf host [OSPF neighbor B] any -permit pim host [PIM neighbor A] any -permit pim host [PIM neighbor B] any -permit pim host [RP addr] any -permit igmp any 224.0.0.0 15.255.255.255 -permit tcp host [BGP neighbor] eq bgp host [local BGP addr] -permit tcp host [BGP neighbor] host [local BGP addr] eq bgp -deny ip any any - -ip access-list extended CoPP_IMPORTANT -permit tcp host [TACACS server] eq tacacs any -permit tcp [management subnet] 0.0.0.255 any eq 22 -permit udp host [SNMP manager] any eq snmp -permit udp host [NTP server] eq ntp any -deny ip any any - -ip access-list extended CoPP_NORMAL -remark we will want to rate limit ICMP traffic -permit icmp any any echo -permit icmp any any echo-reply -permit icmp any any time-exceeded -permit icmp any any unreachable -deny ip any any - -ip access-list extended CoPP_UNDESIRABLE -remark other management plane traffic that should not be received -permit udp any any eq ntp +ip access-list extended CoPP_CRITICAL +remark our control plane adjacencies are critical +permit ospf host [OSPF neighbor A] any +permit ospf host [OSPF neighbor B] any +permit pim host [PIM neighbor A] any +permit pim host [PIM neighbor B] any +permit pim host [RP addr] any +permit igmp any 224.0.0.0 15.255.255.255 +permit tcp host [BGP neighbor] eq bgp host [local BGP addr] +permit tcp host [BGP neighbor] host [local BGP addr] eq bgp +deny ip any any + +ip access-list extended CoPP_IMPORTANT +permit tcp host [TACACS server] eq tacacs any +permit tcp [management subnet] 0.0.0.255 any eq 22 +permit udp host [SNMP manager] any eq snmp +permit udp host [NTP server] eq ntp any +deny ip any any + +ip access-list extended CoPP_NORMAL +remark we will want to rate limit ICMP traffic +permit icmp any any echo +permit icmp any any echo-reply +permit icmp any any time-exceeded 
+permit icmp any any unreachable +deny ip any any + +ip access-list extended CoPP_UNDESIRABLE +remark other management plane traffic that should not be received +permit udp any any eq ntp permit udp any any eq snmp -permit tcp any any eq 22 -permit tcp any any eq 23 -remark other control plane traffic not configured on router -permit eigrp any any -permit udp any any eq rip -deny ip any any +permit tcp any any eq 22 +permit tcp any any eq 23 +remark other control plane traffic not configured on router +permit eigrp any any +permit udp any any eq rip +deny ip any any -ip access-list extended CoPP_DEFAULT -permit ip any any +ip access-list extended CoPP_DEFAULT +permit ip any any -Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command. +Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command. Step 3: Review the policy-map to determine if the traffic is being policed appropriately for each classification. 
The following is an example configuration: -policy-map CONTROL_PLANE_POLICY -class CoPP_CRITICAL -police 512000 8000 conform-action transmit exceed-action transmit -class CoPP_IMPORTANT -police 256000 4000 conform-action transmit exceed-action drop -class CoPP_NORMAL -police 128000 2000 conform-action transmit exceed-action drop -class CoPP_UNDESIRABLE -police 8000 1000 conform-action drop exceed-action drop +policy-map CONTROL_PLANE_POLICY +class CoPP_CRITICAL +police 512000 8000 conform-action transmit exceed-action transmit +class CoPP_IMPORTANT +police 256000 4000 conform-action transmit exceed-action drop +class CoPP_NORMAL +police 128000 2000 conform-action transmit exceed-action drop +class CoPP_UNDESIRABLE +police 8000 1000 conform-action drop exceed-action drop class CoPP_DEFAULT -police 64000 1000 conform-action transmit exceed-action drop +police 64000 1000 conform-action transmit exceed-action drop Step 4: Verify that the CoPP policy is enabled. The following is an example configuration: -control-plane -service-policy input CONTROL_PLANE_POLICY +control-plane +service-policy input CONTROL_PLANE_POLICY Note: Control Plane Protection (CPPr) can be used to filter as well as police control plane traffic destined to the RP. CPPr is very similar to CoPP and has the ability to filter and police traffic using finer granularity by dividing the aggregate control plane into three separate categories: (1) host, (2) transit, and (3) CEF-exception. Hence, a separate policy-map could be configured for each traffic category. 
@@ -838,7 +838,7 @@ If the Cisco router is not configured to protect against known types of DoS atta Audit records can be generated from various components within the network device (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020SV-105471V-96333CCI-000172Configure the Cisco router to generate log records when account privileges are modified as shown in the example below. -R4(config)#logging userinfo +R4(config)#logging userinfo R4(config)#archive R4(config-archive)#log config R4(config-archive-log-cfg)#logging enable @@ -928,7 +928,7 @@ R4(config-line)#login authentication LOGIN_AUTHENTICATION R4(config-line)#exit R4(config)#line con 0 R4(config-line)#login authentication LOGIN_AUTHENTICATION -R4(config-line)#exit +R4(config-line)#exit R4(config)#ip http authentication aaa login-authentication LOGIN_AUTHENTICATIONReview the Cisco router configuration to verify that the device is configured to use an authentication server as primary source for authentication as shown in the following example: aaa new-model 
@@ -999,7 +999,7 @@ logging x.x.x.x Note: Default for sending log messages to the syslog server is informational (level 6); hence, the command logging trap informational will not be seen in the configuration. Level of log messages sent to the syslog server can be verified using the show logging command. -If the router is not configured to send log data to the syslog server, this is a finding.SRG-APP-000516-NDM-000351<GroupDescription></GroupDescription>CISC-ND-001470The Cisco router must be running an IOS release that is currently supported by Cisco Systems.<VulnDiscussion>Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities. Running a supported release also enables operations to maintain a stable and reliable network provided by improved quality of service and security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96369SV-105507CCI-000366Upgrade the router to a supported release.Verify that the router is in compliance with this requirement by having the router administrator enter the following command: +If the router is not configured to send log data to the syslog server, this is a finding.SRG-APP-000516-NDM-000351<GroupDescription></GroupDescription>CISC-ND-001470The Cisco router must be running an IOS release that is currently supported by Cisco Systems.<VulnDiscussion>Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities. 
Running a supported release also enables operations to maintain a stable and reliable network provided by improved quality of service and security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96369SV-105507CCI-000366Upgrade the router to a supported release.Verify that the router is in compliance with this requirement by having the router administrator enter the following command: show version @@ -1007,4 +1007,4 @@ Verify that the release is still supported by Cisco. All releases supported by C www.cisco.com/c/en/us/support/ios-nx-os-software -If the router is not running a supported release, this is a finding. \ No newline at end of file +If the router is not running a supported release, this is a finding. diff --git a/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/U_Cisco_IOS-XE_Router_RTR_STIG_V2R1_Manual-xccdf.xml b/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/U_Cisco_IOS-XE_Router_RTR_STIG_V2R1_Manual-xccdf.xml index 4e9f33808..7abbcbf59 100644 --- a/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/U_Cisco_IOS-XE_Router_RTR_STIG_V2R1_Manual-xccdf.xml +++ b/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/U_Cisco_IOS-XE_Router_RTR_STIG_V2R1_Manual-xccdf.xml @@ -71,7 +71,7 @@ router bgp nn neighbor x.x.x.x remote-as nn neighbor x.x.x.x password xxxxxxx -Note: BGP authentication uses MD5 +Note: BGP authentication uses MD5 EIGRP Example: 
@@ -155,7 +155,7 @@ interface GigabitEthernet3 ! interface GigabitEthernet4 shutdown - + If an interface is not being used but is configured or enabled, this is a finding.SRG-NET-000131-RTR-000035<GroupDescription></GroupDescription>CISC-RT-000070The Cisco router must be configured to have all non-essential capabilities disabled.<VulnDiscussion>A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each router is to enable only the capabilities required for operation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106005V-96867CCI-000381Disable the following services if enabled as shown in the example below: R2(config)#no boot network 
@@ -199,7 +199,7 @@ R2(config)#no cns config initial R2(config)#no cns exec R2(config)#no cns image R2(config)#no cns trusted-server config x.x.x.x -R2(config)#no cns trusted-server image x.x.x.xReview the device configuration to determine if auto-configuration or zero-touch deployment via Cisco Networking Services (CNS) is enabled. +R2(config)#no cns trusted-server image x.x.x.xReview the device configuration to determine if auto-configuration or zero-touch deployment via Cisco Networking Services (CNS) is enabled. Auto-configuration example: @@ -220,7 +220,7 @@ cns config initial x.x.x.x 80 cns exec 80 cns image -If a configuration auto-loading feature or zero-touch deployment feature is enabled, this is a finding. +If a configuration auto-loading feature or zero-touch deployment feature is enabled, this is a finding. Note: Auto-configuration or zero-touch deployment features can be enabled when the router is offline for the purpose of image loading or building out the configuration. In addition, this would not be applicable to the provisioning of virtual routers via a software-defined network (SDN) orchestration system.SRG-NET-000362-RTR-000110<GroupDescription></GroupDescription>CISC-RT-000120The Cisco router must be configured to protect against or limit the effects of denial of service (DoS) attacks by employing control plane protection.<VulnDiscussion>The Route Processor (RP) is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental with ongoing network management functions that keep the routers and links available for providing network services. Any disruption to the RP or the control and management planes can result in mission-critical network outages. 
@@ -307,92 +307,92 @@ Step 4: Apply the policy map to the control plane. R1(config)#control-plane R1(config-cp)#service-policy input CONTROL_PLANE_POLICY -R1(config-cp)#endReview the Cisco router configuration to verify that it is compliant with this requirement. - -Step 1: Verify traffic types have been classified based on importance levels. The following is an example configuration: - -class-map match-all CoPP_CRITICAL -match access-group name CoPP_CRITICAL -class-map match-any CoPP_IMPORTANT -match access-group name CoPP_IMPORTANT -match protocol arp -class-map match-all CoPP_NORMAL -match access-group name CoPP_NORMAL -class-map match-any CoPP_UNDESIRABLE -match access-group name CoPP_UNDESIRABLE -class-map match-all CoPP_DEFAULT -match access-group name CoPP_DEFAULT - -Step 2: Review the ACLs referenced by the class maps to determine if the traffic is being classified appropriately. The following is an example configuration: - -ip access-list extended CoPP_CRITICAL -remark our control plane adjacencies are critical -permit ospf host [OSPF neighbor A] any -permit ospf host [OSPF neighbor B] any -permit pim host [PIM neighbor A] any -permit pim host [PIM neighbor B] any -permit pim host [RP addr] any -permit igmp any 224.0.0.0 15.255.255.255 -permit tcp host [BGP neighbor] eq bgp host [local BGP addr] -permit tcp host [BGP neighbor] host [local BGP addr] eq bgp -deny ip any any - -ip access-list extended CoPP_IMPORTANT -permit tcp host [TACACS server] eq tacacs any -permit tcp [management subnet] 0.0.0.255 any eq 22 -permit udp host [SNMP manager] any eq snmp -permit udp host [NTP server] eq ntp any -deny ip any any - -ip access-list extended CoPP_NORMAL -remark we will want to rate limit ICMP traffic -permit icmp any any echo -permit icmp any any echo-reply -permit icmp any any time-exceeded -permit icmp any any unreachable -deny ip any any - -ip access-list extended CoPP_UNDESIRABLE -remark other management plane traffic that should not be received -permit udp 
any any eq ntp +R1(config-cp)#endReview the Cisco router configuration to verify that it is compliant with this requirement. + +Step 1: Verify traffic types have been classified based on importance levels. The following is an example configuration: + +class-map match-all CoPP_CRITICAL +match access-group name CoPP_CRITICAL +class-map match-any CoPP_IMPORTANT +match access-group name CoPP_IMPORTANT +match protocol arp +class-map match-all CoPP_NORMAL +match access-group name CoPP_NORMAL +class-map match-any CoPP_UNDESIRABLE +match access-group name CoPP_UNDESIRABLE +class-map match-all CoPP_DEFAULT +match access-group name CoPP_DEFAULT + +Step 2: Review the ACLs referenced by the class maps to determine if the traffic is being classified appropriately. The following is an example configuration: + +ip access-list extended CoPP_CRITICAL +remark our control plane adjacencies are critical +permit ospf host [OSPF neighbor A] any +permit ospf host [OSPF neighbor B] any +permit pim host [PIM neighbor A] any +permit pim host [PIM neighbor B] any +permit pim host [RP addr] any +permit igmp any 224.0.0.0 15.255.255.255 +permit tcp host [BGP neighbor] eq bgp host [local BGP addr] +permit tcp host [BGP neighbor] host [local BGP addr] eq bgp +deny ip any any + +ip access-list extended CoPP_IMPORTANT +permit tcp host [TACACS server] eq tacacs any +permit tcp [management subnet] 0.0.0.255 any eq 22 +permit udp host [SNMP manager] any eq snmp +permit udp host [NTP server] eq ntp any +deny ip any any + +ip access-list extended CoPP_NORMAL +remark we will want to rate limit ICMP traffic +permit icmp any any echo +permit icmp any any echo-reply +permit icmp any any time-exceeded +permit icmp any any unreachable +deny ip any any + +ip access-list extended CoPP_UNDESIRABLE +remark other management plane traffic that should not be received +permit udp any any eq ntp permit udp any any eq snmp -permit tcp any any eq 22 -permit tcp any any eq 23 -remark other control plane traffic not 
configured on router -permit eigrp any any -permit udp any any eq rip -deny ip any any - -ip access-list extended CoPP_DEFAULT -permit ip any any - -Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command. - -Step 3: Review the policy-map to determine if the traffic is being policed appropriately for each classification. The following is an example configuration: - -policy-map CONTROL_PLANE_POLICY -class CoPP_CRITICAL -police 512000 8000 conform-action transmit exceed-action transmit -class CoPP_IMPORTANT -police 256000 4000 conform-action transmit exceed-action drop -class CoPP_NORMAL -police 128000 2000 conform-action transmit exceed-action drop -class CoPP_UNDESIRABLE -police 8000 1000 conform-action drop exceed-action drop +permit tcp any any eq 22 +permit tcp any any eq 23 +remark other control plane traffic not configured on router +permit eigrp any any +permit udp any any eq rip +deny ip any any + +ip access-list extended CoPP_DEFAULT +permit ip any any + +Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command. + +Step 3: Review the policy-map to determine if the traffic is being policed appropriately for each classification. 
The following is an example configuration: + +policy-map CONTROL_PLANE_POLICY +class CoPP_CRITICAL +police 512000 8000 conform-action transmit exceed-action transmit +class CoPP_IMPORTANT +police 256000 4000 conform-action transmit exceed-action drop +class CoPP_NORMAL +police 128000 2000 conform-action transmit exceed-action drop +class CoPP_UNDESIRABLE +police 8000 1000 conform-action drop exceed-action drop class CoPP_DEFAULT -police 64000 1000 conform-action transmit exceed-action drop +police 64000 1000 conform-action transmit exceed-action drop -Step 4: Verify that the CoPP policy is enabled. The following is an example configuration: +Step 4: Verify that the CoPP policy is enabled. The following is an example configuration: -control-plane -service-policy input CONTROL_PLANE_POLICY +control-plane +service-policy input CONTROL_PLANE_POLICY Note: Control Plane Protection (CPPr) can be used to filter as well as police control plane traffic destined to the RP. CPPr is very similar to CoPP and has the ability to filter and police traffic using finer granularity by dividing the aggregate control plane into three separate categories: (1) host, (2) transit, and (3) CEF-exception. Hence, a separate policy-map could be configured for each traffic category. If the Cisco router is not configured to protect against known types of DoS attacks by employing organization-defined security safeguards, this is a finding.SRG-NET-000205-RTR-000001<GroupDescription></GroupDescription>CISC-RT-000130The Cisco router must be configured to restrict traffic destined to itself.<VulnDiscussion>The route processor handles traffic destined to the router—the key component used to build forwarding paths and is instrumental with all network management functions. 
Hence, any disruption or denial of service (DoS) attack to the route processor can result in mission critical network outages.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-96875SV-106013CCI-001097Step 1: Configure the ACL for any external interfaces as shown in the example. R1(config)#ip access-list extended EXTERNAL_ACL -R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2 +R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2 R1(config-ext-nacl)#permit tcp host x.11.1.1 host x.11.1.2 eq bgp R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo-reply 
@@ -459,14 +459,14 @@ ip access-list extended INTERNAL_ACL Note: For the internal ACL example, all routers within the hypothetical network (10.1.0.0/16) have been configured to use the loopback address to source all management traffic (not shown); hence, the loopbacks are the only allowable destination address for management traffic. In addition, all management traffic destined to the router must originate from the management network (10.2.1.0/24). With the exception of link-local control plane traffic and ICMP, all other traffic destined to any physical interface address will be dropped. Step 2: Verify that the ACL has been applied to the appropriate interface as shown in the example below: - + interface GigabitEthernet0/2 ip address x.11.1.2 255.255.255.254 ip access-group EXTERNAL_ACL in interface GigabitEthernet0/3 ip address 10.1.12.2 255.255.255.0 ip access-group INTERNAL_ACL in - + If the router is not configured to restrict traffic destined to itself, this is a finding.SRG-NET-000205-RTR-000002<GroupDescription></GroupDescription>CISC-RT-000140The Cisco router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.<VulnDiscussion>Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. 
It is imperative that all fragmented ICMP packets are dropped.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-96877SV-106015CCI-001097Configure the external and internal ACLs to drop all fragmented ICMP packets destined to itself as shown in the example below: R1(config)#ip access-list extended EXTERNAL_ACL @@ -531,9 +531,9 @@ R4(config)#ip icmp rate-limit unreachable df 100 R4(config)#ip icmp rate-limit unreachable 100000 R4(config)#end -Alternative – Non DODIN Backbone. +Alternative – Non DODIN Backbone. -An alternative for non-backbone networks (i.e. enclave, base, camp, etc.) is to filter messages generated by the router and silently drop ICMP Administratively Prohibited and Host Unreachable messages using the following configuration steps: +An alternative for non-backbone networks (i.e. enclave, base, camp, etc.) is to filter messages generated by the router and silently drop ICMP Administratively Prohibited and Host Unreachable messages using the following configuration steps: Step 1: Configure ACL to include ICMP Type 3 Code 1 (Host Unreachable) and Code 13 (Administratively Prohibited) as shown in the example below: @@ -543,7 +543,7 @@ R2(config-ext-nacl)#permit icmp any any administratively-prohibited R2(config-ext-nacl)#exit Step 2: Create a route map to forward these ICMP messages to the Null0 interface. - + R2(config)#route-map LOCAL_POLICY R2(config-route-map)#match ip address ICMP_T3C1C13 R2(config-route-map)#set interface Null0 
@@ -578,7 +578,7 @@ Note: In the example above, packet-too-big message (ICMP Type 3 Code 4) can be s IF the PE router is not configured to rate limit ICMP unreachable messages, this is a finding.SRG-NET-000362-RTR-000114<GroupDescription></GroupDescription>CISC-RT-000180The Cisco router must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces.<VulnDiscussion>The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Mask Reply ICMP messages are commonly used by attackers for network mapping and diagnosis.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-96885SV-106023CCI-002385Disable ip mask-reply on all external interfaces as shown below: R4(config)#int g0/1 -R4(config-if)#no ip mask-replyReview the router configuration and verify that ip mask-reply command is not enabled on any external interfaces as shown in the example below: +R4(config-if)#no ip mask-replyReview the router configuration and verify that ip mask-reply command is not enabled on any external interfaces as shown in the example below: interface GigabitEthernet0/1 ip address x.x.x.x 255.255.255.0 
@@ -618,7 +618,7 @@ If packets being dropped at interfaces are not logged, this is a finding.DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106029V-96891CCI-000132Configure the router to log events containing information to establish where the events occurred as shown in the example below: - + R5(config)#ip access-list extended INGRESS_FILTER … … @@ -644,7 +644,7 @@ If the router is not configured to produce audit records containing information In order to compile an accurate risk assessment and provide forensic analysis, security personnel need to know the source of the event. In addition to logging where events occur within the network, the audit records must also identify sources of events such as IP addresses, processes, and node or device names.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106031V-96893CCI-000133Configure the router to log events containing information to establish where the events occurred as shown in the example below: - + R5(config)#ip access-list extended INGRESS_FILTER … … 
@@ -670,7 +670,7 @@ If the router is not configured to produce audit records containing information Secured modem devices must be able to authenticate users and must negotiate a key exchange before full encryption takes place. The modem will provide full encryption capability (Triple DES) or stronger. The technician who manages these devices will be authenticated using a key fob and granted access to the appropriate maintenance port; thus, the technician will gain access to the managed device (router, switch, etc.). The token provides a method of strong (two-factor) user authentication. The token works in conjunction with a server to generate one-time user passwords that will change values at second intervals. The user must know a personal identification number (PIN) and possess the token to be allowed access to the device.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-96895SV-106033CCI-001414Disable the auxiliary port. R2(config)#line aux 0 -R2(config-line)#no exec +R2(config-line)#no exec R2(config-line)#transport input noneReview the configuration and verify that the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected to it. line aux 0 
@@ -686,7 +686,7 @@ Step 1: Configure an inbound ACL to deny all other traffic by default as shown i
 R1(config)#ip access-list extended EXTERNAL_ACL
 R1(config-ext-nacl)#permit tcp any any established
-R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2
+R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2
 R1(config-ext-nacl)#permit tcp host x.11.1.1 host x.11.1.2 eq bgp
 R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo
 R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo-reply
@@ -762,7 +762,7 @@ Traffic can be restricted directly by an access control list (ACL), which is a f
 This requirement is intended to allow network administrators the flexibility to use whatever technique is most effective.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106039V-96901CCI-002403This requirement is not applicable for the DODIN Backbone.
-Configure the router to allow only incoming communications from authorized sources to be routed to authorized destinations.
+Configure the router to allow only incoming communications from authorized sources to be routed to authorized destinations.
 R1(config)#ip access-list extended FILTER_PERIMETER
 R1(config-ext-nacl)#nn permit udp host x.12.1.9 host x.12.1.21 eq ntp
@@ -897,7 +897,7 @@ R5(config)#ip route 0.0.0.0 0.0.0.0 x.22.1.14SRG-NET-000205-RTR-000004<GroupDescription></GroupDescription>CISC-RT-000330The Cisco perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.<VulnDiscussion>Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of access lists for restricting access to services on the router itself as well as for filtering traffic passing through the router. +If the router does not filter traffic in accordance with the guidelines contained in DoD 8551.1, this is a finding.SRG-NET-000205-RTR-000004<GroupDescription></GroupDescription>CISC-RT-000330The Cisco perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.<VulnDiscussion>Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of access lists for restricting access to services on the router itself as well as for filtering traffic passing through the router. Inbound versus Outbound: It should be noted that some operating systems default access lists are applied to the outbound queue. The more secure solution is to apply the access list to the inbound queue for three reasons: 
@@ -1031,7 +1031,7 @@ interface GigabitEthernet0/2 ip address x.11.1.2 255.255.255.254 ip access-group EXTERNAL_ACL_INBOUND in -If the router is not configured to filter traffic entering the network at all external interfaces in an inbound direction, this is a finding.SRG-NET-000205-RTR-000005<GroupDescription></GroupDescription>CISC-RT-000340The Cisco perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.<VulnDiscussion>Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of access lists for restricting access to services on the router itself as well as for filtering traffic passing through the router. +If the router is not configured to filter traffic entering the network at all external interfaces in an inbound direction, this is a finding.SRG-NET-000205-RTR-000005<GroupDescription></GroupDescription>CISC-RT-000340The Cisco perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.<VulnDiscussion>Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of access lists for restricting access to services on the router itself as well as for filtering traffic passing through the router. Inbound versus Outbound: It should be noted that some operating systems default access lists are applied to the outbound queue. The more secure solution is to apply the access list to the inbound queue for three reasons: 
@@ -1056,7 +1056,7 @@ If the router is not configured to filter traffic leaving the network at the int
 R5(config)#int g0/1
 R5(config-if)#no lldp transmitThis requirement is not applicable for the DODIN Backbone.
-Step 1: Verify LLDP is not enabled globally via the command.
+Step 1: Verify LLDP is not enabled globally via the command.
 lldp run
@@ -1093,7 +1093,7 @@ If CDP is enabled on any external interface, this is a finding.<
 Disable Proxy ARP on all external interfaces as shown in the example below:
-R2(config)#int g0/1
+R2(config)#int g0/1
 R2(config-if)#no ip proxy-arpThis requirement is not applicable for the DODIN Backbone.
 Review the router configuration to determine if IP Proxy ARP is disabled on all external interfaces as shown in the example below:
@@ -1103,7 +1103,7 @@ interface GigabitEthernet0/1 ip address x.1.12.2 255.255.255.252 no ip proxy-arp -Note: By default Proxy ARP is enabled on all interfaces; hence, if enabled, it will not be shown in the configuration. +Note: By default Proxy ARP is enabled on all interfaces; hence, if enabled, it will not be shown in the configuration. If IP Proxy ARP is enabled on any external interface, this is a finding.SRG-NET-000364-RTR-000113<GroupDescription></GroupDescription>CISC-RT-000390The Cisco perimeter router must be configured to block all outbound management traffic.<VulnDiscussion>For in-band management, the management network must have its own subnet in order to enforce control and access boundaries provided by Layer 3 network nodes, such as routers and firewalls. Management traffic between the managed network elements and the management network is routed via the same links and nodes as that used for production or operational traffic. Safeguards must be implemented to ensure that the management traffic does not leak past the perimeter of the managed network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-96927SV-106065CCI-001097This requirement is not applicable for the DODIN Backbone. @@ -1170,7 +1170,7 @@ Step 3: Specify the pre-shared key and the remote peer address. R4(config)#crypto isakmp key 0 xxxxxx address x.1.12.1 Note: Digital certificates can be utilized as an alternative. - + Step 4: Create the IPSec transform set for the data encryption. R4(config)#crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes 
@@ -1185,7 +1185,7 @@ R4(config-crypto-map)#match address MGMT_TRAFFIC_ACL R4(config-crypto-map)#set transform-set TRANS_SET R4(config-crypto-map)#end -Step 6: Apply the crypto map to the external interface. +Step 6: Apply the crypto map to the external interface. R4(config)#int g0/2 R4(config-if)#crypto map IPSEC_MGMT_MAPThis requirement is not applicable for the DODIN Backbone. @@ -1207,7 +1207,7 @@ crypto isakmp policy 10 crypto isakmp key xxxxxx address x.1.12.1 ! ! -crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes +crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes Step 3: Review the crypto map that was bound to the external interface and note the ACL defined that identifies the interesting traffic for the IPsec tunnel. @@ -1270,7 +1270,7 @@ ip access-list extended MGMT_TRAFFIC_ACL permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp-trap permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq syslog - permit icmp 10.1.34.0 0.0.0.255 10.22.22.0 0.0.0.255 + permit icmp 10.1.34.0 0.0.0.255 10.22.22.0 0.0.0.255 deny ip any any log-input If an IPSec tunnel is used, verify that the only authorized management traffic is transported to the NOC. @@ -1473,7 +1473,7 @@ R4(config)#int g0/7 R4(config-if)#ip access-group INGRESS_MANAGEMENT_ACL in R4(config-if)#ip access-group EGRESS_MANAGEMENT_ACL outThis requirement is only applicable where management access to the router is via an OOBM interface which is not a true OOBM interface. -Step 1: Verify that the managed interface has an inbound and outbound ACL configured. +Step 1: Verify that the managed interface has an inbound and outbound ACL configured. interface GigabitEthernet0/7 description link to OOBM access switch 
@@ -1481,7 +1481,7 @@ interface GigabitEthernet0/7 ip access-group INGRESS_MANAGEMENT_ACL in ip access-group EGRESS_MANAGEMENT_ACL out -Step 2: Verify that the ingress ACL only allows management and ICMP traffic. +Step 2: Verify that the ingress ACL only allows management and ICMP traffic. ip access-list extended INGRESS_MANAGEMENT_ACL permit tcp any host 10.11.1.22 eq tacacs @@ -1521,7 +1521,7 @@ Step 3: Specify the pre-shared key and the remote peer address. R4(config)#crypto isakmp key 0 xxxxxx address 10.1.12.1 Note: Digital certificates can be utilized as an alternative. - + Step 4: Create the Phase 2 policy for the data encryption. R4(config)#crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes @@ -1536,7 +1536,7 @@ R4(config-crypto-map)#match address MGMT_TRAFFIC_ACL R4(config-crypto-map)#set transform-set TRANS_SET R4(config-crypto-map)#end -Step 6: Apply the crypto map to the external interface. +Step 6: Apply the crypto map to the external interface. R4(config)#int g0/2 R4(config-if)#crypto map IPSEC_MGMT_MAPThis requirement is not applicable for the DODIN Backbone. @@ -1558,7 +1558,7 @@ crypto isakmp policy 10 crypto isakmp key xxxxxx address x.1.12.1 ! ! -crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes +crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes Step 3: Review the crypto map that was bound to the external interface and note the ACL defined that identifies the interesting traffic for the IPsec tunnel. @@ -1601,7 +1601,7 @@ R1(config)#router bgp xx R1(config-router)#neighbor x.1.1.9 prefix-list PREFIX_FILTER in R1(config-router)#neighbor x.2.1.7 prefix-list PREFIX_FILTER in -Route Map Alternative: +Route Map Alternative: Step 1: Configure the route map referencing the configured prefix list above. 
@@ -1613,7 +1613,7 @@ Step 2: Apply the route-map inbound to each external BGP neighbor as shown in th R1(config)#router bgp xx R1(config-router)#neighbor x.1.1.9 route-map FILTER_PREFIX_MAP in -R1(config-router)#neighbor x.2.1.7 route-map FILTER_PREFIX_MAP in +R1(config-router)#neighbor x.2.1.7 route-map FILTER_PREFIX_MAP in R1(config-router)#endReview the router configuration to verify that it will reject BGP routes for any Bogon prefixes. Step 1: Verify a prefix list has been configured containing the current Bogon prefixes as shown in the example below: @@ -1644,7 +1644,7 @@ router bgp xx neighbor x.2.1.7 remote-as zz neighbor x.2.1.7 prefix-list PREFIX_FILTER in -Route Map Alternative: +Route Map Alternative: Verify that the route map applied to the external neighbors references the configured Bogon prefix list shown above. @@ -1703,7 +1703,7 @@ Step 2: Apply the prefix list filter inbound to each CE neighbor as shown in the R1(config)#router bgp xx R1(config-router)#neighbor x.12.4.14 prefix-list FILTER_PREFIXES_CUST1 in -R1(config-router)#neighbor x.12.4.16 prefix-list FILTER_PREFIXES_CUST2 inReview the router configuration to verify that there are ACLs defined to only accept routes for prefixes that belong to specific customers. +R1(config-router)#neighbor x.12.4.16 prefix-list FILTER_PREFIXES_CUST2 inReview the router configuration to verify that there are ACLs defined to only accept routes for prefixes that belong to specific customers. Step 1: Verify prefix list has been configured for each customer containing prefixes belonging to each customer as shown in the example below: 
@@ -1893,8 +1893,8 @@ router bgp xx neighbor 10.1.1.1 remote-as xx neighbor 10.1.1.1 password xxxxxxxx neighbor 10.1.1.1 update-source Loopback0 - -If the router does not use its loopback address as the source address for all iBGP sessions, this is a finding.SRG-NET-000512-RTR-000002<GroupDescription></GroupDescription>CISC-RT-000590The Cisco MPLS router must be configured to use its loopback address as the source address for LDP peering sessions.<VulnDiscussion>Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of backbone routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of from a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-96967SV-106105CCI-000366Configure the router to use their loopback address as the source address for LDP peering sessions. As noted in the check content, the default behavior is to use its loopback address. 
+ +If the router does not use its loopback address as the source address for all iBGP sessions, this is a finding.SRG-NET-000512-RTR-000002<GroupDescription></GroupDescription>CISC-RT-000590The Cisco MPLS router must be configured to use its loopback address as the source address for LDP peering sessions.<VulnDiscussion>Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of backbone routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of from a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-96967SV-106105CCI-000366Configure the router to use their loopback address as the source address for LDP peering sessions. As noted in the check content, the default behavior is to use its loopback address. R4(config)#mpls ldp router-id lo0Review the router configuration to determine if it is compliant with this requirement. 
@@ -1936,7 +1936,7 @@ When RSVP messages are sent out, they are sent either hop by hop or with the rou R2(config)#ip rsvp signalling rate-limit burst 9 maxsize 2100 period 30 limit 50Review the router configuration to determine RSVP messages are rate limited. -Step 1: Determine if MPLS TE is enabled globally and at least one interface as shown in the example below: +Step 1: Determine if MPLS TE is enabled globally and at least one interface as shown in the example below: mpls traffic-eng tunnels … @@ -1951,7 +1951,7 @@ Step 2: If MPLS TE is enabled, verify that message pacing is enabled. ip rsvp signalling rate-limit period 30 burst 9 maxsize 2100 limit 50 -Note: The command "ip rsvp msg-pacing" has been deprecated by the command "ip rsvp signalling rate-limit" +Note: The command "ip rsvp msg-pacing" has been deprecated by the command "ip rsvp signalling rate-limit" If the router with RSVP-TE enabled does not rate limit RSVP messages based on the link speed and input queue size of adjacent core routers, this is a finding.SRG-NET-000512-RTR-000004<GroupDescription></GroupDescription>CISC-RT-000620The Cisco MPLS router must be configured to have TTL Propagation disabled.<VulnDiscussion>The head end of the label-switched path (LSP), the label edge router (LER) will decrement the IP packet's time-to-live (TTL) value by one and then copy the value to the MPLS TTL field. At each label-switched router (LSR) hop, the MPLS TTL value is decremented by one. The MPLS router that pops the label (either the penultimate LSR or the egress LER) will copy the packet's MPLS TTL value to the IP TTL field and decrement it by one. 
@@ -2007,9 +2007,9 @@ R5(config)#mpls ldp neighbor 10.1.1.2 password xxxxxxxxSRG-NET-000512-RTR-000008<GroupDescription></GroupDescription>CISC-RT-000670The Cisco PE router providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit.<VulnDiscussion>VPWS is an L2VPN technology that provides a virtual circuit between two PE routers to forward Layer 2 frames between two customer-edge routers or switches through an MPLS-enabled IP core. The ingress PE router (virtual circuit head-end) encapsulates Ethernet frames inside MPLS packets using label stacking and forwards them across the MPLS network to the egress PE router (virtual circuit tail-end). During a virtual circuit setup, the PE routers exchange VC label bindings for the specified VC ID. The VC ID specifies a pseudowire associated with an ingress and egress PE router and the customer-facing attachment circuits. +If the router is not configured to authenticate targeted LDP sessions using MD5, the finding will remain as a CAT II.SRG-NET-000512-RTR-000008<GroupDescription></GroupDescription>CISC-RT-000670The Cisco PE router providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit.<VulnDiscussion>VPWS is an L2VPN technology that provides a virtual circuit between two PE routers to forward Layer 2 frames between two customer-edge routers or switches through an MPLS-enabled IP core. The ingress PE router (virtual circuit head-end) encapsulates Ethernet frames inside MPLS packets using label stacking and forwards them across the MPLS network to the egress PE router (virtual circuit tail-end). During a virtual circuit setup, the PE routers exchange VC label bindings for the specified VC ID. The VC ID specifies a pseudowire associated with an ingress and egress PE router and the customer-facing attachment circuits. 
-To guarantee that all frames are forwarded onto the correct pseudowire and to the correct customer and attachment circuits, it is imperative that the correct VC ID is configured for each attachment circuit.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106121V-96983CCI-000366Assign globally unique VC IDs for each virtual circuit and configure the attachment circuits with the appropriate VC ID. +To guarantee that all frames are forwarded onto the correct pseudowire and to the correct customer and attachment circuits, it is imperative that the correct VC ID is configured for each attachment circuit.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106121V-96983CCI-000366Assign globally unique VC IDs for each virtual circuit and configure the attachment circuits with the appropriate VC ID. R5(config)#int g0/1 R5(config-if)#xconnect x.2.2.12 55 encapsulation mplsVerify that the correct and unique VCID has been configured for the appropriate attachment circuit. In the example below, GigabitEthernet0/1 is the CE-facing interface that is configured for VPWS with the VCID of 55. 
@@ -2027,13 +2027,13 @@ R1(config-vfi)#neighbor 10.3.3.3 encapsulation mpls R1(config-vfi)#bridge-domain 100 R1(config-vfi)#exit R1(config-if)#service instance 10 ethernet -R1(config-if-srv)#encapsulation untagged +R1(config-if-srv)#encapsulation untagged R1(config-if-srv)#bridge-domain 100 R1(config-if-srv)#endReview the implementation plan and the VPN IDs assigned to customer VLANs for the VPLS deployment. Review the PE router configuration to verify that customer attachment circuits are associated to the appropriate VFI. In the example below, the attached circuit at interface GigabitEthernet3 is associated to VPN ID 110. -l2 vfi VPLS_A manual +l2 vfi VPLS_A manual vpn id 110 bridge-domain 100 neighbor 10.3.3.3 encapsulation mpls 
@@ -2051,10 +2051,10 @@ If the attachment circuits have not been bound to VFI configured with the assign The PE routers use the VFI with a unique VPN ID to establish a full mesh of emulated virtual circuits or pseudowires to all the other PE routers in the VPLS instance. The full-mesh configuration allows the PE router to maintain a single broadcast domain. With a full-mesh configuration, signaling and packet replication requirements for each provisioned virtual circuit on a PE can be high. To avoid the problem of a packet looping in the provider core, thereby adding more overhead, the PE devices must enforce a split-horizon principle for the emulated virtual circuits; that is, if a packet is received on an emulated virtual circuit, it is not forwarded on any other virtual circuit.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106125V-96987CCI-000366Enable split horizon on all PE routers deploying VPLS in a full-mesh configuration. -R1(config)#l2 vfi VPLS_A manual +R1(config)#l2 vfi VPLS_A manual R1(config-vfi)#neighbor 10.3.3.3 encapsulation mplsReview the PE router configuration to verify that split horizon is enabled. By default, split horizon is enabled; hence, the attribute no-split-horizon should not be seen on the neighbor command as shown in the example below: -l2 vfi VPLS_A manual +l2 vfi VPLS_A manual vpn id 110 bridge-domain 100 neighbor 10.3.3.3 encapsulation mpls no-split-horizon 
@@ -2064,7 +2064,7 @@ If split horizon is not enabled, this is a finding. Note: This requirement is only applicable to a mesh VPLS topology. VPLS solves the loop problem by using a split-horizon rule which states that member PE routers of a VPLS must forward VPLS traffic only to the local attachment circuits when they receive the traffic from the other PE routers. In a ring VPLS, split horizon must be disabled so that a PE router can forward a packet received from one pseudowire to another pseudowire. To prevent the consequential loop, at least one span in the ring would not have a pseudowire for any given VPLS instance.SRG-NET-000193-RTR-000002<GroupDescription></GroupDescription>CISC-RT-000700The Cisco PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.<VulnDiscussion>A traffic storm occurs when packets flood a VPLS bridge, creating excessive traffic and degrading network performance. Traffic storm control prevents VPLS bridge disruption by suppressing traffic when the number of packets reaches configured threshold levels. 
Traffic storm control monitors incoming traffic levels on a port and drops traffic when the number of packets reaches the configured threshold level during any one-second interval.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106127V-96989CCI-001095Configure storm control for each CE-facing interface as shown in the example below: R1(config)#int g3 -R1(config-if)#service instance 10 ethernet +R1(config-if)#service instance 10 ethernet R1(config-if-srv)#storm-control broadcast cir 12000000 R1(config-if-srv)#end 
@@ -2075,21 +2075,21 @@ interface GigabitEthernet3 service instance 10 ethernet encapsulation untagged bridge-domain 100 - storm-control broadcast cir 12000000 + storm-control broadcast cir 12000000 ! ! If storm control is not enabled at a minimum for broadcast traffic, this is a finding.SRG-NET-000362-RTR-000119<GroupDescription></GroupDescription>CISC-RT-000710The Cisco PE router must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain.<VulnDiscussion>IGMP snooping provides a way to constrain multicast traffic at Layer 2. By monitoring the IGMP membership reports sent by hosts within the bridge domain, the snooping application can set up Layer 2 multicast forwarding tables to deliver traffic only to ports with at least one interested member within the VPLS bridge, thereby significantly reducing the volume of multicast traffic that would otherwise flood an entire VPLS bridge domain. The IGMP snooping operation applies to both access circuits and pseudowires within a VPLS bridge domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106129V-96991CCI-002385Configure IGMP or MLD snooping for IPv4 and IPv6 multicast traffic respectively for each VPLS bridge domain. R1(config)#bridge-domain 100 -R1(config-bdomain)#ip igmp snooping +R1(config-bdomain)#ip igmp snooping R1(config-bdomain)#endReview the router configuration to verify that IGMP or MLD snooping has been configured for IPv4 and IPv6 multicast traffic respectively for each VPLS bridge domain. 
The example below are the steps to verify that IGMP snooping is enabled for a VPLS bridge domain. Step 1: Verify that IGMP snooping is enabled globally. By default, IGMP snooping is enabled globally; hence, the following command should not be in the router configuration: no ip igmp snooping Step 2: If IGMP snooping is enabled globally, it will also be enabled by default for each VPLS bridge domain. Hence, the command no ip igmp snooping should not be configured for any VPLS bridge domain as shown in the example below: -bridge-domain 100 +bridge-domain 100 no ip igmp snooping ! @@ -2101,7 +2101,7 @@ A malicious attacker residing in a customer network could launch a source MAC ad R1(config-bdomain)#mac limit maximum addresses nnnnReview the PE router configuration to determine if a MAC address limit has been set for each VPLS bridge domain. -bridge-domain 100 +bridge-domain 100 mac limit maximum addresses nnnnn If a limit has not been configured, this is a finding.SRG-NET-000205-RTR-000007<GroupDescription></GroupDescription>CISC-RT-000730The Cisco PE router must be configured to block any traffic that is destined to IP core infrastructure.<VulnDiscussion>IP/MPLS networks providing VPN and transit services must provide, at the least, the same level of protection against denial of service (DoS) attacks and intrusions as Layer 2 networks. Although the IP core network elements are hidden, security should never rely entirely on obscurity. 
@@ -2109,7 +2109,7 @@ If a limit has not been configured, this is a finding.DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-96995SV-106133CCI-001097Configure protection for the IP core to be implemented at the edges by blocking any traffic with a destination address assigned to the IP core infrastructure. Step 1: Configure an ingress ACL to discard and log packets destined to the IP core address space. - + R2(config)#ip access-list extended BLOCK_TO_CORE R2(config-ext-nacl)#deny ip any 10.1.x.0 0.0.255.255 log-input R2(config-ext-nacl)#exit @@ -2118,13 +2118,13 @@ Step 2: Apply the ACL inbound to all external or CE-facing interfaces. R2(config)#int R4(config)#int g0/2 R2(config-if)#ip access-group BLOCK_TO_CORE in -R2(config-if)#endStep 1: Review the router configuration to verify that an ingress ACL is applied to all external or CE-facing interfaces. +R2(config-if)#endStep 1: Review the router configuration to verify that an ingress ACL is applied to all external or CE-facing interfaces. interface GigabitEthernet0/2 ip address x.1.12.2 255.255.255.252 ip access-group BLOCK_TO_CORE in -Step 2: Verify that the ingress ACL discards and logs packets destined to the IP core address space. +Step 2: Verify that the ingress ACL discards and logs packets destined to the IP core address space. ip access-list extended BLOCK_TO_CORE deny ip any 10.1.x.0 0.0.255.255 log-input 
@@ -2314,7 +2314,7 @@ interface GigabitEthernet1/2 ip address 10.1.15.8 255.255.255.252 service-policy output QOS_POLICY -If the router is not configured to implement a QoS policy in accordance with the QoS DODIN Technical Profile, this is a finding.SRG-NET-000193-RTR-000112<GroupDescription></GroupDescription>CISC-RT-000780The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial of service (DoS) attacks.<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial of service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch using readily available tools such as Low Orbit Ion Cannon or botnets. +If the router is not configured to implement a QoS policy in accordance with the QoS DODIN Technical Profile, this is a finding.SRG-NET-000193-RTR-000112<GroupDescription></GroupDescription>CISC-RT-000780The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial of service (DoS) attacks.<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial of service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch using readily available tools such as Low Orbit Ion Cannon or botnets. 
Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, Quality of Service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-97005SV-106143CCI-001095Step 1: Configure a class map for the SCAVENGER class. @@ -2336,7 +2336,7 @@ Step 1: Verify that a class map has been configured for the Scavenger class as s class-map match-all SCAVENGER match ip dscp cs1 -Step 2: Verify that the policy map includes the SCAVENGER class with low priority as shown in the following example below. +Step 2: Verify that the policy map includes the SCAVENGER class with low priority as shown in the following example below. policy-map QOS_POLICY class CONTROL_PLANE 
@@ -2356,9 +2356,9 @@ class SCAVENGER Note: Traffic out of profile must be marked at the customer access layer or CE egress edge. -If the router is not configured to enforce a QoS policy to limit the effects of packet flooding DoS attacks, this is a finding.SRG-NET-000019-RTR-000003<GroupDescription></GroupDescription>CISC-RT-000790The Cisco multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.<VulnDiscussion>If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Limiting where, within the network, a given multicast group's data is permitted to flow is an important first step in improving multicast security. +If the router is not configured to enforce a QoS policy to limit the effects of packet flooding DoS attacks, this is a finding.SRG-NET-000019-RTR-000003<GroupDescription></GroupDescription>CISC-RT-000790The Cisco multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.<VulnDiscussion>If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Limiting where, within the network, a given multicast group's data is permitted to flow is an important first step in improving multicast security. -A scope zone is an instance of a connected region of a given scope. Zones of the same scope cannot overlap while zones of a smaller scope will fit completely within a zone of a larger scope. For example, Admin-local scope is smaller than Site-local scope, so the administratively configured boundary fits within the bounds of a site. 
According to RFC 4007 IPv6 Scoped Address Architecture (section 5), scope zones are also required to be "convex from a routing perspective"; that is, packets routed within a zone must not pass through any links that are outside of the zone. This requirement forces each zone to be one contiguous island rather than a series of separate islands. +A scope zone is an instance of a connected region of a given scope. Zones of the same scope cannot overlap while zones of a smaller scope will fit completely within a zone of a larger scope. For example, Admin-local scope is smaller than Site-local scope, so the administratively configured boundary fits within the bounds of a site. According to RFC 4007 IPv6 Scoped Address Architecture (section 5), scope zones are also required to be "convex from a routing perspective"; that is, packets routed within a zone must not pass through any links that are outside of the zone. This requirement forces each zone to be one contiguous island rather than a series of separate islands. As stated in the DoD IPv6 IA Guidance for MO3, "One should be able to identify all interfaces of a zone by drawing a closed loop on their network diagram, engulfing some routers and passing through some routers to include only some of their interfaces." Therefore, it is imperative that the network engineers have documented their multicast topology and thereby knows which interfaces are enabled for multicast. 
Once this is done, the zones can be scoped as required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-97007SV-106145CCI-001414Document all enabled interfaces for PIM in the network's multicast topology diagram. Disable support for PIM on interfaces that are not required to support it. @@ -2407,7 +2407,7 @@ Admin-Local scope is encouraged for any multicast traffic within a network inten R2(config)#ip access-list standard MULTICAST_SCOPE R2(config-std-nacl)#deny 239.0.0.0 0.255.255.255 R2(config-std-nacl)#permit any -R2(config-std-nacl)#exit +R2(config-std-nacl)#exit Step 2: Apply the multicast boundary at the appropriate interfaces as shown in the example below: 
@@ -2428,7 +2428,7 @@ ip access-list standard MULTICAST_SCOPE If the router is not configured to establish boundaries for administratively scoped multicast traffic, this is a finding.SRG-NET-000362-RTR-000120<GroupDescription></GroupDescription>CISC-RT-000820The Cisco multicast Rendezvous Point (RP) router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.<VulnDiscussion>MSDP peering between networks enables sharing of multicast source information. Enclaves with an existing multicast topology using PIM-SM can configure their RP routers to peer with MSDP routers. As a first step of defense against a denial of service (DoS) attack, all RP routers must limit the multicast forwarding cache to ensure that router resources are not saturated managing an overwhelming number of PIM and MSDP source-active entries.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-97013SV-106151CCI-002385The risk associated with this requirement can be fully mitigated by configuring the router to filter PIM register messages, rate limiting the number of PIM register messages, and accept MSDP packets only from known MSDP peers. -Step 1: Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7. 
+Step 1: Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7. R2(config)#ip access-list extended PIM_REGISTER_FILTER R2(config-ext-nacl)#deny ip any 239.5.0.0 0.0.255.255 @@ -2437,7 +2437,7 @@ R2(config-ext-nacl)#permit ip host 10.1.2.7 any R2(config-ext-nacl)#deny ip any any R2(config-ext-nacl)#exit R2(config)#ip pim accept-register list PIM_REGISTER_FILTER -R2(config)#end +R2(config)#end Step 2: Configure the RP to rate limit the number of multicast register messages. 
@@ -2461,7 +2461,7 @@ R8(config-ext-nacl)#deny ip any anySRG-NET-000019-RTR-000013<GroupDescription></GroupDescription>CISC-RT-000830The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources.<VulnDiscussion>Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial of service (DoS) condition. Hence, it is imperative that register messages are accepted only for authorized multicast groups and sources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106153V-97015CCI-001414Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7. 
+If the RP router is not configured to filter PIM register messages, rate limiting the number of PIM register messages, and accept MSDP packets only from known MSDP peers, this is a finding.SRG-NET-000019-RTR-000013<GroupDescription></GroupDescription>CISC-RT-000830The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources.<VulnDiscussion>Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial of service (DoS) condition. Hence, it is imperative that register messages are accepted only for authorized multicast groups and sources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106153V-97015CCI-001414Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7. R2(config)#ip access-list extended PIM_REGISTER_FILTER R2(config-ext-nacl)#deny ip any 239.5.0.0 0.0.255.255 
@@ -2513,7 +2513,7 @@ R2(config-ext-nacl)#permit ip host 10.1.2.7 any R2(config-ext-nacl)#deny ip any any R2(config-ext-nacl)#exit R2(config)#ip pim accept-register list PIM_REGISTER_FILTER -R2(config)#endVerify that the RP router is configured to filter PIM register messages. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7. +R2(config)#endVerify that the RP router is configured to filter PIM register messages. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7. ip pim rp-address 10.1.12.3 ip pim accept-register list PIM_REGISTER_FILTER @@ -2532,7 +2532,7 @@ R2(config)#ip access-list standard PIM_JOIN_FILTER R2(config-std-nacl)#deny 239.8.0.0 0.0.255.255 R2(config-std-nacl)#permit any R2(config-std-nacl)#exit -R2(config)#ip pim accept-rp 10.2.2.2 PIM_JOIN_FILTER +R2(config)#ip pim accept-rp 10.2.2.2 PIM_JOIN_FILTER R2(config)#endVerify that the RP router is configured to filter PIM join messages for any undesirable multicast groups. In the example below, groups from 239.8.0.0/16 are not allowed. ip pim rp-address 10.2.2.2 
@@ -2554,7 +2554,7 @@ ip pim register-rate-limit nn If the RP is not limiting PIM register messages, this is a finding.SRG-NET-000364-RTR-000114<GroupDescription></GroupDescription>CISC-RT-000860The Cisco multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.<VulnDiscussion>Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (i.e., someone doing a file download here or there), whereas multicast can have broader impact on bandwidth consumption, resulting in extreme network congestion. Hence, it is imperative that there is multicast admission control to restrict which multicast groups hosts are allowed to join via IGMP or MLD.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106159V-97021CCI-002403Configure the DR to filter the IGMP or MLD Membership Report messages to allow hosts to join only those multicast groups that have been approved. -Step 1: Configure the ACL to filter IGMP Membership Report messages as shown in the example. +Step 1: Configure the ACL to filter IGMP Membership Report messages as shown in the example. R3(config)#ip access-list standard IGMP_JOIN_FILTER R3(config-std-nacl)#deny 239.8.0.0 0.0.255.255 
@@ -2630,7 +2630,7 @@ If the DR is not limiting multicast join requests via IGMP or MLD on a global or When the last-hop router begins to receive traffic for the group from the source via the SPT, it will send a PIM Prune message to the RP for the (S, G). The RP will then send a Prune message toward the source. The SPT switchover becomes a scaling issue for large multicast topologies that have many receivers and many sources for many groups because (S, G) entries require more memory than (*, G). Hence, it is imperative to minimize the amount of (S, G) state to be maintained by increasing the threshold that determines when the SPT switchover occurs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106165V-97027CCI-002385Configure the DR to increase the SPT threshold or set it to infinity to minimalize (S, G) state within the multicast topology where ASM is deployed. -R3(config)#ip pim spt-threshold infinityReview the DR configuration to verify that the SPT switchover threshold is increased (default is "0") or set to infinity (never switch over). +R3(config)#ip pim spt-threshold infinityReview the DR configuration to verify that the SPT switchover threshold is increased (default is "0") or set to infinity (never switch over). ip pim rp-address 10.2.2.2 ip pim spt-threshold infinity 
@@ -2682,7 +2682,7 @@ ip msdp password peer x.1.28.8 xxxxxxxxxxxx If the router does not require MSDP authentication, this is a finding.SRG-NET-000018-RTR-000007<GroupDescription></GroupDescription>CISC-RT-000920The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.<VulnDiscussion>The interoperability of BGP extensions for interdomain multicast routing and MSDP enables seamless connectivity of multicast domains between autonomous systems. MP-BGP advertises the unicast prefixes of the multicast sources used by Protocol Independent Multicast (PIM) routers to perform RPF checks and build multicast distribution trees. MSDP is a mechanism used to connect multiple PIM sparse-mode domains, allowing RPs from different domains to share information about active sources. When RPs in peering multicast domains hear about active sources, they can pass on that information to their local receivers, thereby allowing multicast data to be forwarded between the domains. 
Configuring an import policy to block multicast advertisements for reserved, Martian, single-source multicast, and any other undesirable multicast groups, as well as any source-group (S, G) states with Bogon source addresses, would assist in avoiding unwanted multicast traffic from traversing the core.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106171V-97033CCI-001368Configure the MSDP router to filter received source-active multicast advertisements for any undesirable multicast groups and sources as shown in the example below: R8(config)#ip access-list extended INBOUND_MSDP_SA_FILTER -R8(config-ext-nacl)#deny ip any host 224.0.1.3 ! Rwhod +R8(config-ext-nacl)#deny ip any host 224.0.1.3 ! Rwhod R8(config-ext-nacl)#deny ip any host 224.0.1.24 ! Microsoft-ds R8(config-ext-nacl)#deny ip any host 224.0.1.22 ! SVRLOC R8(config-ext-nacl)#deny ip any host 224.0.1.2 ! SGI-Dogfight 
@@ -2698,7 +2698,7 @@ R8(config-ext-nacl)#deny ip 172.16.0.0 0.15.255.255 any ! RFC 1918 address r R8(config-ext-nacl)#deny ip 192.168.0.0 0.0.255.255 any ! RFC 1918 address range R8(config-ext-nacl)#permit ip any any R8(config-ext-nacl)#exit -R8(config)#ip msdp sa-filter in x.1.28.2 list INBOUND_MSDP_SA_FILTERReview the router configuration to determine if there is import policy to block source-active multicast advertisements for any undesirable multicast groups, as well as any (S, G) states with undesirable source addresses. +R8(config)#ip msdp sa-filter in x.1.28.2 list INBOUND_MSDP_SA_FILTERReview the router configuration to determine if there is import policy to block source-active multicast advertisements for any undesirable multicast groups, as well as any (S, G) states with undesirable source addresses. Step 1: Verify that an inbound source-active filter is bound to each MSDP peer. 
@@ -2918,11 +2918,11 @@ ip access-list extended EXTERNAL_ACL deny ip any any option any-options permit … … - … + … … deny ip any any log-input -If the router is not configured to drop all packets with IP options, this is a finding.SRG-NET-000362-RTR-000124<GroupDescription></GroupDescription>CISC-RT-000470The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).<VulnDiscussion>As described in RFC 3682, GTSM is designed to protect a router's IP-based control plane from denial of service (DoS) attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol-speaking routers. +If the router is not configured to drop all packets with IP options, this is a finding.SRG-NET-000362-RTR-000124<GroupDescription></GroupDescription>CISC-RT-000470The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).<VulnDiscussion>As described in RFC 3682, GTSM is designed to protect a router's IP-based control plane from denial of service (DoS) attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol-speaking routers. GTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers; that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. 
Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106081V-96943CCI-002385Configure TTL security on all external BGP neighbors as shown in the example below: 
@@ -2943,8 +2943,8 @@ router bgp xx If the router is not configured to use GTSM for all Exterior Border Gateway Protocol peering sessions, this is a finding.SRG-NET-000230-RTR-000002<GroupDescription></GroupDescription>CISC-RT-000480The Cisco BGP router must be configured to use a unique key for each autonomous system (AS) that it peers with.<VulnDiscussion>If the same keys are used between eBGP neighbors, the chance of a hacker compromising any of the BGP sessions increases. It is possible that a malicious user exists in one autonomous system who would know the key used for the eBGP session. This user would then be able to hijack BGP sessions with other trusted neighbors.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106083V-96945CCI-002205CCI-000366Configure the router to use unique keys for each AS that it peers with as shown in the example below: R1(config)#router bgp xx -R1(config-router)#neighbor x.1.1.9 password yyyyyyyy -R1(config-router)#neighbor x.2.1.7 password zzzzzzzzzReview the BGP configuration to determine if it is peering with multiple autonomous systems. Interview the ISSM and router administrator to determine if unique keys are being used. +R1(config-router)#neighbor x.1.1.9 password yyyyyyyy +R1(config-router)#neighbor x.2.1.7 password zzzzzzzzzReview the BGP configuration to determine if it is peering with multiple autonomous systems. Interview the ISSM and router administrator to determine if unique keys are being used. router bgp xx no synchronization 
@@ -2956,7 +2956,7 @@ router bgp xx If unique keys are not being used, this is a finding.SRG-NET-000205-RTR-000016<GroupDescription></GroupDescription>CISC-RT-000750The Cisco PE router must be configured to ignore or drop all packets with any IP options.<VulnDiscussion>Packets with IP options are not fast-switched and therefore must be punted to the router processor. Hackers who initiate denial of service (DoS) attacks on routers commonly send large streams of packets with IP options. Dropping the packets with IP options reduces the load of IP options packets on the router. The end result is a reduction in the effects of the DoS attack on the router and on downstream routers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-96999SV-106137CCI-002403Configure the router to ignore or drop all packets with IP options as shown in the examples below: -R4(config)#ip options ignore +R4(config)#ip options ignore or 
@@ -2968,23 +2968,23 @@ ip options ignore If the router is not configured to drop or block all packets with IP options, this is a finding.SRG-NET-000512-RTR-000100<GroupDescription></GroupDescription>CISC-RT-000235The Cisco router must be configured to have Cisco Express Forwarding enabled.<VulnDiscussion>The Cisco Express Forwarding (CEF) switching mode replaces the traditional Cisco routing cache with a data structure that mirrors the entire system routing table. Because there is no need to build cache entries when traffic starts arriving for new destinations, CEF behaves more predictably when presented with large volumes of traffic addressed to many destinations—such as a SYN flood attacks that. Because many SYN flood attacks use randomized source addresses to which the hosts under attack will reply to, there can be a substantial amount of traffic for a large number of destinations that the router will have to handle. Consequently, routers configured for CEF will perform better under SYN floods directed at hosts inside the network than routers using the traditional cache.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028CCI-000366Enable CEF -IPv4 Example: ip cef +IPv4 Example: ip cef IPv6 Example: ipv6 cefReview the router to verify that CEF is enabled. 
-IPv4 Example: ip cef +IPv4 Example: ip cef IPv6 Example: ipv6 cefSRG-NET-000512-RTR-000012<GroupDescription></GroupDescription>CISC-RT-000236The Cisco router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.<VulnDiscussion>The Neighbor Discovery protocol allows a hop limit value to be advertised by routers in a Router Advertisement message being used by hosts instead of the standardized default value. If a very small value was configured and advertised to hosts on the LAN segment, communications would fail due to the hop limit reaching zero before the packets sent by a host reached its destination.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028CCI-000366Configure the router to advertise a hop limit of at least 32 in Router Advertisement messages. R1(config)#ipv6 hop-limit 128Review the router configuration to determine if the hop limit has been configured for Router Advertisement messages as shown in the example. ipv6 hop-limit 128 -If it has been configured and has not been set to at least 32, it is a finding.SRG-NET-000512-RTR-000013<GroupDescription></GroupDescription>CISC-RT-000237The Cisco router must not be configured to use IPv6 Site Local Unicast addresses.<VulnDiscussion>As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. 
The use of site-local addresses has the potential to adversely affect network security through leaks, ambiguity, and potential misrouting as documented in section 2 of RFC3879. RFC3879 formally deprecates the IPv6 site-local unicast prefix FEC0::/10 as defined in RFC3513.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028CCI-000366Configure the router using only authorized IPv6 addresses. Review the router configuration to ensure FEC0::/10 IPv6 addresses are not defined. +If it has been configured and has not been set to at least 32, it is a finding.SRG-NET-000512-RTR-000013<GroupDescription></GroupDescription>CISC-RT-000237The Cisco router must not be configured to use IPv6 Site Local Unicast addresses.<VulnDiscussion>As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of site-local addresses has the potential to adversely affect network security through leaks, ambiguity, and potential misrouting as documented in section 2 of RFC3879. 
RFC3879 formally deprecates the IPv6 site-local unicast prefix FEC0::/10 as defined in RFC3513.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028CCI-000366Configure the router using only authorized IPv6 addresses. Review the router configuration to ensure FEC0::/10 IPv6 addresses are not defined. If IPv6 Site Local Unicast addresses are defined, this is a finding.SRG-NET-000512-RTR-000014<GroupDescription></GroupDescription>CISC-RT-000391The Cisco perimeter router must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces.<VulnDiscussion>Many of the known attacks in stateless autoconfiguration are defined in RFC 3756 were present in IPv4 ARP attacks. To mitigate these vulnerabilities, links that have no hosts connected such as the interface connecting to external gateways must be configured to suppress router advertisements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028CCI-000366Configure the router to suppress Router Advertisements on all external IPv6-enabled interfaces as shown in the example below. R1(config)#int g1/0 R1(config-if)#ipv6 nd ra suppress R1(config-if)#end -This requirement is not applicable for the DODIN Backbone. 
+This requirement is not applicable for the DODIN Backbone. Review the router configuration to verify that Router Advertisements are suppressed on all external IPv6-enabled interfaces as shown in the example below.
@@ -3004,7 +3004,7 @@ R1(config-ipv6-acl)#deny ipv6 any any log R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6 in
-This requirement is not applicable for the DODIN Backbone.
+This requirement is not applicable for the DODIN Backbone. Review the router configuration to determine if it is configured to drop IPv6 undetermined transport packets.
@@ -3024,7 +3024,7 @@ ipv6 access-list FILTER_IPV6 … deny ipv6 any any log -If the router is not configured to drop IPv6 undetermined transport packets, this is a finding.SRG-NET-000364-RTR-000201<GroupDescription></GroupDescription>CISC-RT-000393The Cisco perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3–255. <VulnDiscussion>The routing header can be used maliciously to send a packet through a path where less robust security is in place, rather than through the presumably preferred path of routing protocols. Use of the routing extension header has few legitimate uses other than as implemented by Mobile IPv6. +If the router is not configured to drop IPv6 undetermined transport packets, this is a finding.SRG-NET-000364-RTR-000201<GroupDescription></GroupDescription>CISC-RT-000393The Cisco perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3–255. <VulnDiscussion>The routing header can be used maliciously to send a packet through a path where less robust security is in place, rather than through the presumably preferred path of routing protocols. Use of the routing extension header has few legitimate uses other than as implemented by Mobile IPv6. The Type 0 Routing Header (RFC 5095) is dangerous because it allows attackers to spoof source addresses and obtain traffic in response, rather than the real owner of the address. Secondly, a packet with an allowed destination address could be sent through a Firewall using the Routing Header functionality, only to bounce to a different node once inside. The Type 1 Routing Header is defined by a specification called "Nimrod Routing", a discontinued project funded by DARPA. Assuming that most implementations will not recognize the Type 1 Routing Header, it must be dropped. 
The Type 3–255 Routing Header values in the routing type field are currently undefined and should be dropped inbound and outbound.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028CCI-002403Configure the router to drop IPv6 packets with Routing Header of type 0, 1, or 3-255 as shown in the example below. R1(config)#ipv6 access-list FILTER_IPV6
@@ -3038,7 +3038,7 @@ R1(config-ipv6-acl)#deny ipv6 any any log R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6
-This requirement is not applicable for the DODIN Backbone.
+This requirement is not applicable for the DODIN Backbone. Review the router configuration to determine if it is configured to drop IPv6 packets containing a Routing Header of type 0, 1, or 3-255.
@@ -3076,9 +3076,9 @@ R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6 R1(config-if)#end
-This requirement is not applicable for the DODIN Backbone.
+This requirement is not applicable for the DODIN Backbone.
-Review the router configuration to determine if it is compliant with this requirement.
+Review the router configuration to determine if it is compliant with this requirement. Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface.
@@ -3090,7 +3090,7 @@ Step 2: Verify that the ACL drops IPv6 packets containing a Hop-by-Hop header wi ipv6 access-list FILTER_IPV6 deny hbh any any dest-option-type 4 log deny hbh any any dest-option-type 195 log
- deny hbh any any dest-option-type home-address log
+ deny hbh any any dest-option-type home-address log permit ipv6 … … …
@@ -3110,9 +3110,9 @@ R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6 R1(config-if)#end
-This requirement is not applicable for the DODIN Backbone.
+This requirement is not applicable for the DODIN Backbone.
-Review the router configuration to determine if it is compliant with this requirement.
+Review the router configuration to determine if it is compliant with this requirement. Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface.
@@ -3144,9 +3144,9 @@ R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6 R1(config-if)#end
-This requirement is not applicable for the DODIN Backbone.
+This requirement is not applicable for the DODIN Backbone.
-Review the router configuration to determine if it is compliant with this requirement.
+Review the router configuration to determine if it is compliant with this requirement. Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface.
@@ -3177,9 +3177,9 @@ R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6 R1(config-if)#end
-This requirement is not applicable for the DODIN Backbone.
+This requirement is not applicable for the DODIN Backbone.
-Review the router configuration and determine if filters are bound to the applicable interfaces to drop IPv6 packets containing a Destination Option header with option type value of 0xC3 (NSAP address).
+Review the router configuration and determine if filters are bound to the applicable interfaces to drop IPv6 packets containing a Destination Option header with option type value of 0xC3 (NSAP address). Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface.
@@ -3218,7 +3218,7 @@ R1(config-ipv6-acl)#deny any any dest-option-type 39 … R1(config-ipv6-acl)#deny any any dest-option-type 47 R1(config-ipv6-acl)#deny any any dest-option-type 49
-…
+… R1(config-ipv6-acl)#deny any any dest-option-type 255 R1(config-ipv6-acl)#permit … …
@@ -3228,7 +3228,7 @@ R1(config-ipv6-acl)#deny ipv6 any any log R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6
-This requirement is not applicable for the DODIN Backbone.
+This requirement is not applicable for the DODIN Backbone. Review the router configuration and determine if filters are bound to the applicable interfaces to drop all inbound IPv6 packets containing an undefined option type value regardless of whether they appear in a Hop-by-Hop or Destination Option header. Undefined values are 0x02, 0x03, 0x06, 0x9 – 0xE, 0x10 – 0x22, 0x24, 0x25, 0x27 – 0x2F, and 0x31 – 0xFF.
@@ -3259,7 +3259,7 @@ ipv6 access-list FILTER_IPV6 … deny any any dest-option-type 47 deny any any dest-option-type 49
- …
+ … deny any any dest-option-type 255 permit … …
@@ -3269,4 +3269,4 @@ ipv6 access-list FILTER_IPV6 Note: Because hop-by-hop and destination options have the same exact header format, they can be combined under the dest-option-type keyword. Since Hop-by-Hop and Destination Option headers have non-overlapping types, you can use dest-option-type to match either.
-If the router is not configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type, this is a finding.
\ No newline at end of file
+If the router is not configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type, this is a finding.
diff --git a/collections/ansible_collections/demo/compliance/roles/rhel7STIG/files/U_RHEL_7_STIG_V3R10_Manual-xccdf.xml b/collections/ansible_collections/demo/compliance/roles/rhel7STIG/files/U_RHEL_7_STIG_V3R10_Manual-xccdf.xml
index 8db3c5671..49be4e498 100644
--- a/collections/ansible_collections/demo/compliance/roles/rhel7STIG/files/U_RHEL_7_STIG_V3R10_Manual-xccdf.xml
+++ b/collections/ansible_collections/demo/compliance/roles/rhel7STIG/files/U_RHEL_7_STIG_V3R10_Manual-xccdf.xml
@@ -70,7 +70,7 @@ Update the system databases: Users must log out and back in again before the system-wide settings take effect.Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.
-Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+Note: If the system does not have GNOME installed, this requirement is Not Applicable. Check to see if the operating system displays a banner at the logon screen with the following command:
@@ -224,19 +224,19 @@ Satisfies: SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162</VulnDiscussion& Note: If the system does not have GNOME installed, this requirement is Not Applicable. -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: +Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example is using the database local for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. # touch /etc/dconf/db/local.d/00-defaults Edit "[org/gnome/login-screen]" and add or update the following line: -enable-smartcard-authentication=true +enable-smartcard-authentication=true Update the system databases: # dconf updateVerify the operating system uniquely identifies and authenticates users using multifactor authentication via a graphical user logon. -Note: If the system does not have GNOME installed, this requirement is Not Applicable. +Note: If the system does not have GNOME installed, this requirement is Not Applicable. Determine which profile the system database is using with the following command: 
@@ -283,7 +283,7 @@ If the "idle-delay" setting is missing or is not set to "900" or less, this is a The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73155SV-87807CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.
-Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.
@@ -291,7 +291,7 @@ Note: The example below is using the database "local" for the system, so if the Add the setting to lock the screensaver lock delay:
- /org/gnome/desktop/screensaver/lock-delayVerify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.
+ /org/gnome/desktop/screensaver/lock-delayVerify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. Note: If the system does not have GNOME installed, this requirement is Not Applicable.
@@ -310,7 +310,7 @@ If the command does not return a result, this is a finding.DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73157SV-87809CCI-000057Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces.
-Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in /etc/dconf/profile/user, the file should be created under the appropriate subdirectory.
@@ -318,7 +318,7 @@ Note: The example below is using the database "local" for the system, so if the Add the setting to lock the session idle delay:
- /org/gnome/desktop/session/idle-delayVerify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces.
+ /org/gnome/desktop/session/idle-delayVerify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces. Note: If the system does not have GNOME installed, this requirement is Not Applicable.
@@ -337,7 +337,7 @@ If the command does not return a result, this is a finding.DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71899SV-86523CCI-000057Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces. -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: +Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: # touch /etc/dconf/db/local.d/00-screensaver 
@@ -366,7 +366,7 @@ The session lock is implemented at the point where session activity can be deter The ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-78997SV-93703CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: +Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. 
@@ -374,7 +374,7 @@ Note: The example below is using the database "local" for the system, so if the Add the setting to lock the screensaver idle-activation-enabled setting:
- /org/gnome/desktop/screensaver/idle-activation-enabledVerify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.
+ /org/gnome/desktop/screensaver/idle-activation-enabledVerify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. Note: If the system does not have GNOME installed, this requirement is Not Applicable.
@@ -395,7 +395,7 @@ If the command does not return a result, this is a finding.DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71901SV-86525CCI-000057Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated.
-Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: # touch /etc/dconf/db/local.d/00-screensaver
@@ -410,7 +410,7 @@ Update the system databases: # dconf update
-Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated.
+Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated. Note: If the system does not have GNOME installed, this requirement is Not Applicable.
@@ -434,7 +434,7 @@ Add the following line to "/etc/pam.d/system-auth" (or modify the line to have t password required pam_pwquality.so retry=3 -Note: The value of "retry" should be between "1" and "3".Verify the operating system uses "pwquality" to enforce the password complexity rules. +Note: The value of "retry" should be between "1" and "3".Verify the operating system uses "pwquality" to enforce the password complexity rules. Check for the use of "pwquality" with the following command: 
@@ -454,22 +454,22 @@ ucredit = -1SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>RHEL-07-010130The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86529V-71905CCI-000193Configure the system to require at least one lower-case character when creating or changing a password. -Add or modify the following line +Add or modify the following line in "/etc/security/pwquality.conf": lcredit = -1Note: The value to require a number of lower-case characters to be set is expressed as a negative number in "/etc/security/pwquality.conf". 
Check the value for "lcredit" in "/etc/security/pwquality.conf" with the following command: -# grep lcredit /etc/security/pwquality.conf -lcredit = -1 +# grep lcredit /etc/security/pwquality.conf +lcredit = -1 If the value of "lcredit" is not set to a negative value, this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>RHEL-07-010140The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -481,8 +481,8 @@ dcredit = -1SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>RHEL-07-010150The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
@@ -496,7 +496,7 @@ Note: The value to require a number of special characters to be set is expressed Check the value for "ocredit" in "/etc/security/pwquality.conf" with the following command: -# grep ocredit /etc/security/pwquality.conf +# grep ocredit /etc/security/pwquality.conf ocredit=-1 If the value of "ocredit" is not set to a negative value, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010160The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -509,7 +509,7 @@ difok = 8SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010170The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -522,7 +522,7 @@ minclass = 4SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010180The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
@@ -535,7 +535,7 @@ maxrepeat = 3SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010190The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -548,7 +548,7 @@ maxclassrepeat = 4SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010200The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71919SV-86543CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. 
@@ -582,13 +582,13 @@ ENCRYPT_METHOD SHA512 If the "/etc/login.defs" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010220The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71923SV-86547CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. -Add or update the following line in "/etc/libuser.conf" in the [defaults] section: +Add or update the following line in "/etc/libuser.conf" in the [defaults] section: crypt_style = sha512Verify the user and group account administration utilities are configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is "SHA512". Check that the system is configured to create "SHA512" hashed passwords with the following command: -# grep -i sha512 /etc/libuser.conf +# grep -i sha512 /etc/libuser.conf crypt_style = sha512 
@@ -598,7 +598,7 @@ Add the following line in "/etc/login.defs" (or modify the line to have the requ PASS_MIN_DAYS 1Verify the operating system enforces 24 hours/1 day as the minimum password lifetime for new user accounts. -Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command: +Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command: # grep -i pass_min_days /etc/login.defs PASS_MIN_DAYS 1 @@ -634,7 +634,7 @@ If any results are returned that are not associated with a system account, this Add the following line in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" (or modify the line to have the required value): password requisite pam_pwhistory.so use_authtok remember=5 retry=3 - + Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.Verify the operating system prohibits password reuse for a minimum of five generations. Check for the value of the "remember" argument in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" with the following command: 
@@ -659,7 +659,7 @@ If the command does not return a "minlen" value of 15 or greater, this is a find Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords. -Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.To verify that null passwords cannot be used, run the following command: +Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.To verify that null passwords cannot be used, run the following command: # grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth @@ -699,7 +699,7 @@ Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pa auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 auth sufficient pam_unix.so try_first_pass auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so +account required pam_faillock.so Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.Check that the system locks an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes with the following command: 
@@ -707,7 +707,7 @@ Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so +account required pam_faillock.so If the "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. @@ -717,7 +717,7 @@ If the "fail_interval" parameter is set to "0" or is set to a value less than "9 If the "unlock_time" parameter is not set to "0", "never", or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. -Note: The maximum configurable value for "unlock_time" is "604800". +Note: The maximum configurable value for "unlock_time" is "604800". If any line referencing the "pam_faillock.so" module is commented out, this is a finding. 
@@ -735,7 +735,7 @@ If the "fail_interval" parameter is set to "0" or is set to a value less than "9 If the "unlock_time" parameter is not set to "0", "never", or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module or is missing from these lines, this is a finding. -Note: The maximum configurable value for "unlock_time" is "604800". +Note: The maximum configurable value for "unlock_time" is "604800". If any line referencing the "pam_faillock.so" module is commented out, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>RHEL-07-010330The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. 
@@ -752,19 +752,19 @@ Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite # grep pam_faillock.so /etc/pam.d/password-auth -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 account required pam_faillock.so If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding. # grep pam_faillock.so /etc/pam.d/system-auth -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 account required pam_faillock.so -If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010340The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
+If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010340The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. 
@@ -784,7 +784,7 @@ Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with $ sudo grep -ir nopasswd /etc/sudoers /etc/sudoers.d -If any occurrences of "NOPASSWD" are returned from the command and have not been documented with the Information System Security Officer (ISSO) as an organizationally defined administrative group utilizing MFA, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010350The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. +If any occurrences of "NOPASSWD" are returned from the command and have not been documented with the Information System Security Officer (ISSO) as an organizationally defined administrative group utilizing MFA, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010350The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. @@ -826,7 +826,7 @@ Add or edit the line for the "AutomaticLoginEnable" parameter in the [daemon] se [daemon] AutomaticLoginEnable=falseVerify the operating system does not allow an unattended or automatic logon to the system via a graphical user interface. -Note: If the system does not have GNOME installed, this requirement is Not Applicable. +Note: If the system does not have GNOME installed, this requirement is Not Applicable. Check for the value of the "AutomaticLoginEnable" in the "/etc/gdm/custom.conf" file with the following command: 
@@ -842,7 +842,7 @@ Add or edit the line for the "TimedLoginEnable" parameter in the [daemon] sectio [daemon] TimedLoginEnable=falseVerify the operating system does not allow an unrestricted logon to the system via a graphical user interface. -Note: If the system does not have GNOME installed, this requirement is Not Applicable. +Note: If the system does not have GNOME installed, this requirement is Not Applicable. Check for the value of the "TimedLoginEnable" parameter in "/etc/gdm/custom.conf" file with the following command: 
@@ -890,7 +890,7 @@ ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block d If "ExecStart" does not have "/usr/sbin/sulogin" as an option, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010482Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95717V-81005CCI-000213Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/grub2/user.cfg file. Generate an encrypted grub2 password for the grub superusers account with the following command: - + $ sudo grub2-setpassword Enter password: Confirm password:For systems that use UEFI, this is Not Applicable. 
@@ -921,7 +921,7 @@ If the grub superusers password does not begin with "grub.pbkdf2.sha512", this i Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: -1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; +1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and 
@@ -1014,7 +1014,7 @@ If they are not mapped in this way, this is a finding. If administrator accounts are mapped to the "sysadm_u" SELinux user and are not documented as an operational requirement with the ISSO, this is a finding. If administrator accounts are mapped to the "sysadm_u" SELinux user and are documented as an operational requirement with the ISSO, this can be downgraded to a CAT III.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-07-020030The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86597V-71973CCI-001744Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. 
It will set cron to run AIDE daily, but other file integrity tools may be used: +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86597V-71973CCI-001744Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. It will set cron to run AIDE daily, but other file integrity tools may be used: # more /etc/cron.daily/aide #!/bin/bash 
@@ -1036,9 +1036,9 @@ Check the cron directories for a script file controlling the execution of the fi If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-07-020040The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71975SV-86599CCI-001744Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. 
+Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71975SV-86599CCI-001744Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. -The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. +The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. # more /etc/cron.daily/aide 
@@ -1049,7 +1049,7 @@ Note: A file integrity tool other than Advanced Intrusion Detection Environment Check for the presence of a cron job running routinely on the system that executes AIDE to scan for changes to the system baseline. The commands used in the example will use a daily occurrence. Check the cron directories for a "crontab" script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command: - + # ls -al /etc/cron.* | grep aide -rwxr-xr-x 1 root root 602 Mar 6 20:02 aide @@ -1077,7 +1077,7 @@ Check that yum verifies the signature of packages from a repository prior to ins # grep gpgcheck /etc/yum.conf gpgcheck=1 -If "gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. +If "gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. If there is no process to validate certificates that is approved by the organization, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-07-020060The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. 
@@ -1092,7 +1092,7 @@ Check that yum verifies the signature of local packages prior to install with th # grep localpkg_gpgcheck /etc/yum.conf localpkg_gpgcheck=1 -If "localpkg_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the signatures of local packages and other operating system components are verified. +If "localpkg_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the signatures of local packages and other operating system components are verified. If there is no process to validate the signatures of local packages that is approved by the organization, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-07-020100The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.<VulnDiscussion>USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. @@ -1137,7 +1137,7 @@ Add the following line to the created file: install dccp /bin/true -Ensure that the DCCP module is blacklisted: +Ensure that the DCCP module is blacklisted: # vi /etc/modprobe.d/blacklist.conf 
@@ -1265,7 +1265,7 @@ If the ctrl-alt-del.target is not masked, this is a finding. If the ctrl-alt-del.target is active, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020231The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-94843SV-104673CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface with the following command: -# touch /etc/dconf/db/local.d/00-disable-CAD +# touch /etc/dconf/db/local.d/00-disable-CAD Add the setting to disable the Ctrl-Alt-Delete sequence for the graphical user interface: 
@@ -1309,7 +1309,7 @@ Current End of Extended Update Support for RHEL 7.7 is 30 August 2021. Current End of Maintenance Support for RHEL 7.9 is 30 June 2024. -If the release is not supported by the vendor, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020260The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.<VulnDiscussion>Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86623V-71999CCI-000366Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). 
+If the release is not supported by the vendor, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020260The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.<VulnDiscussion>Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86623V-71999CCI-000366Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). Obtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. 
It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. 
@@ -1319,19 +1319,19 @@ Check that the available package security updates have been installed on the sys Loaded plugins: langpacks, product-id, subscription-manager ID | Command line | Date and time | Action(s) | Altered ------------------------------------------------------------------------------- - 70 | install aide | 2016-05-05 10:58 | Install | 1 + 70 | install aide | 2016-05-05 10:58 | Install | 1 69 | update -y | 2016-05-04 14:34 | Update | 18 EE - 68 | install vlc | 2016-04-21 17:12 | Install | 21 + 68 | install vlc | 2016-04-21 17:12 | Install | 21 67 | update -y | 2016-04-21 17:04 | Update | 7 EE 66 | update -y | 2016-04-15 16:47 | E, I, U | 84 EE -If package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding. +If package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding. Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. -If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020270The Red Hat Enterprise Linux operating system must not have unnecessary accounts.<VulnDiscussion>Accounts providing no operational purpose provide additional opportunities for system compromise. 
Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86625V-72001CCI-000366Configure the system so all accounts on the system are assigned to an active system, application, or user account. +If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020270The Red Hat Enterprise Linux operating system must not have unnecessary accounts.<VulnDiscussion>Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86625V-72001CCI-000366Configure the system so all accounts on the system are assigned to an active system, application, or user account. 
-Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. +Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. Document all authorized accounts on the system.Verify all accounts on the system are assigned to an active system, application, or user account. 
@@ -1349,7 +1349,7 @@ halt:x:7:0:halt:/sbin:/sbin/halt games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin -Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. +Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>RHEL-07-020300The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file.<VulnDiscussion>If a user is assigned the GID of a group not existing on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72003SV-86627CCI-000764Configure the system to define all GIDs found in the "/etc/passwd" file by modifying the "/etc/group" file to add any non-existent group referenced in the "/etc/passwd" file, or change the GIDs referenced in the "/etc/passwd" file to a group that exists in "/etc/group".Verify all GIDs referenced in the "/etc/passwd" file are defined in the "/etc/group" file. 
@@ -1357,7 +1357,7 @@ Check that all referenced GIDs exist with the following command: # pwck -r -If GIDs referenced in "/etc/passwd" file are returned as not defined in "/etc/group" file, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020310The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.<VulnDiscussion>If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86629V-72005CCI-000366Change the UID of any account on the system, other than root, that has a UID of "0". +If GIDs referenced in "/etc/passwd" file are returned as not defined in "/etc/group" file, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020310The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.<VulnDiscussion>If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. 
Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86629V-72005CCI-000366Change the UID of any account on the system, other than root, that has a UID of "0". If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.Check the system for duplicate UID "0" assignments with the following command: @@ -1398,7 +1398,7 @@ In addition, if a local interactive user has a home directory defined that does Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a UID of "smithj", and a Group Identifier (GID) of "users" assigned in "/etc/passwd". -# mkdir /home/smithj +# mkdir /home/smithj # chown smithj /home/smithj # chgrp users /home/smithj # chmod 0750 /home/smithjVerify local interactive users on the system have a home directory assigned and the directory exists. 
@@ -1490,7 +1490,7 @@ Note: The example will be for the user "smithj", who has a home directory of "/h If any files are found with an owner different than the group home directory user, check to see if the user is a member of that group with the following command: # grep smithj /etc/group -sa:x:100:juan,shelley,bob,smithj +sa:x:100:juan,shelley,bob,smithj smithj:x:521:smithj If the user is not a member of a group that group owns file(s) in a local interactive user's home directory, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020680The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.<VulnDiscussion>If a local interactive user files have excessive permissions, unintended users may be able to access or modify them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72027SV-86651CCI-000366Set the mode on files and directories in the local interactive user home directory with the following command: @@ -1547,7 +1547,7 @@ Note: The example will be for the smithj user, who has a home directory of "/hom smithj 1000 /home/smithj # grep 1000 /etc/group -users:x:1000:smithj,jonesj,jacksons +users:x:1000:smithj,jonesj,jacksons Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. 
@@ -1575,7 +1575,7 @@ Note: The example will be for the "smithj" user, who has a home directory of "/h -rwxr----- 1 smithj users 497 Jan 6 2007 .login -rwxr----- 1 smithj users 886 Jan 6 2007 .something -If any local initialization files have a mode more permissive than "0740", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020720The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.<VulnDiscussion>The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72035SV-86659CCI-000366Edit the local interactive user initialization files to change any PATH variable statements that reference directories other than their home directory. 
+If any local initialization files have a mode more permissive than "0740", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020720The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.<VulnDiscussion>The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72035SV-86659CCI-000366Edit the local interactive user initialization files to change any PATH variable statements that reference directories other than their home directory. 
If a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO.Verify that all local interactive user initialization files' executable search path statements do not contain statements that will reference a working directory other than the user's home directory. 
@@ -1637,7 +1637,7 @@ Check the file systems that are mounted at boot time with the following command: # more /etc/fstab UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid 0 2 - + If a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021010The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.<VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86667V-72043CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on file systems that are associated with removable media.Verify file systems that are used for removable media are mounted with the "nosuid" option. Check the file systems that are mounted at boot time with the following command: 
@@ -1694,11 +1694,11 @@ tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel) If /dev/shm is mounted without secure options "nodev", "nosuid", and "noexec", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021030The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.<VulnDiscussion>If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. -The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72047SV-86671CCI-000366All directories in local partitions which are world-writable should be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this should be investigated. Following this, the directories should be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not group-owned by a system account, assuming only system accounts have a GID lower than 1000. 
Run it once for each local partition [PART]: +The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72047SV-86671CCI-000366All directories in local partitions which are world-writable should be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this should be investigated. Following this, the directories should be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not group-owned by a system account, assuming only system accounts have a GID lower than 1000. Run it once for each local partition [PART]: # find [PART] -xdev -type d -perm -0002 -gid +999 -print -If there is output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021040The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.<VulnDiscussion>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". 
This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72049SV-86673CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Remove the umask statement from all local interactive user's initialization files. +If there is output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021040The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.<VulnDiscussion>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". 
This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72049SV-86673CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Remove the umask statement from all local interactive user's initialization files. If the account is for an application, the requirement for a umask less restrictive than "077" can be documented with the Information System Security Officer, but the user agreement for access to the account must specify that the local interactive user must log on to their account first and then switch the user to the application account with the correct option to gain the account's environment variables.Verify that the default umask for all local interactive users is "077". 
@@ -1804,7 +1804,7 @@ Verify that "/var/log/audit" is mounted on a separate file system: If no result is returned, or "/var/log/audit" is not on a separate file system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021340The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86689V-72065CCI-000366Start the "tmp.mount" service with the following command: # systemctl enable tmp.mount - + OR Edit the "/etc/fstab" file and ensure the "/tmp" directory is defined in the fstab with a device and mount point.Verify that a separate file system/partition has been created for "/tmp". 
@@ -1825,7 +1825,7 @@ Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPO To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. -Configure the operating system to implement DoD-approved encryption by following the steps below: +Configure the operating system to implement DoD-approved encryption by following the steps below: The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a non-unique key. @@ -1889,7 +1889,7 @@ Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on tra If the kernel command line is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command: -# cat /proc/sys/crypto/fips_enabled +# cat /proc/sys/crypto/fips_enabled 1 If a "dracut-fips" package is not installed, the kernel command line does not have a fips entry, or the system has a value of "0" for "fips_enabled" in "/proc/sys/crypto", this is a finding. 
@@ -1898,11 +1898,11 @@ Verify the file /etc/system-fips exists. # ls -l /etc/system-fips -If this file does not exist, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021600The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).<VulnDiscussion>ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86693V-72069CCI-000366Configure the file integrity tool to check file and directory ACLs. +If this file does not exist, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021600The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).<VulnDiscussion>ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86693V-72069CCI-000366Configure the file integrity tool to check file and directory ACLs. 
If AIDE is installed, ensure the "acl" rule is present on all uncommented file and directory selection lists.Verify the file integrity tool is configured to verify ACLs. -Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. +Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. Use the following command to determine if the file is in another location: 
@@ -1913,10 +1913,10 @@ Check the "aide.conf" file to determine if the "acl" rule has been added to the An example rule that includes the "acl" rule is below: All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux - /bin All # apply the custom rule to the files in bin - /sbin All # apply the same custom rule to the files in sbin + /bin All # apply the custom rule to the files in bin + /sbin All # apply the same custom rule to the files in sbin -If the "acl" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021610The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.<VulnDiscussion>Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86695V-72071CCI-000366Configure the file integrity tool to check file and directory extended attributes. 
+If the "acl" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021610The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.<VulnDiscussion>Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86695V-72071CCI-000366Configure the file integrity tool to check file and directory extended attributes. If AIDE is installed, ensure the "xattrs" rule is present on all uncommented file and directory selection lists.Verify the file integrity tool is configured to verify extended attributes. 
@@ -1930,16 +1930,16 @@ Check the "aide.conf" file to determine if the "xattrs" rule has been added to t An example rule that includes the "xattrs" rule follows: All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux - /bin All # apply the custom rule to the files in bin - /sbin All # apply the same custom rule to the files in sbin + /bin All # apply the custom rule to the files in bin + /sbin All # apply the same custom rule to the files in sbin If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021620The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.<VulnDiscussion>File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes. -Red Hat Enterprise Linux operating system installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86697V-72073CCI-000366Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents. 
+Red Hat Enterprise Linux operating system installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86697V-72073CCI-000366Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents. If AIDE is installed, ensure the "sha512" rule is present on all uncommented file and directory selection lists. Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications.Verify the file integrity tool is configured to use FIPS 140-2-approved cryptographic hashes for validating file contents and directories. -Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. +Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. Use the following command to determine if the file is in another location: 
@@ -1948,10 +1948,10 @@ Use the following command to determine if the file is in another location: Check the "aide.conf" file to determine if the "sha512" rule has been added to the rule list being applied to the files and directories selection lists. Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications. An example rule that includes the "sha512" rule follows: - + All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux - /bin All # apply the custom rule to the files in bin - /sbin All # apply the same custom rule to the files in sbin + /bin All # apply the custom rule to the files in bin + /sbin All # apply the same custom rule to the files in sbin If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2-approved cryptographic hashes for validating file contents and directories, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-021700The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.<VulnDiscussion>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. 
If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86699V-72075CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.Verify the system is not configured to use a boot loader on removable media. @@ -1962,7 +1962,7 @@ Check for the existence of alternate boot loader configuration files with the fo # find / -name grub.cfg /boot/grub2/grub.cfg -If a "grub.cfg" is found in any subdirectories other than "/boot/grub2" and "/boot/efi/EFI/redhat", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader. +If a "grub.cfg" is found in any subdirectories other than "/boot/grub2" and "/boot/efi/EFI/redhat", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader. Check that the grub configuration file has the set root command in each menu entry with the following commands: 
@@ -1981,7 +1981,7 @@ Examples of non-essential capabilities include, but are not limited to, games, s The telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session. -If a privileged user were to log on using this service, the privileged user password could be compromised. +If a privileged user were to log on using this service, the privileged user password could be compromised. Check to see if the telnet-server package is installed with the following command: @@ -2032,7 +2032,7 @@ Kernel log monitoring must also be configured to properly alert designated staff The audit daemon must be restarted for the changes to take effect.Confirm the audit configuration regarding how auditing processing failures are handled. -Check to see what level "auditctl" is set to with following command: +Check to see what level "auditctl" is set to with following command: # auditctl -s | grep -i "fail" failure 2 
@@ -2123,7 +2123,7 @@ To determine the remote server that the records are being sent to, use the follo # grep -i remote_server /etc/audisp/audisp-remote.conf remote_server = 10.0.21.1 -If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. +If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030310The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. 
@@ -2140,7 +2140,7 @@ To determine if the transfer is encrypted, use the following command: # grep -i enable_krb5 /etc/audisp/audisp-remote.conf enable_krb5 = yes -If the value of the "enable_krb5" option is not set to "yes" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. +If the value of the "enable_krb5" option is not set to "yes" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030320The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.<VulnDiscussion>Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72087SV-86711CCI-001851Configure the action the operating system takes if the disk the audit records are written to becomes full. 
@@ -2188,8 +2188,8 @@ space_left = 25% If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030340The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.<VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72091SV-86715CCI-001855Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. -Uncomment or edit the "space_left_action" keyword in "/etc/audit/auditd.conf" and set it to "email". - +Uncomment or edit the "space_left_action" keyword in "/etc/audit/auditd.conf" and set it to "email". + space_left_action = emailVerify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. Check what action the operating system takes when the threshold for the repository maximum audit record storage capacity is reached with the following command: 
@@ -2199,8 +2199,8 @@ space_left_action = email If the value of the "space_left_action" keyword is not set to "email", this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030350The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.<VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72093SV-86717CCI-001855Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. -Uncomment or edit the "action_mail_acct" keyword in "/etc/audit/auditd.conf" and set it to root and any other accounts associated with security personnel. - +Uncomment or edit the "action_mail_acct" keyword in "/etc/audit/auditd.conf" and set it to root and any other accounts associated with security personnel. + action_mail_acct = rootVerify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. 
Check what account the operating system emails when the threshold for the repository maximum audit record storage capacity is reached with the following command: @@ -2427,15 +2427,15 @@ If the command does not return any output, this is a finding.DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72145SV-86769CCI-000126CCI-000172CCI-002884Configure the operating system to generate audit records when unsuccessful account access events occur. +Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72145SV-86769CCI-000126CCI-000172CCI-002884Configure the operating system to generate audit records when unsuccessful account access events occur. -Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": -w /var/run/faillock -p wa -k logins -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when unsuccessful account access events occur. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when unsuccessful account access events occur. -Check the file system rule in "/etc/audit/audit.rules" with the following commands: +Check the file system rule in "/etc/audit/audit.rules" with the following commands: # grep -i /var/run/faillock /etc/audit/audit.rules 
@@ -2445,19 +2445,19 @@ If the command does not return any output, this is a finding.DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72147SV-86771CCI-000126CCI-000172CCI-002884Configure the operating system to generate audit records when successful account access events occur. +Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72147SV-86771CCI-000126CCI-000172CCI-002884Configure the operating system to generate audit records when successful account access events occur. -Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": -w /var/log/lastlog -p wa -k logins -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful account access events occur. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful account access events occur. 
-Check the file system rules in "/etc/audit/audit.rules" with the following commands: +Check the file system rules in "/etc/audit/audit.rules" with the following commands: # grep -i /var/log/lastlog /etc/audit/audit.rules --w /var/log/lastlog -p wa -k logins +-w /var/log/lastlog -p wa -k logins If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030630The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -2567,13 +2567,13 @@ When a user logs on, the auid is set to the uid of the account that is being aut Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86783V-72159CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur. -Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "su" command occur. -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": +Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "/usr/bin/su" /etc/audit/audit.rules 
@@ -2587,13 +2587,13 @@ When a user logs on, the auid is set to the uid of the account that is being aut Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72161SV-86785CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudo" command occur. -Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "sudo" command occur. -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": +Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "/usr/bin/sudo" /etc/audit/audit.rules 
@@ -2611,9 +2611,9 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": -w /etc/sudoers.d/ -p wa -k privileged-actions -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory. -Check for modification of the following files being audited by performing the following commands to check the file system rules in "/etc/audit/audit.rules": +Check for modification of the following files being audited by performing the following commands to check the file system rules in "/etc/audit/audit.rules": # grep -i "/etc/sudoers" /etc/audit/audit.rules 
@@ -2631,13 +2631,13 @@ When a user logs on, the auid is set to the uid of the account that is being aut Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72165SV-86789CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "newgrp" command occur. -Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "newgrp" command occur. -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": +Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "/usr/bin/newgrp" /etc/audit/audit.rules 
@@ -2651,13 +2651,13 @@ When a user logs on, the auid is set to the uid of the account that is being aut Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86791V-72167CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur. -Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chsh" command occur. -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": +Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "/usr/bin/chsh" /etc/audit/audit.rules 
@@ -2679,7 +2679,7 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur. -Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": +Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "mount" /etc/audit/audit.rules 
@@ -2697,17 +2697,17 @@ When a user logs on, the auid is set to the uid of the account that is being aut Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72173SV-86797CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "umount" command occur. -Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "umount" command occur. 
-Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": +Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "/usr/bin/umount" /etc/audit/audit.rules --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030760The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -2717,13 +2717,13 @@ When a user logs on, the auid is set to the uid of the account that is being aut Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72175SV-86799CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur. -Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postdrop" command occur. -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": +Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "/usr/sbin/postdrop" /etc/audit/audit.rules 
@@ -2735,15 +2735,15 @@ At a minimum, the organization must audit the full-text recording of privileged When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86801V-72177CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur. +Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86801V-72177CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur. 
-Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postqueue" command occur. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postqueue" command occur. -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": +Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "/usr/sbin/postqueue" /etc/audit/audit.rules 
@@ -2755,15 +2755,15 @@ At a minimum, the organization must audit the full-text recording of privileged When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86803V-72179CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. +Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86803V-72179CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. 
-Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": +Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "/usr/libexec/openssh/ssh-keysign" /etc/audit/audit.rules 
@@ -2775,15 +2775,15 @@ At a minimum, the organization must audit the full-text recording of privileged When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86807V-72183CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. +Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86807V-72183CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. 
-Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-cron -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "crontab" command occur. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "crontab" command occur. -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": +Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "/usr/bin/crontab" /etc/audit/audit.rules 
@@ -2791,21 +2791,21 @@ $ sudo grep -w "/usr/bin/crontab" /etc/audit/audit.rules If the command does not return any output, this is a finding.SRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>RHEL-07-030810The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72185SV-86809CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. +When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. 
The audit system interprets -1, 4294967295, and "unset" in the same way.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72185SV-86809CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. -Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. 
Check the auditing rules in "/etc/audit/audit.rules" with the following command: $ sudo grep -w "/usr/sbin/pam_timestamp_check" /etc/audit/audit.rules --a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam +-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam -If the command does not return any output, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030819The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If the command does not return any output, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030819The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -2817,7 +2817,7 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. Check the auditing rules in "/etc/audit/audit.rules" with the following command: 
@@ -2827,13 +2827,13 @@ $ sudo grep -w "create_module" /etc/audit/audit.rules -a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change -If both the "b32" and "b64" audit rules are not defined for the "create_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030820The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If both the "b32" and "b64" audit rules are not defined for the "create_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030820The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. 
-Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72187SV-86811CCI-000172Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. +Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72187SV-86811CCI-000172Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. Add or update the following rules in "/etc/audit/rules.d/audit.rules": 
@@ -2841,29 +2841,29 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. Check the auditing rules in "/etc/audit/audit.rules" with the following command: -$ sudo grep init_module /etc/audit/audit.rules +$ sudo grep init_module /etc/audit/audit.rules -a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange -a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange -If both the "b32" and "b64" audit rules are not defined for the "init_module" and "finit_module" syscalls, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030830The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+If both the "b32" and "b64" audit rules are not defined for the "init_module" and "finit_module" syscalls, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030830The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). -Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72189SV-86813CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. 
+Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72189SV-86813CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. -Add or update the following rules in "/etc/audit/rules.d/audit.rules": +Add or update the following rules in "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module-change -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module-change -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. Check the auditing rules in "/etc/audit/audit.rules" with the following command: 
@@ -2873,19 +2873,19 @@ $ sudo grep -w "delete_module" /etc/audit/audit.rules -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module-change -If both the "b32" and "b64" audit rules are not defined for the "delete_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030840The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If both the "b32" and "b64" audit rules are not defined for the "delete_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030840The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
-Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86815V-72191CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "kmod" command occur. +Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86815V-72191CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "kmod" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "kmod" command occur. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "kmod" command occur. Check the auditing rules in "/etc/audit/audit.rules" with the following command: 
@@ -3010,7 +3010,7 @@ Note: If another logging package is used, substitute the utility configuration f # grep @ /etc/rsyslog.conf /etc/rsyslog.d/*.conf *.* @@logagg.site.mil -If there are no lines in the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files that contain the "@" or "@@" symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all "rsyslog" output, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. +If there are no lines in the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files that contain the "@" or "@@" symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all "rsyslog" output, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. If the lines are commented out or there is no evidence that the audit logs are being sent to another system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-031010The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.<VulnDiscussion>Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of Service. 
@@ -3054,15 +3054,15 @@ Check which services are currently active with the following command: # firewall-cmd --list-all public (default, active) interfaces: enp0s3 - sources: + sources: services: dhcpv6-client dns http https ldaps rpc-bind ssh - ports: + ports: masquerade: no - forward-ports: - icmp-blocks: - rich rules: + forward-ports: + icmp-blocks: + rich rules: -Ask the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA. +Ask the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA. If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-07-040110The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. 
@@ -3087,7 +3087,7 @@ Inspect the "Ciphers" configuration with the following command: # grep -i ciphers /etc/ssh/sshd_config Ciphers aes256-ctr,aes192-ctr,aes128-ctr -If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-07-040160The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. +If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-07-040160The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. 
In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. @@ -3195,7 +3195,7 @@ sssd.service - System Security Services Daemon Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled) Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago -If the "sssd.service" is "active", then LDAP is being used. +If the "sssd.service" is "active", then LDAP is being used. Determine the "id_provider" the LDAP is currently using: @@ -3227,7 +3227,7 @@ sssd.service - System Security Services Daemon Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled) Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago -If the "sssd.service" is "active", then LDAP is being used. +If the "sssd.service" is "active", then LDAP is being used. Determine the "id_provider" the LDAP is currently using: 
@@ -3296,14 +3296,14 @@ If "kernel.randomize_va_space" is not configured in the /etc/sysctl.conf file or Check that the operating system implements virtual address space randomization with the following command: - # /sbin/sysctl -a | grep kernel.randomize_va_space + # /sbin/sysctl -a | grep kernel.randomize_va_space kernel.randomize_va_space = 2 If "kernel.randomize_va_space" does not have a value of "2", this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-07-040300The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. +If conflicting results are returned, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-07-040300The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). 
Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa. 
@@ -3316,9 +3316,9 @@ libssh2.x86_64 1.4.3-8.el7 @anaconda/7.1 openssh.x86_64 6.6.1p1-11.el7 @anaconda/7.1 openssh-server.x86_64 6.6.1p1-11.el7 @anaconda/7.1 -If the "SSH server" package is not installed, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-07-040310The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. +If the "SSH server" package is not installed, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-07-040310The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). 
Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
@@ -3477,7 +3477,7 @@ Check that the SSH daemon is configured to only use MACs employing FIPS 140-2-ap # grep -i macs /etc/ssh/sshd_config MACs hmac-sha2-512,hmac-sha2-256 -If any hashes other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, they are missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040410The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.<VulnDiscussion>If a public host key file is modified by an unauthorized user, the SSH service may be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72255SV-86879CCI-000366Note: SSH public key files may be found in other directories on the system depending on the installation. 
+If any hashes other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, they are missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040410The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.<VulnDiscussion>If a public host key file is modified by an unauthorized user, the SSH service may be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72255SV-86879CCI-000366Note: SSH public key files may be found in other directories on the system depending on the installation. Change the mode of public host key files under "/etc/ssh" to "0644" with the following command: 
@@ -3505,7 +3505,7 @@ The following command will find all SSH private key files on the system and list -rw-r----- 1 root ssh_keys 202 Apr 1 11:59 ssh_host_key -rw-r----- 1 root ssh_keys 352 Apr 1 11:59 ssh_host_rsa_key -If any file has a mode more permissive than "0640", this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-040430The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.<VulnDiscussion>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72259SV-86883CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": +If any file has a mode more permissive than "0640", this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-040430The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.<VulnDiscussion>GSSAPI authentication is used to 
provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72259SV-86883CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": GSSAPIAuthentication no @@ -3586,7 +3586,7 @@ If NTP was running and "maxpoll" was updated, the NTP service must be restarted: If NTP was not running, it must be started: -# systemctl start ntpd +# systemctl start ntpd If "chronyd" was running and "maxpoll" was updated, the service must be restarted: @@ -3644,9 +3644,9 @@ Check to see if "firewalld" is installed with the following command: # yum list installed firewalld firewalld-0.3.9-11.el7.noarch.rpm -If the "firewalld" package is not installed, ask the System Administrator if another firewall application (such as iptables) is installed. +If the "firewalld" package is not installed, ask the System Administrator if another firewall application (such as iptables) is installed. -If an application firewall is not installed, this is a finding. +If an application firewall is not installed, this is a finding. Check to see if the firewall is loaded and active with the following command: 
@@ -3656,14 +3656,14 @@ firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled) Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago -If "firewalld" does not show a status of "loaded" and "active", this is a finding. +If "firewalld" does not show a status of "loaded" and "active", this is a finding. Check the state of the firewall: -# firewall-cmd --state +# firewall-cmd --state running -If "firewalld" does not show a state of "running", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040530The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86899V-72275CCI-000052Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". 
+If "firewalld" does not show a state of "running", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040530The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86899V-72275CCI-000052Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". Add the following line to the top of "/etc/pam.d/postlogin": 
@@ -3732,10 +3732,10 @@ Verify that the "/etc/resolv.conf" file is immutable with the following command: If the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040610The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72283SV-86907CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - net.ipv4.conf.all.accept_source_route = 0 + net.ipv4.conf.all.accept_source_route = 0 Issue the following command to make the changes take effect: - + # sysctl -systemVerify the system does not accept IPv4 source-routed packets. # grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null 
@@ -3752,7 +3752,7 @@ If the returned line does not have a value of "0", this is a finding. If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040611The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92251SV-102353CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - net.ipv4.conf.all.rp_filter = 1 + net.ipv4.conf.all.rp_filter = 1 Issue the following command to make the changes take effect: 
@@ -3772,7 +3772,7 @@ If the returned line does not have a value of "1", this is a finding. If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040612The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92253SV-102355CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - net.ipv4.conf.default.rp_filter = 1 + net.ipv4.conf.default.rp_filter = 1 Issue the following command to make the changes take effect: 
@@ -3792,10 +3792,10 @@ If the returned line does not have a value of "1", this is a finding. If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040620The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72285SV-86909CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - net.ipv4.conf.default.accept_source_route = 0 + net.ipv4.conf.default.accept_source_route = 0 Issue the following command to make the changes take effect: - + # sysctl --systemVerify the system does not accept IPv4 source-routed packets by default. # grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null 
@@ -3814,7 +3814,7 @@ If conflicting results are returned, this is a finding.< net.ipv4.icmp_echo_ignore_broadcasts = 1 -Issue the following command to make the changes take effect: +Issue the following command to make the changes take effect: # sysctl --systemVerify the system does not respond to IPv4 ICMP echoes sent to a broadcast address. @@ -3831,7 +3831,7 @@ If the returned line does not have a value of "1", this is a finding. If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040640The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86913V-72289CCI-000366Set the system to not accept IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - net.ipv4.conf.default.accept_redirects = 0 + net.ipv4.conf.default.accept_redirects = 0 Issue the following command to make the changes take effect: 
@@ -3850,7 +3850,7 @@ If the returned line does not have a value of "0", this is a finding. If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040641The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87827V-73175CCI-000366Set the system to ignore IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - net.ipv4.conf.all.accept_redirects = 0 + net.ipv4.conf.all.accept_redirects = 0 Issue the following command to make the changes take effect: 
@@ -3867,7 +3867,7 @@ Check that the operating system implements the "accept_redirects" variables with If the returned line does not have a value of "0", this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040650The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72291SV-86915CCI-000366Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040650The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72291SV-86915CCI-000366Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): 
@@ -3884,11 +3884,11 @@ If "net.ipv4.conf.default.send_redirects" is not configured in the "/etc/sysctl. Check that the operating system implements the "default send_redirects" variables with the following command: # /sbin/sysctl -a | grep net.ipv4.conf.default.send_redirects - net.ipv4.conf.default.send_redirects = 0 + net.ipv4.conf.default.send_redirects = 0 If the returned line does not have a value of "0", this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040660The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72293SV-86917CCI-000366Configure the system to not allow interfaces to perform IPv4 ICMP redirects. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040660The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72293SV-86917CCI-000366Configure the system to not allow interfaces to perform IPv4 ICMP redirects. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): @@ -3928,7 +3928,7 @@ If network interfaces are found on the system in promiscuous mode and their use Determine if "postfix" is installed with the following commands: # yum list installed postfix -postfix-2.6.6-6.el7.x86_64.rpm +postfix-2.6.6-6.el7.x86_64.rpm If postfix is not installed, this is Not Applicable. @@ -3981,7 +3981,7 @@ tftp-server.x86_64 x.x-x.el7 rhel-7-server-rpms If a TFTP server is not installed, this is Not Applicable. -If a TFTP server is installed, check for the server arguments with the following command: +If a TFTP server is installed, check for the server arguments with the following command: # grep server_args /etc/xinetd.d/tftp server_args = -s /var/lib/tftpboot 
@@ -4028,7 +4028,7 @@ Check that the operating system does not implement IP forwarding using the follo If IP forwarding value is "1" and the system is hosting any application, database, or web servers, this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040750The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.<VulnDiscussion>When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86935V-72311CCI-000366Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040750The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.<VulnDiscussion>When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. 
The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86935V-72311CCI-000366Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting. Ensure the "sec" option is defined as "krb5:krb5i:krb5p".Verify "AUTH_GSS" is being used to authenticate NFS mounts. 
@@ -4051,9 +4051,9 @@ If the file does exist, check for the default community strings with the followi # grep public /etc/snmp/snmpd.conf # grep private /etc/snmp/snmpd.conf -If either of these commands returns any output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040810The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.<VulnDiscussion>If the systems access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86939V-72315CCI-000366If "firewalld" is installed and active on the system, configure rules for allowing specific services and hosts. 
+If either of these commands returns any output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040810The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.<VulnDiscussion>If the systems access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86939V-72315CCI-000366If "firewalld" is installed and active on the system, configure rules for allowing specific services and hosts. -If "firewalld" is not "active", enable "tcpwrappers" by configuring "/etc/hosts.allow" and "/etc/hosts.deny" to allow or deny access to specific hosts.If the "firewalld" package is not installed, ask the System Administrator (SA) if another firewall application (such as iptables) is installed. If an application firewall is not installed, this is a finding. +If "firewalld" is not "active", enable "tcpwrappers" by configuring "/etc/hosts.allow" and "/etc/hosts.deny" to allow or deny access to specific hosts.If the "firewalld" package is not installed, ask the System Administrator (SA) if another firewall application (such as iptables) is installed. If an application firewall is not installed, this is a finding. Verify the system's access control program is configured to grant or deny system access to specific hosts. 
@@ -4110,7 +4110,7 @@ If the "IPsec" service is active, check to see if any tunnels are configured in # grep -iw conn /etc/ipsec.conf /etc/ipsec.d/*.conf -If there are indications that a "conn" parameter is configured for a tunnel, ask the System Administrator if the tunnel is documented with the ISSO. +If there are indications that a "conn" parameter is configured for a tunnel, ask the System Administrator if the tunnel is documented with the ISSO. If "libreswan" is installed, "IPsec" is active, and an undocumented tunnel is active, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040830The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72319SV-86943CCI-000366Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): 
@@ -4197,7 +4197,7 @@ cert_policy = ca, ocsp_on, signature; cert_policy = ca, ocsp_on, signature; cert_policy = ca, ocsp_on, signature; -There should be at least three lines returned. +There should be at least three lines returned. If "ocsp_on" is not present in all uncommented "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf", this is a finding.SRG-OS-000424-GPOS-00188<GroupDescription></GroupDescription>RHEL-07-041010The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled.<VulnDiscussion>The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73177SV-87829CCI-001443CCI-001444CCI-002418Configure the system to disable all wireless network interfaces with the following command: 
@@ -4233,7 +4233,7 @@ Note: System configuration files (indicated by a "c" in the second column) are e # rpm -Va --noconfig | grep '^..5' -If there is any output from the command for system files or binaries, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020019The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool.<VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92255SV-102357CCI-001263CCI-000366Install and enable the latest McAfee ENSLTP package.Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux. +If there is any output from the command for system files or binaries, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020019The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool.<VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. 
These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92255SV-102357CCI-001263CCI-000366Install and enable the latest McAfee ENSLTP package.Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux. Procedure: Check that the following package has been installed: @@ -4246,7 +4246,7 @@ Verify that the daemon is running: # ps -ef | grep -i mfetpd -If the daemon is not running, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-032000The Red Hat Enterprise Linux operating system must use a virus scan program.<VulnDiscussion>Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. +If the daemon is not running, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-032000The Red Hat Enterprise Linux operating system must use a virus scan program.<VulnDiscussion>Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis. 
@@ -4258,7 +4258,7 @@ The session lock is implemented at the point where session activity can be deter The ability to enable/disable a session lock is given to the user by default. Disabling the user’s ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-78995SV-93701CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: +Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. 
@@ -4266,7 +4266,7 @@ Note: The example below is using the database "local" for the system, so if the Add the setting to lock the screensaver lock-enabled setting: - /org/gnome/desktop/screensaver/lock-enabledVerify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface. + /org/gnome/desktop/screensaver/lock-enabledVerify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface. Note: If the system does not have GNOME installed, this requirement is Not Applicable. @@ -4287,7 +4287,7 @@ Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPO Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. -Create or edit the /etc/dconf/db/local.d/00-No-Automount file and add the following: +Create or edit the /etc/dconf/db/local.d/00-No-Automount file and add the following: [org/gnome/desktop/media-handling] 
@@ -4345,23 +4345,23 @@ To ensure the veracity of audit information, the operating system must protect a Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. -Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000162CCI-000163CCI-000164CCI-001314Change the mode of the audit log files with the following command: +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000162CCI-000163CCI-000164CCI-001314Change the mode of the audit log files with the following command: # chmod 0600 [audit_file] -Change the owner and group owner of the audit log files with the following command: +Change the owner and group owner of the audit log files with the following command: # chown root:root [audit_file]Verify the operating system audit records have proper permissions and ownership. List the full permissions and ownership of the audit log files with the following command. 
-# ls -la /var/log/audit +# ls -la /var/log/audit total 4512 drwx------. 2 root root 23 Apr 25 16:53 . drwxr-xr-x. 17 root root 4096 Aug 9 13:09 .. -rw-------. 1 root root 8675309 Aug 9 12:54 audit.log -Audit logs must be mode 0600 or less permissive. +Audit logs must be mode 0600 or less permissive. If any are more permissive, this is a finding. The owner and group owner of all audit log files must both be "root". If any other owner or group owner is listed, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040711The Red Hat Enterprise Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.<VulnDiscussion>When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366Configure the SSH daemon to prevent remote hosts from connecting to the proxy display. 
@@ -4382,13 +4382,13 @@ $ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/* If the either of the following entries are returned, this is a finding: ALL ALL=(ALL) ALL -ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010342The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. +ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010342The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. 
For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002227Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: Defaults !targetpw Defaults !rootpw Defaults !runaspw -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /etc/sudoers /etc/sudoers.d/Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. 
@@ -4401,7 +4401,7 @@ Remove any configurations that conflict with the above from the following locati If conflicting results are returned, this is a finding. If "Defaults !targetpw" is not defined, this is a finding. If "Defaults !rootpw" is not defined, this is a finding. -If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010343The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. +If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010343The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. @@ -4483,7 +4483,7 @@ SELinuxUser LabelingPrefix MLS/MCSLevel MLS/MCSRange SELinuxRoles guest_u user s0 s0 guest_r root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r -sysadm_u user s0 s0-s0:c0.c1023 sysadm_r +sysadm_u user s0 s0-s0:c0.c1023 sysadm_r system_u user s0 s0-s0:c0.c1023 system_r unconfined_r unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r user_u user s0 s0 user_r 
@@ -4517,7 +4517,7 @@ $ sudo visudo -f /etc/sudoers.d/<customfile> Use the following example to build the <customfile> in the /etc/sudoers.d directory to allow any administrator belonging to a designated sudoers admin group to elevate their SELinux context with the use of the sudo command: %wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /etc/sudoers /etc/sudoers.d/Verify the operating system elevates the SELinux context when an administrator calls the sudo command with the following command: @@ -4559,7 +4559,7 @@ Verify the operating system does not have nested "include" files or directories $ sudo grep -r include /etc/sudoers.d -If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010344The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. +If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010344The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. 
@@ -4603,7 +4603,7 @@ Check that the AIDE package is installed with the following command: aide-0.15.1-13.el7.x86_64 -If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. +If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. If there is no application installed to perform integrity checks, this is a finding. 
@@ -4635,7 +4635,7 @@ Restart the "sshd" service for changes to take effect: $ sudo grep -i kexalgorithms /etc/ssh/sshd_config KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 - + If "KexAlgorithms" is not configured, is commented out, or does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010090The Red Hat Enterprise Linux operating system must have the screen package installed.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The screen and tmux packages allow for a session lock to be implemented and configured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000057Install the screen package to allow the initiation of a session lock after a 15-minute period of inactivity. 
@@ -4666,7 +4666,7 @@ Set the system to the required kernel parameter by adding or modifying the follo kernel.dmesg_restrict = 1 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/ /etc/sysctl.d/ /usr/local/lib/sysctl.d/ @@ -4696,12 +4696,12 @@ If conflicting results are returned, this is a finding.< Rename the existing configuration files (skip this step if symbolic links are already present): $ sudo mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac $ sudo mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac - + Create custom system-auth configuration file: $ sudo vi /etc/pam.d/system-auth-local - + The new file, at minimum, must contain the following lines: - + auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 auth include system-auth-ac auth sufficient pam_unix.so try_first_pass @@ -4718,7 +4718,7 @@ session include system-auth-ac Create custom password-auth configuration file: $ sudo vi /etc/pam.d/password-auth-local - + The new file, at minimum, must contain the following lines: auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 @@ -4734,7 +4734,7 @@ password include password-auth-ac password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok session include password-auth-ac - + Create new or move existing symbolic links to the new custom configuration files: $ sudo ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth $ sudo ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth 
@@ -4756,7 +4756,7 @@ Note: With this solution in place any custom settings to "system-auth" and "pass lrwxrwxrwx. 1 root root 30 Apr 1 11:59 /etc/pam.d/password-auth -> /etc/pam.d/password-auth-local lrwxrwxrwx. 1 root root 28 Apr 1 11:59 /etc/pam.d/system-auth -> /etc/pam.d/system-auth-local - + If system-auth and password-auth files are not symbolic links, this is a finding. -If system-auth and password-auth are symbolic links but do not point to "system-auth-local" and "password-auth-local", this is a finding. \ No newline at end of file +If system-auth and password-auth are symbolic links but do not point to "system-auth-local" and "password-auth-local", this is a finding. diff --git a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R9_Manual-xccdf.xml b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R9_Manual-xccdf.xml index 52e9e3df2..31c877d32 100644 --- a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R9_Manual-xccdf.xml +++ b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R9_Manual-xccdf.xml @@ -40,9 +40,9 @@ $ sudo yum history list | more Loaded plugins: langpacks, product-id, subscription-manager ID | Command line | Date and time | Action(s) | Altered ------------------------------------------------------------------------------- -70 | install aide | 2020-03-05 10:58 | Install | 1 +70 | install aide | 2020-03-05 10:58 | Install | 1 69 | update -y | 2020-03-04 14:34 | Update | 18 EE -68 | install vlc | 2020-02-21 17:12 | Install | 21 +68 | install vlc | 2020-02-21 17:12 | Install | 21 67 | update -y | 2020-02-21 17:04 | Update | 7 EE If package updates have not been performed on the system within the timeframe the site/program documentation requires, this is a finding. 
@@ -51,7 +51,7 @@ Typical update frequency may be overridden by Information Assurance Vulnerabilit If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-08-010020RHEL 8 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the Federal Government since this provides assurance they have been tested and validated. -RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. +RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. 
Less than 256 keystrokes may generate a non-unique key. 
@@ -87,9 +87,9 @@ If FIPS mode is not "on", the kernel boot parameter is not configured for FIPS m Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). -Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001199Configure RHEL 8 to prevent unauthorized modification of all information at rest by using disk encryption. +Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001199Configure RHEL 8 to prevent unauthorized modification of all information at rest by using disk encryption. -Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. 
To encrypt an entire partition, dedicate a partition for encryption in the partition layout.Verify RHEL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. +Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout.Verify RHEL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable. @@ -206,7 +206,7 @@ Run the following command to update the database: $ sudo dconf updateVerify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. -Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. +Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. Check that the operating system displays the exact Standard Mandatory DoD Notice and Consent Banner text with the command: 
@@ -342,7 +342,7 @@ If the contents of the key are displayed, this is a finding.DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000196Configure RHEL 8 to encrypt all stored passwords. +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000196Configure RHEL 8 to encrypt all stored passwords. Edit/Modify the following line in the "/etc/login.defs" file and set "[ENCRYPT_METHOD]" to SHA512. 
@@ -350,7 +350,7 @@ ENCRYPT_METHOD SHA512SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>RHEL-08-010160The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. -RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000803Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. 
@@ -789,7 +789,7 @@ RHEL 8 comes with many optional software packages. A file integrity tool called Satisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001744Configure the file integrity tool to run automatically on the system at least weekly and to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. -The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. +The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. $ sudo more /etc/cron.daily/aide @@ -866,7 +866,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc kernel.kexec_load_disabled = 1 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -914,7 +914,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc fs.protected_symlinks = 1 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf 
@@ -962,7 +962,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc fs.protected_hardlinks = 1 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -1010,7 +1010,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc kernel.dmesg_restrict = 1 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -1058,7 +1058,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc kernel.perf_event_paranoid = 2 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -1180,7 +1180,7 @@ $ sudo dmesg | grep NX [ 0.000000] NX (Execute Disable) protection: active -If "dmesg" does not show "NX (Execute Disable) protection" active, check the cpuinfo settings with the following command: +If "dmesg" does not show "NX (Execute Disable) protection" active, check the cpuinfo settings with the following command: $ sudo less /proc/cpuinfo | grep -i flags flags : fpu vme de pse tsc ms nx rdtscp lm constant_tsc @@ -1205,7 +1205,7 @@ kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhe If "page_poison" is not set to "1" or is missing, this is a finding. -Check that page poisoning is enabled by default to persist in kernel updates: +Check that page poisoning is enabled by default to persist in kernel updates: $ sudo grep page_poison /etc/default/grub 
@@ -1231,7 +1231,7 @@ kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhe If "vsyscall" is not set to "none" or is missing, this is a finding. -Check that vsyscalls are disabled by default to persist in kernel updates: +Check that vsyscalls are disabled by default to persist in kernel updates: $ sudo grep vsyscall /etc/default/grub @@ -1259,7 +1259,7 @@ kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhe If "slub_debug" is not set to "P" or is missing, this is a finding. -Check that poisoning of SLUB/SLAB objects is enabled by default to persist in kernel updates: +Check that poisoning of SLUB/SLAB objects is enabled by default to persist in kernel updates: $ sudo grep slub_debug /etc/default/grub @@ -1281,7 +1281,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc kernel.randomize_va_space=2 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf 
@@ -1364,7 +1364,7 @@ $ sudo rm /[path]/[to]/[file]/.shostsSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010471RHEL 8 must enable the hardware random number generator entropy gatherer service.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. +If any ".shosts" files are found, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010471RHEL 8 must enable the hardware random number generator entropy gatherer service.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. The rngd service feeds random data from hardware device to kernel random device. 
Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Start the rngd service, and enable the rngd service with the following commands: 
@@ -1485,7 +1485,7 @@ If a separate file system/partition does not exist for the system audit data pat $ sudo grep /tmp /etc/fstab -/dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 +/dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 If a separate entry for the file system/partition "/tmp" does not exist, this is a finding.SRG-OS-000109-GPOS-00056<GroupDescription></GroupDescription>RHEL-08-010550RHEL 8 must not permit direct logons to the root account using remote access via SSH.<VulnDiscussion>Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000770Configure RHEL 8 to stop users from logging on remotely as the "root" user via SSH. 
@@ -1608,7 +1608,7 @@ $ sudo chmod 0755 <file>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010700All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.<VulnDiscussion>If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others. -The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 1000. Run it once for each local partition [PART]: +The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. 
The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 1000. Run it once for each local partition [PART]: $ sudo find [PART] -xdev -type d -perm -0002 -uid +999 -print If there is output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010710All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.<VulnDiscussion>If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. -The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. 
The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366All directories in local partitions which are world-writable must be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this must be investigated. Following this, the directories must be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not group-owned by a system account, given the assumption that only system accounts have a gid lower than 1000. Run it once for each local partition [PART]: +The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. 
The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366All directories in local partitions which are world-writable must be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this must be investigated. Following this, the directories must be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not group-owned by a system account, given the assumption that only system accounts have a gid lower than 1000. Run it once for each local partition [PART]: $ sudo find [PART] -xdev -type d -perm -0002 -gid +999 -print @@ -1833,7 +1833,7 @@ If the user home directory referenced in "/etc/passwd" is not group-owned by tha Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a UID of "smithj", and a Group Identifier (GID) of "users assigned" in "/etc/passwd". -$ sudo mkdir /home/smithj +$ sudo mkdir /home/smithj $ sudo chown smithj /home/smithj $ sudo chgrp users /home/smithj $ sudo chmod 0750 /home/smithjVerify the assigned home directory of all local interactive users on RHEL 8 exists with the following command: 
@@ -1898,9 +1898,9 @@ Check the home directory assignment for all non-privileged users, users with a U $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6}' /etc/passwd -adamsj 1001 /home/adamsj -jacksonm 1002 /home/jacksonm -smithj 1003 /home/smithj +adamsj 1001 /home/adamsj +jacksonm 1002 /home/jacksonm +smithj 1003 /home/smithj The output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, "/home") and users’ shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users. @@ -2429,7 +2429,7 @@ Determine if tmux is currently running: $ sudo ps all | grep tmux | grep -v grep If the command does not produce output, this is a finding. - + Determine the location of the tmux script: $ sudo grep -r tmux /etc/bashrc /etc/profile.d 
@@ -2506,7 +2506,7 @@ $ sudo gsettings get org.gnome.desktop.session idle-delay uint32 900 -If "idle-delay" is set to "0" or a value greater than "900", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-08-020070RHEL 8 must automatically lock command line user sessions after 15 minutes of inactivity.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. +If "idle-delay" is set to "0" or a value greater than "900", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-08-020070RHEL 8 must automatically lock command line user sessions after 15 minutes of inactivity.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. 
@@ -2530,7 +2530,7 @@ Locking these settings from non-privileged users is crucial to maintaining a pro Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000057Configure the operating system to prevent a user from overriding settings for graphical user interfaces. -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: +Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. @@ -2538,7 +2538,7 @@ $ sudo touch /etc/dconf/db/local.d/locks/session Add the following setting to prevent non-privileged users from modifying it: -/org/gnome/desktop/screensaver/lock-delayVerify the operating system prevents a user from overriding settings for graphical user interfaces. +/org/gnome/desktop/screensaver/lock-delayVerify the operating system prevents a user from overriding settings for graphical user interfaces. Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. 
@@ -2597,13 +2597,13 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This Add the following line to the "/etc/pam.d/password-auth" file (or modify the line to have the required value): -password required pam_pwquality.soVerify the operating system uses "pwquality" to enforce the password complexity rules. +password required pam_pwquality.soVerify the operating system uses "pwquality" to enforce the password complexity rules. Check for the use of "pwquality" in the password-auth file with the following command: $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality -password required pam_pwquality.so +password required pam_pwquality.so If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-08-020110RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -2736,7 +2736,7 @@ Add the following line in "/etc/login.defs" (or modify the line to have the requ PASS_MIN_DAYS 1Verify the operating system enforces 24 hours/1 day as the minimum password lifetime for new user accounts. -Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command: +Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command: $ sudo grep -i pass_min_days /etc/login.defs PASS_MIN_DAYS 1 
@@ -2866,7 +2866,7 @@ If "pam_cert_auth" is not set to "true" in "/etc/sssd/sssd.conf", this is a find If "pam_sss.so" is not set to "try_cert_auth" or "require_cert_auth" in both the "/etc/pam.d/smartcard-auth" and "/etc/pam.d/system-auth" files, this is a finding.SRG-OS-000118-GPOS-00060<GroupDescription></GroupDescription>RHEL-08-020260RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity.<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. -RHEL 8 needs to track periods of inactivity and disable application identifiers after 35 days of inactivity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000795Configure RHEL 8 to disable account identifiers after 35 days of inactivity after the password expiration. 
+RHEL 8 needs to track periods of inactivity and disable application identifiers after 35 days of inactivity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000795Configure RHEL 8 to disable account identifiers after 35 days of inactivity after the password expiration. Run the following command to change the configuration for useradd: 
@@ -2965,7 +2965,7 @@ FAIL_DELAY 4 If the value of "FAIL_DELAY" is not set to "4" or greater, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020320RHEL 8 must not have unnecessary accounts.<VulnDiscussion>Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system so all accounts on the system are assigned to an active system, application, or user account. -Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. +Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. Document all authorized accounts on the system.Verify all accounts on the system are assigned to an active system, application, or user account. 
@@ -2984,7 +2984,7 @@ halt:x:7:0:halt:/sbin:/sbin/halt games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin -Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. +Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020330RHEL 8 must not allow accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Edit the following line in "etc/ssh/sshd_config" to prevent logons with empty passwords. 
@@ -2999,7 +2999,7 @@ $ sudo grep -ir permitemptypasswords /etc/ssh/sshd_config* PermitEmptyPasswords no If "PermitEmptyPasswords" is set to "yes", this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020340RHEL 8 must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000052Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". 
+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020340RHEL 8 must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000052Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". Add the following line to the top of "/etc/pam.d/postlogin": 
@@ -3036,7 +3036,7 @@ Note: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs" UMASK 077 -If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.SRG-OS-000480-GPOS-00228<GroupDescription></GroupDescription>RHEL-08-020352RHEL 8 must set the umask value to 077 for all local interactive user accounts.<VulnDiscussion>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Remove the umask statement from all local interactive user's initialization files. +If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.SRG-OS-000480-GPOS-00228<GroupDescription></GroupDescription>RHEL-08-020352RHEL 8 must set the umask value to 077 for all local interactive user accounts.<VulnDiscussion>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". 
This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Remove the umask statement from all local interactive user's initialization files. If the account is for an application, the requirement for a umask less restrictive than "077" can be documented with the Information System Security Officer, but the user agreement for access to the account must specify that the local interactive user must log on to their account first and then switch the user to the application account with the correct option to gain the account's environment variables.Verify that the default umask for all local interactive users is "077". 
@@ -3062,9 +3062,9 @@ Note: If the value of the "UMASK" parameter is set to "000" in the "/etc/bashrc" /etc/bashrc: umask 077 /etc/bashrc: umask 077 -/etc/csh.cshrc: umask 077 /etc/csh.cshrc: umask 077 -/etc/profile: umask 077 +/etc/csh.cshrc: umask 077 +/etc/profile: umask 077 /etc/profile: umask 077 If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.SRG-OS-000326-GPOS-00126<GroupDescription></GroupDescription>RHEL-08-030000The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.<VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. @@ -3073,11 +3073,11 @@ Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127</VulnDiscussion Add or update the following file system rules to "/etc/audit/rules.d/audit.rules": --a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv +-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv --a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv --a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv +-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv +-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 audits the execution of privileged functions. 
@@ -3085,10 +3085,10 @@ Check if RHEL 8 is configured to audit the execution of the "execve" system call $ sudo grep execve /etc/audit/audit.rules --a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv +-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv --a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv +-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv If the command does not return all lines, or the lines are commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-030010Cron logging must be implemented in RHEL 8.<VulnDiscussion>Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the /etc/rsyslog.d/ directory: 
@@ -3116,7 +3116,7 @@ If "rsyslog" is not logging messages for the cron facility or all facilities, th Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. -This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000139Configure "auditd" service to notify the SA and ISSO in the event of an audit processing failure. +This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000139Configure "auditd" service to notify the SA and ISSO in the event of an audit processing failure. 
Edit the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations: @@ -3162,7 +3162,7 @@ disk_error_action = HALT If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs. If there is no evidence of appropriate action, this is a finding.SRG-OS-000047-GPOS-00023<GroupDescription></GroupDescription>RHEL-08-030060The RHEL 8 audit system must take appropriate action when the audit storage volume is full.<VulnDiscussion>It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. -When availability is an overriding concern, other approved actions in response to an audit failure are as follows: +When availability is an overriding concern, other approved actions in response to an audit failure are as follows: 1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner. 
@@ -3172,7 +3172,7 @@ Add or update the following line (depending on configuration "disk_full_action" disk_full_action = HALT -If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG".Verify RHEL 8 takes the appropriate action when the audit storage volume is full. +If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG".Verify RHEL 8 takes the appropriate action when the audit storage volume is full. Check that RHEL 8 takes the appropriate action when the audit storage volume is full with the following command: @@ -3526,7 +3526,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates audit records when successful/unsuccessful attempts to use the "su" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": +The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates audit records when successful/unsuccessful attempts to use the "su" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w /usr/bin/su /etc/audit/audit.rules 
@@ -3534,7 +3534,7 @@ $ sudo grep -w /usr/bin/su /etc/audit/audit.rules If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030200The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -Audit records can be generated from various components within the information system (e.g., module or policy filter). +Audit records can be generated from various components within the information system (e.g., module or policy filter). "Setxattr" is a system call used to set an extended attribute value. "Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file. 
@@ -3984,7 +3984,7 @@ $ sudo grep -w chsh /etc/audit/audit.rules If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030420Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. The "creat" system call is used to open and possibly create a file or device. The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open". 
@@ -4050,7 +4050,7 @@ When a user logs on, the AUID is set to the UID of the account that is being aut The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chmod", "fchmod", and "fchmodat" syscalls by adding or updating the following line to "/etc/audit/rules.d/audit.rules": +Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 
8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chmod", "fchmod", and "fchmodat" syscalls by adding or updating the following line to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod @@ -4122,7 +4122,7 @@ DoD has defined the list of events for which RHEL 8 will provide an audit record 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; -3) All account creations, modifications, disabling, and terminations; and +3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. @@ -4190,7 +4190,7 @@ DoD has defined the list of events for which RHEL 8 will provide an audit record 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; -3) All account creations, modifications, disabling, and terminations; and +3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. 
@@ -4218,7 +4218,7 @@ DoD has defined the list of events for which RHEL 8 will provide an audit record 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; -3) All account creations, modifications, disabling, and terminations; and +3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. @@ -4236,7 +4236,7 @@ kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhe If the "audit" entry does not equal "1", is missing, or the line is commented out, this is a finding. -Check that auditing is enabled by default to persist in kernel updates: +Check that auditing is enabled by default to persist in kernel updates: $ sudo grep audit /etc/default/grub @@ -4262,7 +4262,7 @@ kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhe If the "audit_backlog_limit" entry does not equal "8192" or greater, is missing, or the line is commented out, this is a finding. -Check the audit_backlog_limit is set to persist in kernel updates: +Check the audit_backlog_limit is set to persist in kernel updates: $ sudo grep audit /etc/default/grub 
@@ -4282,7 +4282,7 @@ DoD has defined the list of events for which RHEL 8 will provide an audit record 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; -3) All account creations, modifications, disabling, and terminations; and +3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. @@ -4495,7 +4495,7 @@ $ sudo grep @@ /etc/rsyslog.conf /etc/rsyslog.d/*.conf /etc/rsyslog.conf:*.* @@[remoteloggingserver]:[port] -If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. +If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-08-030700RHEL 8 must take appropriate action when the internal event queue is full.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. 
@@ -4513,7 +4513,7 @@ $ sudo grep -i overflow_action /etc/audit/auditd.conf overflow_action = syslog -If the value of the "overflow_action" option is not set to "syslog", "single", "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. +If the value of the "overflow_action" option is not set to "syslog", "single", "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the transfer of the audit logs being off-loaded to another system or media takes appropriate action if the internal event queue becomes full, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-08-030710RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -4538,7 +4538,7 @@ $ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*. If the value of the "$ActionSendStreamDriverMode" option is not set to "1" or the line is commented out, this is a finding. -If neither of the definitions above are set, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. +If neither of the definitions above are set, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-08-030720RHEL 8 must authenticate the remote logging server for off-loading audit logs.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. 
@@ -4560,7 +4560,7 @@ $ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog. /etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name -If the value of the "$ActionSendStreamDriverAuthMode" option is not set to "x509/name" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. +If the value of the "$ActionSendStreamDriverAuthMode" option is not set to "x509/name" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-08-030730RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001855Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file. 
@@ -4601,7 +4601,7 @@ If the "maxpoll" option is set to a number greater than 16 or the line is commen Verify the "chrony.conf" file is configured to an authoritative DoD time source by running the following command: $ sudo grep -i server /etc/chrony.conf -server 0.us.pool.ntp.mil +server 0.us.pool.ntp.mil If the parameter "server" is not set or is not set to an authoritative DoD time source, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-08-030741RHEL 8 must disable the chrony daemon from acting as a server.<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. @@ -4693,7 +4693,7 @@ kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhe If the "pti" entry does not equal "on", is missing, or the line is commented out, this is a finding. -Check that kernel page-table isolation is enabled by default to persist in kernel updates: +Check that kernel page-table isolation is enabled by default to persist in kernel updates: $ sudo grep pti /etc/default/grub 
@@ -4924,15 +4924,15 @@ custom (active) target: DROP icmp-block-inversion: no interfaces: ens33 -sources: +sources: services: dhcpv6-client dns http https ldaps rpc-bind ssh -ports: +ports: masquerade: no -forward-ports: -icmp-blocks: -rich rules: +forward-ports: +icmp-blocks: +rich rules: -Ask the System Administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA. +Ask the System Administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA. If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-08-040070The RHEL 8 file system automounter must be disabled unless required.<VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000778Configure the operating system to disable the ability to automount devices. 
@@ -4989,7 +4989,7 @@ $ sudo cp /usr/lib/firewalld/zones/drop.xml /etc/firewalld/zones/[custom].xml This will provide a clean configuration file to work with that employs a deny-all approach. Note: Add the exceptions that are required for mission functionality and update the short title in the xml file to match the [custom] zone name. Reload the firewall rules to make the new [custom] zone available to load: -$ sudo firewall-cmd --reload +$ sudo firewall-cmd --reload Set the default zone to the new [custom] zone: $ sudo firewall-cmd --set-default-zone=[custom] @@ -5060,12 +5060,12 @@ Build or modify the "/etc/modprobe.d/bluetooth.conf" file with the following lin install bluetooth /bin/true -Disable the ability to use the Bluetooth kernel module. - -$ sudo vi /etc/modprobe.d/blacklist.conf - -Add or update the line: - +Disable the ability to use the Bluetooth kernel module. + +$ sudo vi /etc/modprobe.d/blacklist.conf + +Add or update the line: + blacklist bluetooth Reboot the system for the settings to take effect.If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable. 
@@ -5080,12 +5080,12 @@ $ sudo grep bluetooth /etc/modprobe.d/* If the Bluetooth driver blacklist entry is missing, a Bluetooth driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding. -Verify the operating system disables the ability to use Bluetooth with the following command: - -$ sudo grep -r bluetooth /etc/modprobe.d | grep -i "blacklist" | grep -v "^#" - -blacklist bluetooth - +Verify the operating system disables the ability to use Bluetooth with the following command: + +$ sudo grep -r bluetooth /etc/modprobe.d | grep -i "blacklist" | grep -v "^#" + +blacklist bluetooth + If the command does not return any output or the output is not "blacklist bluetooth", and use of Bluetooth is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-08-040120RHEL 8 must mount /dev/shm with the nodev option.<VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. 
@@ -5437,9 +5437,9 @@ $ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf # FirewallBackend FirewallBackend=nftables -If the "nftables" is not set as the "firewallbackend" default, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-08-040160All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. +If the "nftables" is not set as the "firewallbackend" default, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-08-040160All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). 
Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
@@ -5456,9 +5456,9 @@ Main PID: 1348 (sshd) CGroup: /system.slice/sshd.service 1053 /usr/sbin/sshd -D -If "sshd" does not show a status of "active" and "running", this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-08-040161RHEL 8 must force a frequent session key renegotiation for SSH connections to the server.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. +If "sshd" does not show a status of "active" and "running", this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-08-040161RHEL 8 must force a frequent session key renegotiation for SSH connections to the server.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
@@ -5550,7 +5550,7 @@ $ sudo yum list installed tftp-server tftp-server.x86_64 5.2-24.el8 -If TFTP is installed and the requirement for TFTP is not documented with the ISSO, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040200The root account must be the only account having unrestricted access to the RHEL 8 system.<VulnDiscussion>If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Change the UID of any account on the system, other than root, that has a UID of "0". +If TFTP is installed and the requirement for TFTP is not documented with the ISSO, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040200The root account must be the only account having unrestricted access to the RHEL 8 system.<VulnDiscussion>If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. 
Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Change the UID of any account on the system, other than root, that has a UID of "0". If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.Check the system for duplicate UID "0" assignments with the following command: @@ -5570,7 +5570,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc net.ipv6.conf.default.accept_redirects = 0 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -5616,7 +5616,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc net.ipv4.conf.all.send_redirects=0 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf 
@@ -5659,7 +5659,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc net.ipv4.icmp_echo_ignore_broadcasts=1 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -5701,7 +5701,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc net.ipv6.conf.all.accept_source_route=0 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -5745,7 +5745,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc net.ipv6.conf.default.accept_source_route=0 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -5789,7 +5789,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc net.ipv6.conf.all.forwarding=0 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -5835,7 +5835,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc net.ipv6.conf.all.accept_ra=0 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf 
@@ -5881,7 +5881,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc net.ipv6.conf.default.accept_ra=0 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -5927,7 +5927,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc net.ipv4.conf.default.send_redirects = 0 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -5969,7 +5969,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc net.ipv6.conf.all.accept_redirects = 0 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -6011,7 +6011,7 @@ The sysctl --system command will load settings from all system configuration fil kernel.unprivileged_bpf_disabled = 1 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -6049,7 +6049,7 @@ The sysctl --system command will load settings from all system configuration fil kernel.yama.ptrace_scope = 1 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf 
@@ -6087,7 +6087,7 @@ The sysctl --system command will load settings from all system configuration fil kernel.kptr_restrict = 1 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -6123,11 +6123,11 @@ The sysctl --system command will load settings from all system configuration fil /lib/sysctl.d/*.conf /etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: -Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. +Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. user.max_user_namespaces = 0 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf 
@@ -6167,7 +6167,7 @@ The sysctl --system command will load settings from all system configuration fil net.ipv4.conf.all.rp_filter = 1 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -6201,7 +6201,7 @@ Determine if "postfix" is installed with the following commands: $ sudo yum list installed postfix -postfix.x86_64 2:3.3.1-9.el8 +postfix.x86_64 2:3.3.1-9.el8 If postfix is not installed, this is Not Applicable. 
@@ -6213,7 +6213,7 @@ smtpd_client_restrictions = permit_mynetworks, reject If the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040300The RHEL 8 file integrity tool must be configured to verify extended attributes.<VulnDiscussion>Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. -RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the file integrity tool to check file and directory extended attributes. +RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the file integrity tool to check file and directory extended attributes. If AIDE is installed, ensure the "xattrs" rule is present on all uncommented file and directory selection lists.Verify the file integrity tool is configured to verify extended attributes. 
@@ -6230,12 +6230,12 @@ Check the "aide.conf" file to determine if the "xattrs" rule has been added to t An example rule that includes the "xattrs" rule follows: All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux -/bin All # apply the custom rule to the files in bin -/sbin All # apply the same custom rule to the files in sbin +/bin All # apply the custom rule to the files in bin +/sbin All # apply the same custom rule to the files in sbin If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040310The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).<VulnDiscussion>ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools. -RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the file integrity tool to check file and directory ACLs. 
+RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the file integrity tool to check file and directory ACLs. If AIDE is installed, ensure the "acl" rule is present on all file and directory selection lists.Verify the file integrity tool is configured to verify ACLs. 
@@ -6312,11 +6312,11 @@ server_args = -s /var/lib/tftpbootSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010383RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. +ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010383RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. 
For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002227Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: Defaults !targetpw Defaults !rootpw Defaults !runaspw -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /etc/sudoers /etc/sudoers.d/Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. 
@@ -6408,7 +6408,7 @@ Remove any configurations that conflict with the above from the following locati If conflicting results are returned, this is a finding. If "Defaults !targetpw" is not defined, this is a finding. If "Defaults !rootpw" is not defined, this is a finding. -If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010384RHEL 8 must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. +If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010384RHEL 8 must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. @@ -6449,7 +6449,7 @@ Run the following command to update the database: $ sudo dconf updateVerify RHEL 8 displays a banner before granting access to the operating system via a graphical user logon. -Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. +Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. Check to see if the operating system displays a banner at the logon screen with the following command: 
@@ -6507,7 +6507,7 @@ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell emergency", commented out, or missing, this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>RHEL-08-010159The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. -RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000803Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. 
@@ -6563,7 +6563,7 @@ $ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd # CRYPTO_POLICY= -If the "CRYPTO_POLICY " is uncommented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010472RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. +If the "CRYPTO_POLICY " is uncommented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010472RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. The rngd service feeds random data from hardware device to kernel random device. 
Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Install the packages required to enabled the hardware random number generator entropy gatherer service with the following command: @@ -6636,7 +6636,7 @@ $ sudo ls -lLR /<home directory>/<users home directory>/ If any files found with a group-owner different from the home directory user private group, check to see if the user is a member of that group with the following command: $ sudo grep smithj /etc/group -sa:x:100:juan,shelley,bob,smithj +sa:x:100:juan,shelley,bob,smithj smithj:x:521:smithj If any files or directories are group owned by a group that the directory owner is not a member of, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>RHEL-08-020025RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -6692,7 +6692,7 @@ The session lock is implemented at the point where session activity can be deter Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000057Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated. -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: +Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. 
@@ -6715,7 +6715,7 @@ uint32 5 If the "uint32" setting is missing, or is not set to "5" or less, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020032RHEL 8 must disable the user list at logon for graphical user interfaces.<VulnDiscussion>Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to disable the user list at logon for graphical user interfaces. -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: +Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. $ sudo touch /etc/dconf/db/local.d/02-login-screen 
@@ -6754,7 +6754,7 @@ Locking these settings from non-privileged users is crucial to maintaining a pro Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000057Configure the operating system to prevent a user from overriding settings for graphical user interfaces. -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: +Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. @@ -6762,7 +6762,7 @@ $ sudo touch /etc/dconf/db/local.d/locks/session Add the following setting to prevent non-privileged users from modifying it: -/org/gnome/desktop/session/idle-delayVerify the operating system prevents a user from overriding settings for graphical user interfaces. +/org/gnome/desktop/session/idle-delayVerify the operating system prevents a user from overriding settings for graphical user interfaces. Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. 
@@ -6790,7 +6790,7 @@ Locking these settings from non-privileged users is crucial to maintaining a pro Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000057Configure the operating system to prevent a user from overriding settings for graphical user interfaces. -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: +Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. @@ -6798,7 +6798,7 @@ $ sudo touch /etc/dconf/db/local.d/locks/session Add the following setting to prevent non-privileged users from modifying it: -/org/gnome/desktop/screensaver/lock-enabledVerify the operating system prevents a user from overriding settings for graphical user interfaces. +/org/gnome/desktop/screensaver/lock-enabledVerify the operating system prevents a user from overriding settings for graphical user interfaces. Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. 
@@ -6970,9 +6970,9 @@ Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor preset Active: active (running) If the usbguard.service is not enabled and active, ask the SA to indicate how unauthorized peripherals are being blocked. -If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-08-040159All RHEL 8 networked systems must have SSH installed.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-08-040159All RHEL 8 networked systems must have SSH installed.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. @@ -6998,7 +6998,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc net.ipv4.conf.default.accept_redirects = 0 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -7040,7 +7040,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc net.ipv4.conf.all.accept_source_route=0 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -7082,7 +7082,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc net.ipv4.conf.default.accept_source_route=0 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -7124,7 +7124,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc net.ipv4.conf.all.accept_redirects = 0 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf 
@@ -7166,7 +7166,7 @@ The sysctl --system command will load settings from all system configuration fil net.core.bpf_jit_harden = 2 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -7217,9 +7217,9 @@ $ sudo mkdir /var/log/faillock Update the /etc/selinux/targeted/contexts/files/file_contexts.local with "faillog_t" context type for the non-default faillock tally directory with the following command: -$ sudo semanage fcontext -a -t faillog_t "/var/log/faillock(/.*)?" +$ sudo semanage fcontext -a -t faillog_t "/var/log/faillock(/.*)?" -Next, update the context type of the non-default faillock directory/subdirectories and files with the following command: +Next, update the context type of the non-default faillock directory/subdirectories and files with the following command: $ sudo restorecon -R -v /var/log/faillockIf the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_faillock module is not configured for use, this requirement is not applicable. 
@@ -7245,9 +7245,9 @@ SELinux, enforcing a targeted policy, will require any non-default tally directo Update the /etc/selinux/targeted/contexts/files/file_contexts.local with "faillog_t" context type for the non-default faillock tally directory with the following command: -$ sudo semanage fcontext -a -t faillog_t "/var/log/faillock(/.*)?" +$ sudo semanage fcontext -a -t faillog_t "/var/log/faillock(/.*)?" -Next, update the context type of the non-default faillock directory/subdirectories and files with the following command: +Next, update the context type of the non-default faillock directory/subdirectories and files with the following command: $ sudo restorecon -R -v /var/log/faillockIf the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_faillock module is not configured for use, this requirement is not applicable. @@ -7280,7 +7280,7 @@ Add or edit the following line in a system configuration file, in the "/etc/sysc net.ipv4.conf.all.forwarding=0 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -7381,7 +7381,7 @@ Example output: Start timestamp: 2022-10-20 11:03:16 -0700 (AIDE 0.16) AIDE found differences between database and filesystem!! ... - + Done.Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions. Check that the AIDE package is installed with the following command: 
@@ -7389,7 +7389,7 @@ Check that the AIDE package is installed with the following command: aide-0.16-14.el8_5.1.x86_64 -If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. +If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. If there is no application installed to perform integrity checks, this is a finding. @@ -7419,7 +7419,7 @@ Verify the operating system does not have nested "include" files or directories $ sudo grep -r include /etc/sudoers.d -If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010385The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. +If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010385The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. @@ -7442,7 +7442,7 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s Add the following line to the "/etc/pam.d/system-auth" file(or modify the line to have the required value): -password required pam_pwquality.soVerify the operating system uses "pwquality" to enforce the password complexity rules. +password required pam_pwquality.soVerify the operating system uses "pwquality" to enforce the password complexity rules. Check for the use of "pwquality" in the system-auth file with the following command: 
@@ -7462,7 +7462,7 @@ Add the following line to the "/etc/pam.d/system-auth" file (or modify the line password required pam_pwquality.so retry=3Note: This requirement applies to RHEL versions 8.0 through 8.3. If the system is RHEL version 8.4 or newer, this requirement is not applicable. -Verify the operating system is configured to limit the "pwquality" retry option to 3. +Verify the operating system is configured to limit the "pwquality" retry option to 3. Check for the use of the "pwquality" retry option in the system-auth file with the following command: @@ -7482,7 +7482,7 @@ Add the following line to the "/etc/pam.d/password-auth" file (or modify the lin password required pam_pwquality.so retry=3Note: This requirement applies to RHEL versions 8.0 through 8.3. If the system is RHEL version 8.4 or newer, this requirement is not applicable. -Verify the operating system is configured to limit the "pwquality" retry option to 3. +Verify the operating system is configured to limit the "pwquality" retry option to 3. Check for the use of the "pwquality" retry option in the password-auth file with the following command: @@ -7503,7 +7503,7 @@ retry = 3 Remove any configurations that conflict with the above value.Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable. -Verify the operating system is configured to limit the "pwquality" retry option to 3. +Verify the operating system is configured to limit the "pwquality" retry option to 3. Check for the use of the "pwquality" retry option with the following command: 
@@ -7548,49 +7548,49 @@ A reboot is required for the changes to take effect.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-08-040400RHEL 8 must prevent non-privileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. - -Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002265Configure RHEL 8 to prevent non-privileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. 
- -Use the following command to map a new user to the "sysadm_u" role: - -$ sudo semanage login -a -s sysadm_u <username> - -Use the following command to map an existing user to the "sysadm_u" role: - -$ sudo semanage login -m -s sysadm_u <username> - -Use the following command to map a new user to the "staff_u" role: - -$ sudo semanage login -a -s staff_u <username> - -Use the following command to map an existing user to the "staff_u" role: - -$ sudo semanage login -m -s staff_u <username> - -Use the following command to map a new user to the "user_u" role: - -$ sudo semanage login -a -s user_u <username> - -Use the following command to map an existing user to the "user_u" role: - -$ sudo semanage login -m -s user_u <username>Verify the operating system prevents non-privileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. - -Obtain a list of authorized users (other than System Administrator and guest accounts) for the system. - -Check the list against the system by using the following command: - -$ sudo semanage login -l | more -Login Name SELinux User MLS/MCS Range Service -__default__ user_u s0-s0:c0.c1023 * -root unconfined_u s0-s0:c0.c1023 * -system_u system_u s0-s0:c0.c1023 * -joe staff_u s0-s0:c0.c1023 * - -All administrators must be mapped to the "sysadm_u", "staff_u", or an appropriately tailored confined role as defined by the organization. - -All authorized non-administrative users must be mapped to the "user_u" role. 
- +If the system default target is not set to "multi-user.target" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-08-040400RHEL 8 must prevent non-privileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. + +Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002265Configure RHEL 8 to prevent non-privileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. 
+ +Use the following command to map a new user to the "sysadm_u" role: + +$ sudo semanage login -a -s sysadm_u <username> + +Use the following command to map an existing user to the "sysadm_u" role: + +$ sudo semanage login -m -s sysadm_u <username> + +Use the following command to map a new user to the "staff_u" role: + +$ sudo semanage login -a -s staff_u <username> + +Use the following command to map an existing user to the "staff_u" role: + +$ sudo semanage login -m -s staff_u <username> + +Use the following command to map a new user to the "user_u" role: + +$ sudo semanage login -a -s user_u <username> + +Use the following command to map an existing user to the "user_u" role: + +$ sudo semanage login -m -s user_u <username>Verify the operating system prevents non-privileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. + +Obtain a list of authorized users (other than System Administrator and guest accounts) for the system. + +Check the list against the system by using the following command: + +$ sudo semanage login -l | more +Login Name SELinux User MLS/MCS Range Service +__default__ user_u s0-s0:c0.c1023 * +root unconfined_u s0-s0:c0.c1023 * +system_u system_u s0-s0:c0.c1023 * +joe staff_u s0-s0:c0.c1023 * + +All administrators must be mapped to the "sysadm_u", "staff_u", or an appropriately tailored confined role as defined by the organization. + +All authorized non-administrative users must be mapped to the "user_u" role. + If they are not mapped in this way, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-040342RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms.<VulnDiscussion>Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection. 
RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.
@@ -7605,4 +7605,4 @@ A reboot is required for the changes to take effect.
\ No newline at end of file
+If the entries following "KexAlgorithms" have any algorithms defined other than "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512", appear in different order than shown, are missing, or commented out, this is a finding.
diff --git a/collections/ansible_collections/demo/compliance/roles/win2022STIG/files/U_MS_Windows_Server_2022_STIG_V1R1_Manual-xccdf.xml b/collections/ansible_collections/demo/compliance/roles/win2022STIG/files/U_MS_Windows_Server_2022_STIG_V1R1_Manual-xccdf.xml
index 7c7a723a2..8b19a414f 100644
--- a/collections/ansible_collections/demo/compliance/roles/win2022STIG/files/U_MS_Windows_Server_2022_STIG_V1R1_Manual-xccdf.xml
+++ b/collections/ansible_collections/demo/compliance/roles/win2022STIG/files/U_MS_Windows_Server_2022_STIG_V1R1_Manual-xccdf.xml
@@ -1,4 +1,4 @@ -acceptedMicrosoft Windows Server 2022 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 09 Sep 20223.4.0.342221.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN22-00-000010Windows Server 2022 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.<VulnDiscussion>Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft 
Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000366Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties.Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>WN22-00-000020Windows Server 2022 passwords for the built-in Administrator account must be changed at least every 60 days.<VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password may not be changed as frequently as necessary. Changing the password for the built-in Administrator account on a regular basis will limit its exposure. 
@@ -156,9 +156,9 @@ Open "PowerShell". Enter "get-service | where {$_.DisplayName -Like "*mcafee*"} | Select Status,DisplayName -Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayNameSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN22-00-000120Windows Server 2022 must have a host-based intrusion detection or prevention system.<VulnDiscussion>A properly configured Host-based Intrusion Detection System (HIDS) or Host-based Intrusion Prevention System (HIPS) provides another level of defense against unauthorized access to critical servers. With proper configuration and logging enabled, such a system can stop and/or alert for many attempts to gain unauthorized access to resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000366Install a HIDS or HIPS on each server.Determine whether there is a HIDS or HIPS on each server. +Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayNameSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN22-00-000120Windows Server 2022 must have a host-based intrusion detection or prevention system.<VulnDiscussion>A properly configured Host-based Intrusion Detection System (HIDS) or Host-based Intrusion Prevention System (HIPS) provides another level of defense against unauthorized access to critical servers. 
With proper configuration and logging enabled, such a system can stop and/or alert for many attempts to gain unauthorized access to resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000366Install a HIDS or HIPS on each server.Determine whether there is a HIDS or HIPS on each server. -If the HIPS component of ESS is installed and active on the host and the alerts of blocked activity are being logged and monitored, this meets the requirement. +If the HIPS component of ESS is installed and active on the host and the alerts of blocked activity are being logged and monitored, this meets the requirement. A HIDS device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the Information System Security Officer (ISSO). @@ -469,11 +469,11 @@ If there are no printers configured, this is NA. (Exclude Microsoft Print to PDF For each printer: -Select the printer and "Manage". +Select the printer and "Manage". -Select "Printer Properties". +Select "Printer Properties". -Select the "Sharing" tab. +Select the "Sharing" tab. If "Share this printer" is checked, select the "Security" tab. @@ -500,7 +500,7 @@ Copy or enter the lines below to the PowerShell window and enter. (Entering twic if ($lastLogin -eq $null) { $lastLogin = 'Never' } - Write-Host $user.Name $lastLogin $enabled + Write-Host $user.Name $lastLogin $enabled }" This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). 
@@ -940,7 +940,7 @@ For server core installations, run the following command: Secedit /export /areas USER_RIGHTS /cfg c:\path\UserRights.txt -The results in the file identify user right assignments by SID instead of group name. Review the SIDs for unidentified ones. A list of typical SIDs \ Groups is below, search Microsoft for articles on well known SIDs for others. +The results in the file identify user right assignments by SID instead of group name. Review the SIDs for unidentified ones. A list of typical SIDs \ Groups is below, search Microsoft for articles on well known SIDs for others. If any unresolved SIDs exist and are not for currently valid accounts or groups, this is a finding. 
@@ -1092,7 +1092,7 @@ Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "ClearTextPassword" equals "1" in the file, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>WN22-AU-000010Windows Server 2022 audit records must be backed up to a different system or media than the system being audited.<VulnDiscussion>Protection of log data includes ensuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-001851Establish and implement a process for backing up log data to another system or media other than the system being audited.Determine if a process to back up log data to a different system or media than the system being audited has been implemented. -If it has not, this is a finding.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>WN22-AU-000020Windows Server 2022 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly.<VulnDiscussion>Protection of log data includes assuring the log data is not accidentally lost or deleted. 
Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-001851Configure the system to, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly.Verify the audit records, at a minimum, are offloaded for interconnected systems in real time and offloaded for standalone or nondomain-joined systems weekly. +If it has not, this is a finding.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>WN22-AU-000020Windows Server 2022 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly.<VulnDiscussion>Protection of log data includes assuring the log data is not accidentally lost or deleted. 
Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-001851Configure the system to, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly.Verify the audit records, at a minimum, are offloaded for interconnected systems in real time and offloaded for standalone or nondomain-joined systems weekly. If they are not, this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>WN22-AU-000030Windows Server 2022 permissions for the Application event log must prevent access by nonprivileged accounts.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The Application event log may be susceptible to tampering if proper permissions are not applied. 
@@ -1168,7 +1168,7 @@ The default permissions below satisfy this requirement: TrustedInstaller - Full Control Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED APPLICATION PACKAGES - Read & ExecuteSRG-OS-000470-GPOS-00214<GroupDescription></GroupDescription>WN22-AU-000070Windows Server 2022 must be configured to audit Account Logon - Credential Validation successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Credential Validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> Audit Credential Validation with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. 
+Credential Validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> Audit Credential Validation with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1182,7 +1182,7 @@ If the system does not audit the following, this is a finding. Account Logon >> Credential Validation - SuccessSRG-OS-000470-GPOS-00214<GroupDescription></GroupDescription>WN22-AU-000080Windows Server 2022 must be configured to audit Account Logon - Credential Validation failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Credential Validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> Audit Credential Validation with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. 
+Credential Validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> Audit Credential Validation with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1198,7 +1198,7 @@ Account Logon >> Credential Validation - FailureDPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> Audit Other Account Management Events with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> Audit Other Account Management Events with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1214,7 +1214,7 @@ Account Management >> Other Account Management Events - SuccessDPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> Audit Security Group Management with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> Audit Security Group Management with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1230,7 +1230,7 @@ Account Management >> Security Group Management - Success< User Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts. -Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> Audit User Account Management with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. 
+Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> Audit User Account Management with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1246,7 +1246,7 @@ Account Management >> User Account Management - SuccessDPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> Audit User Account Management with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> Audit User Account Management with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1260,7 +1260,7 @@ If the system does not audit the following, this is a finding. Account Management >> User Account Management - FailureSRG-OS-000474-GPOS-00219<GroupDescription></GroupDescription>WN22-AU-000130Windows Server 2022 must be configured to audit Detailed Tracking - Plug and Play Events successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Plug and Play activity records events related to the successful connection of external devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> Audit PNP Activity with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. 
+Plug and Play activity records events related to the successful connection of external devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> Audit PNP Activity with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1276,7 +1276,7 @@ Detailed Tracking >> Plug and Play Events - SuccessDPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> Audit Process Creation with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> Audit Process Creation with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1292,7 +1292,7 @@ Detailed Tracking >> Process Creation - SuccessDPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-001404Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> Audit Account Lockout with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-001404Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> Audit Account Lockout with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1308,7 +1308,7 @@ Logon/Logoff >> Account Lockout - SuccessDPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-001404Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> Audit Account Lockout with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-001404Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> Audit Account Lockout with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1322,7 +1322,7 @@ If the system does not audit the following, this is a finding. Logon/Logoff >> Account Lockout - FailureSRG-OS-000470-GPOS-00214<GroupDescription></GroupDescription>WN22-AU-000170Windows Server 2022 must be configured to audit Logon/Logoff - Group Membership successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Audit Group Membership records information related to the group membership of a user's logon token.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> Audit Group Membership with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. 
+Audit Group Membership records information related to the group membership of a user's logon token.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> Audit Group Membership with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1336,7 +1336,7 @@ If the system does not audit the following, this is a finding. Logon/Logoff >> Group Membership - SuccessSRG-OS-000472-GPOS-00217<GroupDescription></GroupDescription>WN22-AU-000180Windows Server 2022 must be configured to audit logoff successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Logoff records user logoffs. If this is an interactive logoff, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> Audit Logoff with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Logoff records user logoffs. If this is an interactive logoff, it is recorded on the local system. 
If it is to a network share, it is recorded on the system accessed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> Audit Logoff with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1352,7 +1352,7 @@ Logon/Logoff >> Logoff - SuccessDPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000067CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> Audit Logon with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000067CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> Audit Logon with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1368,7 +1368,7 @@ Logon/Logoff >> Logon - SuccessDPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000067CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> Audit Logon with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000067CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> Audit Logon with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1384,7 +1384,7 @@ Logon/Logoff >> Logon - FailureDPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> Audit Special Logon with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Satisfies: SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> Audit Special Logon with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1426,7 +1426,7 @@ If the system does not audit the following, this is a finding. Object Access >> Other Object Access Events - FailureSRG-OS-000474-GPOS-00219<GroupDescription></GroupDescription>WN22-AU-000240Windows Server 2022 must be configured to audit Object Access - Removable Storage successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Removable Storage auditing under Object Access records events related to access attempts on file system objects on removable storage devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Removable Storage with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. 
+Removable Storage auditing under Object Access records events related to access attempts on file system objects on removable storage devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Removable Storage with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1442,7 +1442,7 @@ Object Access >> Removable Storage - Success Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding.SRG-OS-000474-GPOS-00219<GroupDescription></GroupDescription>WN22-AU-000250Windows Server 2022 must be configured to audit Object Access - Removable Storage failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Removable Storage auditing under Object Access records events related to access attempts on file system objects on removable storage devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Removable Storage with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing 
subcategories to be effective. +Removable Storage auditing under Object Access records events related to access attempts on file system objects on removable storage devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Removable Storage with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1460,7 +1460,7 @@ Virtual machines or systems that use network attached storage may generate exces Audit Policy Change records events related to changes in audit policy. -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> Audit Audit Policy Change with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. 
+Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> Audit Audit Policy Change with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1476,7 +1476,7 @@ Policy Change >> Audit Audit Policy Change - SuccessDPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> Audit Audit Policy Change with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> Audit Audit Policy Change with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1492,7 +1492,7 @@ Policy Change >> Audit Audit Policy Change - FailureDPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> Audit Authentication Policy Change with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> Audit Authentication Policy Change with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1508,7 +1508,7 @@ Policy Change >> Authentication Policy Change - SuccessDPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> Audit Authorization Policy Change with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> Audit Authorization Policy Change with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1524,7 +1524,7 @@ Policy Change >> Authorization Policy Change - SuccessDPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1540,7 +1540,7 @@ Privilege Use >> Sensitive Privilege Use - Success Sensitive Privilege Use records events related to use of sensitive privileges, such as "Act as part of the operating system" or "Debug programs". -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. 
+Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1556,7 +1556,7 @@ Privilege Use >> Sensitive Privilege Use - Failure IPsec Driver records events related to the IPsec Driver, such as dropped packets. -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> Audit IPsec Driver with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. 
+Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> Audit IPsec Driver with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1572,7 +1572,7 @@ System >> IPsec Driver - SuccessDPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> Audit IPsec Driver with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> Audit IPsec Driver with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1588,7 +1588,7 @@ System >> IPsec Driver - FailureDPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> Audit Other System Events with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> Audit Other System Events with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1604,7 +1604,7 @@ System >> Other System Events - SuccessDPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> Audit Other System Events with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> Audit Other System Events with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1620,7 +1620,7 @@ System >> Other System Events - FailureDPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> Audit Security State Chang with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> Audit Security State Chang with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1636,7 +1636,7 @@ System >> Security State Change - SuccessDPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> Audit Security System Extension with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> Audit Security System Extension with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1652,7 +1652,7 @@ System >> Security System Extension - SuccessDPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> Audit System Integrity with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> Audit System Integrity with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1668,7 +1668,7 @@ System >> System Integrity - SuccessDPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> Audit System Integrity with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> Audit System Integrity with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1680,11 +1680,11 @@ Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. -System >> System Integrity - FailureSRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN22-CC-000010Windows Server 2022 must prevent the display of slide shows on the lock screen.<VulnDiscussion>Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged-on user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> Control Panel >> Personalization >> Prevent enabling lock screen slide show to "Enabled".Verify the registry value below. +System >> System Integrity - FailureSRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN22-CC-000010Windows Server 2022 must prevent the display of slide shows on the lock screen.<VulnDiscussion>Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. 
Turning off this feature will limit access to the information to a logged-on user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> Control Panel >> Personalization >> Prevent enabling lock screen slide show to "Enabled".Verify the registry value below. If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ Value Name: NoLockScreenSlideshow @@ -1714,7 +1714,7 @@ Value: 0x00000002 (2)If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: DisableIPSourceRouting @@ -1724,7 +1724,7 @@ Value: 0x00000002 (2)If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: EnableICMPRedirect 
@@ -1773,7 +1773,7 @@ Additional entries would not be a finding.DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000135Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Audit Process Creation >> Include command line in process creation events to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ Value Name: ProcessCreationIncludeCmdLine_Enabled 
@@ -1860,7 +1860,7 @@ Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F- Value Name: NoGPOListChanges Type: REG_DWORD -Value: 0x00000000 (0)SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN22-CC-000150Windows Server 2022 downloading print driver packages over HTTP must be turned off.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. +Value: 0x00000000 (0)SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN22-CC-000150Windows Server 2022 downloading print driver packages over HTTP must be turned off.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. 
This setting prevents the computer from downloading print driver packages over HTTP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> Turn off downloading of print drivers over HTTP to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: 
@@ -1882,7 +1882,7 @@ Value Name: DisableHTTPPrinting Type: REG_DWORD Value: 0x00000001 (1)SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN22-CC-000170Windows Server 2022 network selection user interface (UI) must not be displayed on the logon screen.<VulnDiscussion>Enabling interaction with the network selection UI allows users to change connections to available networks without signing in to Windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> Do not display network selection UI to "Enabled".Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: DontDisplayNetworkSelectionUI 
@@ -2180,7 +2180,7 @@ Value Name: SafeForScripting Value Type: REG_DWORD Value: 0x00000000 (0) (or if the Value Name does not exist)SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>WN22-CC-000450Windows Server 2022 must disable automatically signing in the last interactive user after a system-initiated restart.<VulnDiscussion>Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is done in a secure fashion; however, disabling this will prevent the caching of credentials for this purpose and also ensure the user is aware of the restart.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Logon Options >> Sign-in and lock last interactive user automatically after a restart to "Disabled".Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableAutomaticRestartSignOn 
@@ -2190,7 +2190,7 @@ Value: 0x00000001 (1)DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000135Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> Turn on PowerShell Script Block Logging to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging 
@@ -2264,7 +2264,7 @@ Value Name: EnableTranscripting Value Type: REG_DWORD Value: 1SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN22-DC-000010Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system.<VulnDiscussion>An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify required security restrictions on that machine and make it vulnerable to attack. -System administrators must log on to systems using only accounts with the minimum level of authority necessary. +System administrators must log on to systems using only accounts with the minimum level of authority necessary. Standard user accounts must not be members of the built-in Administrators group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-002235Configure the Administrators group to include only administrator groups or accounts that are responsible for the system. @@ -2284,7 +2284,7 @@ Verify the following is configured in the Default Domain Policy: Open "Group Policy Management". -Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". 
@@ -2300,7 +2300,7 @@ Verify the following is configured in the Default Domain Policy: Open "Group Policy Management". -Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". @@ -2333,7 +2333,7 @@ Verify the following is configured in the Default Domain Policy: Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). - + Right-click on the "Default Domain Policy". Select "Edit". @@ -2349,7 +2349,7 @@ Verify the following is configured in the Default Domain Policy: Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). - + Right-click on the "Default Domain Policy". Select "Edit". @@ -2416,7 +2416,7 @@ Make note of the directory location of the SYSVOL share. By default, this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level. -If any standard user accounts or groups have greater than "Read & execute" permissions, this is a finding. +If any standard user accounts or groups have greater than "Read & execute" permissions, this is a finding. The default permissions noted below meet this requirement: 
@@ -2436,7 +2436,7 @@ NT AUTHORITY\SYSTEM:(F) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) CREATOR OWNER:(OI)(CI)(IO)(F) -(RX) - Read & execute +(RX) - Read & execute Run "icacls /help" to view definitions of other permission codes.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN22-DC-000090Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions.<VulnDiscussion>When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems relying on the directory service. @@ -2478,7 +2478,7 @@ If any standard user accounts or groups have "Allow" permissions greater than "R Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the Information System Security Officer (ISSO). -The default permissions noted below satisfy this requirement. +The default permissions noted below satisfy this requirement. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next "Advanced" button, the desired Permission entry, and the "Edit" button. 
@@ -2658,7 +2658,7 @@ If an Information System Security Officer (ISSO)-approved distributed administra If any OU with improper permissions includes identification or authentication data (e.g., accounts, passwords, or password hash data) used by systems to determine access control, the severity is CAT I (e.g., OUs that include user accounts, including service/application accounts). -If an OU with improper permissions does not include identification and authentication data used by systems to determine access control, the severity is CAT II (e.g., Workstation, Printer OUs).SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>WN22-DC-000120Windows Server 2022 data files owned by users must be on a different logical partition from the directory server data files.<VulnDiscussion>When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data. +If an OU with improper permissions does not include identification and authentication data used by systems to determine access control, the severity is CAT II (e.g., Workstation, Printer OUs).SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>WN22-DC-000120Windows Server 2022 data files owned by users must be on a different logical partition from the directory server data files.<VulnDiscussion>When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. 
Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data. The directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent preventing the directory service from acquiring more space for directory or audit data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-001090Move shares used to store files owned by users to a different logical partition than the directory server data files.This applies to domain controllers. It is NA for other systems. 
@@ -2676,7 +2676,7 @@ Note the logical drive(s) or file system partition for any organization-created Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative shares ending in $). User shares that are hidden (ending with $) must not be ignored. -If user shares are located on the same logical partition as the directory server data files, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN22-DC-000130Windows Server 2022 domain controllers must run on a machine dedicated to that function.<VulnDiscussion>Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts, increasing the attack surface of the computer. +If user shares are located on the same logical partition as the directory server data files, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN22-DC-000130Windows Server 2022 domain controllers must run on a machine dedicated to that function.<VulnDiscussion>Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts, increasing the attack surface of the computer. Some applications require the addition of privileged accounts, providing potential sources of compromise. Some applications (such as Microsoft Exchange) may require the use of network ports or services conflicting with the directory server. 
In this case, nonstandard ports might be selected, and this could interfere with intrusion detection or prevention services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000381Remove additional roles or applications such as web, database, and email from the domain controller.This applies to domain controllers, it is NA for other systems. @@ -2694,7 +2694,7 @@ Determine if any additional server roles are installed. A basic domain controlle - DNS Server - File and Storage Services -If any roles not requiring installation on a domain controller are installed, this is a finding. +If any roles not requiring installation on a domain controller are installed, this is a finding. A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements. 
@@ -2745,7 +2745,7 @@ If attribute data is displayed, anonymous access is enabled to the domain naming The following network controls allow the finding severity to be downgraded to a CAT II since these measures lower the risk associated with anonymous access. -Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. +Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>WN22-DC-000160Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity.<VulnDiscussion>The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability. @@ -2784,7 +2784,7 @@ At the "server connections:" prompt, enter "connect to server [host-name]" At the "server connections:" prompt, enter "q". -At the "ldap policy:" prompt, enter "show values". +At the "ldap policy:" prompt, enter "show values". If the value for MaxConnIdleTime is greater than "300" (5 minutes) or is not specified, this is a finding. 
@@ -2795,11 +2795,11 @@ Alternately, Dsquery can be used to display MaxConnIdleTime: Open "Command Prompt (Admin)". Enter the following command (on a single line). -dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits +dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil). -If the results do not specify a "MaxConnIdleTime" or it has a value greater than "300" (5 minutes), this is a finding.SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN22-DC-000170Windows Server 2022 Active Directory Group Policy objects must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. +If the results do not specify a "MaxConnIdleTime" or it has a value greater than "300" (5 minutes), this is a finding.SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN22-DC-000170Windows Server 2022 Active Directory Group Policy objects must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. 
A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes Group Policy objects. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
@@ -2879,7 +2879,7 @@ Type - Success Principal - Everyone Access - blank (Permissions: none selected; Properties: one instance - Write gPLink, one instance - Write gPOptions) Inherited from - Parent Object -Applies to - Descendant Organization Unit ObjectsSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN22-DC-000180Windows Server 2022 Active Directory Domain object must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. +Applies to - Descendant Organization Unit ObjectsSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN22-DC-000180Windows Server 2022 Active Directory Domain object must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Domain object. 
Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
@@ -2981,7 +2981,7 @@ Principal - Everyone Access - Special Inherited from - None Applies to - This object only -(Access - Special = Permissions: Write all properties, Modify permissions, Modify owner)SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN22-DC-000190Windows Server 2022 Active Directory Infrastructure object must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. +(Access - Special = Permissions: Write all properties, Modify permissions, Modify owner)SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN22-DC-000190Windows Server 2022 Active Directory Infrastructure object must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Infrastructure object. 
Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
@@ -3053,7 +3053,7 @@ Two instances with the following summary information will be listed: Type - Success Principal - Everyone Access - (blank) -Inherited from - (CN of domain)SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN22-DC-000200Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. +Inherited from - (CN of domain)SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN22-DC-000200Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Domain Controller OU object. 
Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
@@ -3142,7 +3142,7 @@ Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain) -Applies to - Descendant Organizational Unit objectsSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN22-DC-000210Windows Server 2022 Active Directory AdminSDHolder object must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. +Applies to - Descendant Organizational Unit objectsSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN22-DC-000210Windows Server 2022 Active Directory AdminSDHolder object must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the AdminSDHolder object. 
Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
@@ -3220,7 +3220,7 @@ Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain) -Applies to - Descendant Organizational Unit objectsSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN22-DC-000220Windows Server 2022 Active Directory RID Manager$ object must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. +Applies to - Descendant Organizational Unit objectsSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN22-DC-000220Windows Server 2022 Active Directory RID Manager$ object must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the RID Manager$ object. 
Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
@@ -3298,7 +3298,7 @@ Computer Account Management records events such as creating, changing, deleting, Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> Audit Computer Account Management with Success selected.This applies to domain controllers. It is NA for other systems. -Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -3316,7 +3316,7 @@ Audit Directory Service Access records events related to users accessing an Acti Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> Directory Service Access with Success selected.This applies to domain controllers. It is NA for other systems. -Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -3334,7 +3334,7 @@ Audit Directory Service Access records events related to users accessing an Acti Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> Directory Service Access with "Failure" selected.This applies to domain controllers. It is NA for other systems. -Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -3352,7 +3352,7 @@ Audit Directory Service Changes records events related to changes made to object Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> Directory Service Changes with "Success" selected.This applies to domain controllers. It is NA for other systems. -Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -3370,7 +3370,7 @@ Audit Directory Service Changes records events related to changes made to object Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> Directory Service Changes with "Failure" selected.This applies to domain controllers. It is NA for other systems. -Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN22-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -3428,7 +3428,7 @@ If the "Issued By" field of the PKI certificate being used by the domain control If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding. -There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: +There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. @@ -3498,7 +3498,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\NTDS\Parameters\ Value Name: LDAPServerIntegrity 
@@ -3508,13 +3508,13 @@ Value: 0x00000002 (2)SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN22-DC-000340Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and +Value: 0x00000000 (0)</check-content></check></Rule></Group><Group id="V-254418"><title>SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN22-DC-000340Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Access this computer from the network" right may access resources on the system, and this right must be limited to those requiring it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Access this computer from the network to include only the following accounts or groups: 
@@ -3769,7 +3769,7 @@ Enter a password that meets password complexity requirements. Clear the "User must change password at next logon" check box. -The system will automatically change this to a system-generated complex password.This requirement is applicable to domain controllers; it is NA for other systems. +The system will automatically change this to a system-generated complex password.This requirement is applicable to domain controllers; it is NA for other systems. Open "Windows PowerShell". @@ -3783,7 +3783,7 @@ For domain-joined member servers, the Domain Admins group must be replaced by a Standard user accounts must not be members of the built-in Administrators group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-002235Configure the local "Administrators" group to include only administrator groups or accounts responsible for administration of the system. -For domain-joined member servers, replace the Domain Admins group with a domain member server administrator group. +For domain-joined member servers, replace the Domain Admins group with a domain member server administrator group. Remove any standard user accounts.This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. 
@@ -3847,7 +3847,7 @@ Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: CachedLogonsCount Value Type: REG_SZ -Value: 4 (or less)SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN22-MS-000060Windows Server 2022 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems.<VulnDiscussion>The Windows SAM stores users' passwords. Restricting Remote Procedure Call (RPC) connections to the SAM to Administrators helps protect those credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-002235Navigate to the policy Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Restrict clients allowed to make remote calls to SAM. +Value: 4 (or less)SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN22-MS-000060Windows Server 2022 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems.<VulnDiscussion>The Windows SAM stores users' passwords. 
Restricting Remote Procedure Call (RPC) connections to the SAM to Administrators helps protect those credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-002235Navigate to the policy Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Restrict clients allowed to make remote calls to SAM. Select "Edit Security" to configure the "Security descriptor:". @@ -4160,7 +4160,7 @@ The use of Microsoft Local Administrator Password Solution (LAPS) or similar pro .... Strict separation of roles and duties. Server administrator credentials cannot be used on Windows 10 desktop to administer it. Documentation of all exceptions must be supplied. .... -Use of a Privileged Access Workstation (PAW) and adherence to the Clean Source principle for administering affected servers. +Use of a Privileged Access Workstation (PAW) and adherence to the Clean Source principle for administering affected servers. .... Boundary Protection that is currently in place to protect from vulnerabilities in the network/servers. .... @@ -4211,7 +4211,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter -If the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding. +If the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding. Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 
@@ -4285,7 +4285,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter -If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. +If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US @@ -4351,7 +4351,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter -If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. +If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US 
@@ -4411,7 +4411,7 @@ Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "EnableGuestAccount" equals "1" in the file, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN22-SO-000020Windows Server 2022 must prevent local accounts with blank passwords from being used from the network.<VulnDiscussion>An account without a password can allow unauthorized access to a system as only the username would be required. Password policies must prevent accounts with blank passwords from existing on a system. However, if a local account with a blank password does exist, enabling this setting will prevent network access, limiting the account to local console logon only.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Accounts: Limit local account use of blank passwords to console logon only to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse 
@@ -4443,7 +4443,7 @@ Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "NewGuestName" is not something other than "Guest" in the file, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>WN22-SO-000050Windows Server 2022 must force audit policy subcategory settings to override audit policy category settings.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. This setting allows administrators to enable more precise auditing capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000169Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy 
@@ -4453,7 +4453,7 @@ Value: 0x00000001 (1)DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-002418CCI-002421Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Domain member: Digitally encrypt or sign secure channel data (always) to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal 
@@ -4481,7 +4481,7 @@ Value Name: SignSecureChannel Value Type: REG_DWORD Value: 0x00000001 (1)SRG-OS-000379-GPOS-00164<GroupDescription></GroupDescription>WN22-SO-000090Windows Server 2022 computer account password must not be prevented from being reset.<VulnDiscussion>Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for the system. A new password for the computer account will be generated every 30 days.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-001967Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Domain member: Disable machine account password changes to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange @@ -4493,7 +4493,7 @@ Configure the policy value for Computer Configuration >> Windows Settings If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge 
@@ -4503,19 +4503,19 @@ Value: 0x0000001e (30) (or less, but not 0)DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-002418CCI-002421Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Domain member: Require strong (Windows 2000 or Later) session key to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value Type: REG_DWORD Value: 0x00000001 (1) - + This setting may prevent a system from being joined to a domain if not configured consistently between systems.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>WN22-SO-000120Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver.<VulnDiscussion>Unattended systems are susceptible to unauthorized use and must be locked when unattended. The screen saver must be set at a maximum of 15 minutes and be password protected. This protects critical and sensitive data from exposure to unauthorized personnel with physical access to the computer. 
Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000056CCI-000057CCI-000060Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Interactive logon: Machine inactivity limit to "900" seconds or less, excluding "0" which is effectively disabled.If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs @@ -4539,7 +4539,7 @@ By using this IS (which includes any device attached to this IS), you consent to -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeText 
@@ -4561,11 +4561,11 @@ By using this IS (which includes any device attached to this IS), you consent to -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>WN22-SO-000140Windows Server 2022 title for legal banner dialog box must be configured with the appropriate text.<VulnDiscussion>Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. -Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000048CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Interactive Logon: Message title for users attempting to log on to "DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. 
+Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000048CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Interactive Logon: Message title for users attempting to log on to "DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. If an organization-defined title is used, it can in no case contravene or modify the language of the message text required in WN22-SO-000150.If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeCaption 
@@ -4573,15 +4573,15 @@ Value Name: LegalNoticeCaption Value Type: REG_SZ Value: See message title options below -"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. +"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN22-SO-000150. Automated tools may only search for the titles defined above. If an organization-defined title is used, a manual review will be required.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN22-SO-000150Windows Server 2022 Smart Card removal option must be configured to Force Logoff or Lock Workstation.<VulnDiscussion>Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Interactive logon: Smart card removal behavior to "Lock Workstation" or "Force Logoff".If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ - + Value Name: scremoveoption Value Type: REG_SZ 
@@ -4591,7 +4591,7 @@ If configuring this on servers causes issues, such as terminating users' remote Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-002418CCI-002421Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Microsoft network client: Digitally sign communications (always) to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature @@ -4601,7 +4601,7 @@ Value: 0x00000001 (1)DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-002418CCI-002421Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Microsoft network client: Digitally sign communications (if server agrees) to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature 
@@ -4619,7 +4619,7 @@ Value: 0x00000000 (0)CCI-002418CCI-002421Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Microsoft network server: Digitally sign communications (always) to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature @@ -4629,7 +4629,7 @@ Value: 0x00000001 (1)DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-002418CCI-002421Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Microsoft network server: Digitally sign communications (if client agrees) to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature 
@@ -4643,7 +4643,7 @@ Navigate to Local Computer Policy >> Computer Configuration >> Windo If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN22-SO-000220Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.<VulnDiscussion>Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Do not allow anonymous enumeration of SAM accounts to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM 
@@ -4651,7 +4651,7 @@ Value Name: RestrictAnonymousSAM Value Type: REG_DWORD Value: 0x00000001 (1)SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>WN22-SO-000230Windows Server 2022 must not allow anonymous enumeration of shares.<VulnDiscussion>Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-001090Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Do not allow anonymous enumeration of SAM accounts and shares to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous 
@@ -4659,7 +4659,7 @@ Value Name: RestrictAnonymous Value Type: REG_DWORD Value: 0x00000001 (1)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN22-SO-000240Windows Server 2022 must be configured to prevent anonymous users from having the same permissions as the Everyone group.<VulnDiscussion>Access by anonymous users must be restricted. If this setting is enabled, anonymous users have the same rights and permissions as the built-in Everyone group. Anonymous users must not have these permissions or rights.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Let Everyone permissions apply to anonymous users to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous 
@@ -4667,7 +4667,7 @@ Value Name: EveryoneIncludesAnonymous Value Type: REG_DWORD Value: 0x00000000 (0)SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>WN22-SO-000250Windows Server 2022 must restrict anonymous access to Named Pipes and Shares.<VulnDiscussion>Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. This setting restricts access to those defined in "Network access: Named Pipes that can be accessed anonymously" and "Network access: Shares that can be accessed anonymously", both of which must be blank under other requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-001090Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Restrict anonymous access to Named Pipes and Shares to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess 
@@ -4715,7 +4715,7 @@ Value Name: SupportedEncryptionTypes Value Type: REG_DWORD Value: 0x7ffffff8 (2147483640)SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>WN22-SO-000300Windows Server 2022 must be configured to prevent the storage of the LAN Manager hash of passwords.<VulnDiscussion>The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether a LAN Manager hash of the password is stored in the SAM the next time the password is changed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000196Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: Do not store LAN Manager hash value on next password change to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash 
@@ -4731,7 +4731,7 @@ Value Name: LmCompatibilityLevel Value Type: REG_DWORD Value: 0x00000005 (5)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN22-SO-000320Windows Server 2022 must be configured to at least negotiate signing for LDAP client signing.<VulnDiscussion>This setting controls the signing requirements for LDAP clients. This must be set to "Negotiate signing" or "Require signing", depending on the environment and type of LDAP server in use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: LDAP client signing requirements to "Negotiate signing" at a minimum.If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity 
@@ -4739,7 +4739,7 @@ Value Name: LDAPClientIntegrity Value Type: REG_DWORD Value: 0x00000001 (1)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN22-SO-000330Windows Server 2022 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.<VulnDiscussion>Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: Minimum session security for NTLM SSP based (including secure RPC) clients to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec 
@@ -4747,7 +4747,7 @@ Value Name: NTLMMinClientSec Value Type: REG_DWORD Value: 0x20080000 (537395200)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN22-SO-000340Windows Server 2022 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.<VulnDiscussion>Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: Minimum session security for NTLM SSP based (including secure RPC) servers to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec 
@@ -4776,10 +4776,10 @@ Value Name: Enabled Value Type: REG_DWORD Value: 0x00000001 (1) - + Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS; otherwise the browser will not be able to connect to a secure site.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN22-SO-000370Windows Server 2022 default permissions of global system objects must be strengthened.<VulnDiscussion>Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created with a default Discretionary Access Control List (DACL) that specifies who can access the objects with what permissions. When this policy is enabled, the default DACL is stronger, allowing nonadministrative users to read shared objects but not to modify shared objects they did not create.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\ Value Name: ProtectionMode 
@@ -4791,7 +4791,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken @@ -4801,7 +4801,7 @@ Value: 0x00000001 (1) \ No newline at end of file +The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060).
diff --git a/collections/ansible_collections/demo/patching/plugins/modules/scan_packages.py b/collections/ansible_collections/demo/patching/plugins/modules/scan_packages.py
index 039e5b23f..6e06be0c1 100644
--- a/collections/ansible_collections/demo/patching/plugins/modules/scan_packages.py
+++ b/collections/ansible_collections/demo/patching/plugins/modules/scan_packages.py
@@ -1,16 +1,16 @@
 #!/usr/bin/env python
-from ansible.module_utils.basic import * # noqa
+from ansible.module_utils.basic import * # noqa
-DOCUMENTATION = '''
+DOCUMENTATION = """
 ---
 module: scan_packages
 short_description: Return installed packages information as fact data
 description:
 - Return information about installed packages as fact data
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = """
 # Example fact output:
 # host | success >> {
 # "ansible_facts": {
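Review bot: The reformatted import line on the new side is still `from ansible.module_utils.basic import *  # noqa`, which pulls every name of `ansible.module_utils.basic` into the module namespace and needs the `noqa` only to hide that from the linter. The module uses nothing but `AnsibleModule` (see `main()` in the third hunk), so `from ansible.module_utils.basic import AnsibleModule` makes the dependency explicit and drops the suppression; ansible-test's sanity checks also flag wildcard imports in modules. The same star import is kept in the first hunk of scan_services.py.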
@@ -34,21 +34,23 @@
 # "name": "gcc-4.8-base"
 # }
 # ]
-'''
+"""
 def rpm_package_list():
 import rpm
+
 trans_set = rpm.TransactionSet()
 installed_packages = []
 for package in trans_set.dbMatch():
 package_details = {
- 'name':package[rpm.RPMTAG_NAME],
- 'version':package[rpm.RPMTAG_VERSION],
- 'release':package[rpm.RPMTAG_RELEASE],
- 'epoch':package[rpm.RPMTAG_EPOCH],
- 'arch':package[rpm.RPMTAG_ARCH],
- 'source':'rpm' }
+ "name": package[rpm.RPMTAG_NAME],
+ "version": package[rpm.RPMTAG_VERSION],
+ "release": package[rpm.RPMTAG_RELEASE],
+ "epoch": package[rpm.RPMTAG_EPOCH],
+ "arch": package[rpm.RPMTAG_ARCH],
+ "source": "rpm",
+ }
 if installed_packages == []:
 installed_packages = [package_details]
 else:
@@ -58,16 +60,20 @@ def rpm_package_list():
 def deb_package_list():
 import apt
+
 apt_cache = apt.Cache()
 installed_packages = []
- apt_installed_packages = [pk for pk in apt_cache.keys() if apt_cache[pk].is_installed]
+ apt_installed_packages = [
+ pk for pk in apt_cache.keys() if apt_cache[pk].is_installed
+ ]
 for package in apt_installed_packages:
 ac_pkg = apt_cache[package].installed
 package_details = {
- 'name':package,
- 'version':ac_pkg.version,
- 'arch':ac_pkg.architecture,
- 'source':'apt'}
+ "name": package,
+ "version": ac_pkg.version,
+ "arch": ac_pkg.architecture,
+ "source": "apt",
+ }
 if installed_packages == []:
 installed_packages = [package_details]
 else:
@@ -76,13 +82,11 @@ def deb_package_list():
 def main():
- module = AnsibleModule(
- argument_spec = dict(os_family=dict(required=True))
- )
- ans_os = module.params['os_family']
- if ans_os in ('RedHat', 'Suse', 'openSUSE Leap'):
+ module = AnsibleModule(argument_spec=dict(os_family=dict(required=True)))
+ ans_os = module.params["os_family"]
+ if ans_os in ("RedHat", "Suse", "openSUSE Leap"):
 packages = rpm_package_list()
- elif ans_os == 'Debian':
+ elif ans_os == "Debian":
 packages = deb_package_list()
 else:
 packages = None
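Review bot: The `if installed_packages == []: installed_packages = [package_details]` special case survives the reformat at the end of both the rpm_package_list and deb_package_list hunks; `list.append` already handles the empty list, so the whole branch can collapse to `installed_packages.append(package_details)`. The `else:` branch of both functions lies outside these hunks, so I am assuming it does the append. Folding the two branches also removes the duplicated accumulation logic between the two functions.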
@@ -94,4 +98,4 @@ def main():
 module.exit_json(**results)
-main()
\ No newline at end of file
+main()
diff --git a/collections/ansible_collections/demo/patching/plugins/modules/scan_services.py b/collections/ansible_collections/demo/patching/plugins/modules/scan_services.py
index c4de33c2c..3a1a7e470 100644
--- a/collections/ansible_collections/demo/patching/plugins/modules/scan_services.py
+++ b/collections/ansible_collections/demo/patching/plugins/modules/scan_services.py
@@ -1,46 +1,47 @@
 #!/usr/bin/env python
 import re
-from ansible.module_utils.basic import * # noqa
+from ansible.module_utils.basic import * # noqa
-DOCUMENTATION = '''
+DOCUMENTATION = """
 ---
 module: scan_services
 short_description: Return service state information as fact data
 description:
 - Return service state information as fact data for various service management utilities
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = """
+---
 - monit: scan_services
+
 # Example fact output:
 # host | success >> {
-# "ansible_facts": {
-# "services": {
-# "network": {
-# "source": "sysv",
-# "state": "running",
-# "name": "network"
-# },
-# "arp-ethers.service": {
-# "source": "systemd",
-# "state": "stopped",
-# "name": "arp-ethers.service"
-# }
-# }
+# "ansible_facts": {
+# "services": {
+# "network": {
+# "source": "sysv",
+# "state": "running",
+# "name": "network"
+# },
+# "arp-ethers.service": {
+# "source": "systemd",
+# "state": "stopped",
+# "name": "arp-ethers.service"
+# }
+# }
 # }
-'''
+# } """
 class BaseService(object):
-
 def __init__(self, module):
 self.module = module
 self.incomplete_warning = False
 class ServiceScanService(BaseService):
-
 def gather_services(self):
 services = {}
 service_path = self.module.get_bin_path("service")
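Review bot: `main()` is still invoked unconditionally at module level on the new side of this hunk, so merely importing scan_packages.py (for example from a test harness or a documentation tool) runs the module; the Ansible convention is `if __name__ == "__main__":` followed by `    main()`. The same bare `main()` is kept at the end of scan_services.py in the last hunk of that file.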
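Review bot: The EXAMPLES block of scan_services.py gains a `---` document start but keeps `- monit: scan_services` as its only example, which is a task for a module named `monit` with the string `scan_services` as its argument, not an invocation of this module. A usable example would be a named task calling the module by its FQCN, which from the file's path would be `demo.patching.scan_services:` with no arguments (the `argument_spec` in the last hunk is empty); please confirm the namespace against `galaxy.yml`. The same `monit` placeholder is carried over unchanged in the win_scan_packages.py and win_scan_services.py hunks of this commit.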
@@ -51,94 +52,125 @@ def gather_services(self):
 # sysvinit
 if service_path is not None and chkconfig_path is None:
- rc, stdout, stderr = self.module.run_command("%s --status-all 2>&1 | grep -E \"\\[ (\\+|\\-) \\]\"" % service_path, use_unsafe_shell=True)
+ rc, stdout, stderr = self.module.run_command(
+ '%s --status-all 2>&1 | grep -E "\\[ (\\+|\\-) \\]"' % service_path,
+ use_unsafe_shell=True,
+ )
 for line in stdout.split("\n"):
 line_data = line.split()
 if len(line_data) < 4:
- continue # Skipping because we expected more data
+ continue # Skipping because we expected more data
 service_name = " ".join(line_data[3:])
 if line_data[1] == "+":
 service_state = "running"
 else:
 service_state = "stopped"
- services[service_name] = {"name": service_name, "state": service_state, "source": "sysv"}
+ services[service_name] = {
+ "name": service_name,
+ "state": service_state,
+ "source": "sysv",
+ }
 # Upstart
 if initctl_path is not None and chkconfig_path is None:
- p = re.compile('^\s?(?P.*)\s(?P\w+)\/(?P\w+)(\,\sprocess\s(?P[0-9]+))?\s*$')
+ p = re.compile(
+ "^\s?(?P.*)\s(?P\w+)\/(?P\w+)(\,\sprocess\s(?P[0-9]+))?\s*$"
+ )
 rc, stdout, stderr = self.module.run_command("%s list" % initctl_path)
- real_stdout = stdout.replace("\r","")
+ real_stdout = stdout.replace("\r", "")
 for line in real_stdout.split("\n"):
 m = p.match(line)
 if not m:
 continue
- service_name = m.group('name')
- service_goal = m.group('goal')
- service_state = m.group('state')
- if m.group('pid'):
- pid = m.group('pid')
+ service_name = m.group("name")
+ service_goal = m.group("goal")
+ service_state = m.group("state")
+ if m.group("pid"):
+ pid = m.group("pid")
 else:
 pid = None # NOQA
- payload = {"name": service_name, "state": service_state, "goal": service_goal, "source": "upstart"}
+ payload = {
+ "name": service_name,
+ "state": service_state,
+ "goal": service_goal,
+ "source": "upstart",
+ }
 services[service_name] = payload
 # RH sysvinit
 elif chkconfig_path is not None:
- #print '%s --status-all |
grep -E "is (running|stopped)"' % service_path
+ # print '%s --status-all | grep -E "is (running|stopped)"' % service_path
 p = re.compile(
- '(?P.*?)\s+[0-9]:(?Pon|off)\s+[0-9]:(?Pon|off)\s+[0-9]:(?Pon|off)\s+'
- '[0-9]:(?Pon|off)\s+[0-9]:(?Pon|off)\s+[0-9]:(?Pon|off)\s+[0-9]:(?Pon|off)')
- rc, stdout, stderr = self.module.run_command('%s' % chkconfig_path, use_unsafe_shell=True)
+ "(?P.*?)\s+[0-9]:(?Pon|off)\s+[0-9]:(?Pon|off)\s+[0-9]:(?Pon|off)\s+"
+ "[0-9]:(?Pon|off)\s+[0-9]:(?Pon|off)\s+[0-9]:(?Pon|off)\s+[0-9]:(?Pon|off)"
+ )
+ rc, stdout, stderr = self.module.run_command(
+ "%s" % chkconfig_path, use_unsafe_shell=True
+ )
 # Check for special cases where stdout does not fit pattern
 match_any = False
- for line in stdout.split('\n'):
+ for line in stdout.split("\n"):
 if p.match(line):
 match_any = True
 if not match_any:
- p_simple = re.compile('(?P.*?)\s+(?Pon|off)')
+ p_simple = re.compile("(?P.*?)\s+(?Pon|off)")
 match_any = False
- for line in stdout.split('\n'):
+ for line in stdout.split("\n"):
 if p_simple.match(line):
 match_any = True
 if match_any:
 # Try extra flags " -l --allservices" needed for SLES11
- rc, stdout, stderr = self.module.run_command('%s -l --allservices' % chkconfig_path, use_unsafe_shell=True)
- elif '--list' in stderr:
+ rc, stdout, stderr = self.module.run_command(
+ "%s -l --allservices" % chkconfig_path, use_unsafe_shell=True
+ )
+ elif "--list" in stderr:
 # Extra flag needed for RHEL5
- rc, stdout, stderr = self.module.run_command('%s --list' % chkconfig_path, use_unsafe_shell=True)
- for line in stdout.split('\n'):
+ rc, stdout, stderr = self.module.run_command(
+ "%s --list" % chkconfig_path, use_unsafe_shell=True
+ )
+ for line in stdout.split("\n"):
 m = p.match(line)
 if m:
- service_name = m.group('service')
- service_state = 'stopped'
- if m.group('rl3') == 'on':
- rc, stdout, stderr = self.module.run_command('%s %s status' % (service_path, service_name), use_unsafe_shell=True)
+ service_name = m.group("service")
+ service_state
= "stopped"
+ if m.group("rl3") == "on":
+ rc, stdout, stderr = self.module.run_command(
+ "%s %s status" % (service_path, service_name),
+ use_unsafe_shell=True,
+ )
 service_state = rc
 if rc in (0,):
- service_state = 'running'
- #elif rc in (1,3):
+ service_state = "running"
+ # elif rc in (1,3):
 else:
- if 'root' in stderr or 'permission' in stderr.lower() or 'not in sudoers' in stderr.lower():
+ if (
+ "root" in stderr
+ or "permission" in stderr.lower()
+ or "not in sudoers" in stderr.lower()
+ ):
 self.incomplete_warning = True
 continue
 else:
- service_state = 'stopped'
- service_data = {"name": service_name, "state": service_state, "source": "sysv"}
+ service_state = "stopped"
+ service_data = {
+ "name": service_name,
+ "state": service_state,
+ "source": "sysv",
+ }
 services[service_name] = service_data
 return services
 class SystemctlScanService(BaseService):
-
 def systemd_enabled(self):
 # Check if init is the systemd command, using comm as cmdline could be symlink
 try:
- f = open('/proc/1/comm', 'r')
+ f = open("/proc/1/comm", "r")
 except IOError:
 # If comm doesn't exist, old kernel, no systemd
 return False
 for line in f:
- if 'systemd' in line:
+ if "systemd" in line:
 return True
 return False
@@ -146,10 +178,16 @@ def gather_services(self):
 services = {}
 if not self.systemd_enabled():
 return None
- systemctl_path = self.module.get_bin_path("systemctl", opt_dirs=["/usr/bin", "/usr/local/bin"])
+ systemctl_path = self.module.get_bin_path(
+ "systemctl", opt_dirs=["/usr/bin", "/usr/local/bin"]
+ )
 if systemctl_path is None:
 return None
- rc, stdout, stderr = self.module.run_command("%s list-unit-files --type=service | tail -n +2 | head -n -2" % systemctl_path, use_unsafe_shell=True)
+ rc, stdout, stderr = self.module.run_command(
+ "%s list-unit-files --type=service | tail -n +2 | head -n -2"
+ % systemctl_path,
+ use_unsafe_shell=True,
+ )
 for line in stdout.split("\n"):
 line_data = line.split()
 if len(line_data) != 2:
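Review bot: In the RH sysvinit branch, `service_path` is interpolated into `"%s %s status" % (service_path, service_name)` although only the first branch checks that `get_bin_path("service")` returned a value, so on a host with `chkconfig` but no `service` binary the shell is handed `None <name> status` under `use_unsafe_shell=True`. The call needs no shell features, so guard it with `if service_path is not None:` and pass an argument list, `self.module.run_command([service_path, service_name, "status"])`, which also keeps `service_name` (parsed from chkconfig output) out of shell parsing entirely. The `systemctl list-unit-files ... | tail -n +2 | head -n -2` call in the next hunk of this file uses `use_unsafe_shell=True` for the same reason, and the pipeline appears to exist only to strip the header and legend, which `--no-legend` does without a shell. The `re.compile(...)` patterns in the Upstart and chkconfig branches were re-quoted but not made raw strings, and escapes such as `\s` and `\/` in plain strings are invalid escapes that recent Python versions warn about; an `r` prefix fixes that. Further down in the same hunk, `systemd_enabled` never closes the `/proc/1/comm` handle; `with open("/proc/1/comm", "r") as f:` would.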
@@ -158,12 +196,16 @@ def gather_services(self):
 state_val = "running"
 else:
 state_val = "stopped"
- services[line_data[0]] = {"name": line_data[0], "state": state_val, "source": "systemd"}
+ services[line_data[0]] = {
+ "name": line_data[0],
+ "state": state_val,
+ "source": "systemd",
+ }
 return services
 def main():
- module = AnsibleModule(argument_spec = dict())
+ module = AnsibleModule(argument_spec=dict())
 service_modules = (ServiceScanService, SystemctlScanService)
 all_services = {}
 incomplete_warning = False
@@ -175,12 +217,17 @@ def main():
 if svcmod.incomplete_warning:
 incomplete_warning = True
 if len(all_services) == 0:
- results = dict(skipped=True, msg="Failed to find any services. Sometimes this is due to insufficient privileges.")
+ results = dict(
+ skipped=True,
+ msg="Failed to find any services. Sometimes this is due to insufficient privileges.",
+ )
 else:
 results = dict(ansible_facts=dict(services=all_services))
 if incomplete_warning:
- results['msg'] = "WARNING: Could not find status for all services. Sometimes this is due to insufficient privileges."
+ results[
+ "msg"
+ ] = "WARNING: Could not find status for all services. Sometimes this is due to insufficient privileges."
 module.exit_json(**results)
-main()
\ No newline at end of file
+main()
diff --git a/collections/ansible_collections/demo/patching/plugins/modules/win_scan_packages.ps1 b/collections/ansible_collections/demo/patching/plugins/modules/win_scan_packages.ps1
index 0062f314a..2ab3fdbec 100644
--- a/collections/ansible_collections/demo/patching/plugins/modules/win_scan_packages.ps1
+++ b/collections/ansible_collections/demo/patching/plugins/modules/win_scan_packages.ps1
@@ -63,4 +63,4 @@ $result = New-Object psobject @{
 changed = $false
 }
-Exit-Json $result;
\ No newline at end of file
+Exit-Json $result;
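Review bot: The subscript assignment in `main()` is now split across three lines (`results[`, `"msg"`, `] = "WARNING: ..."`) purely because the message string exceeds the line length, which reads poorly and may be re-flowed again by a later formatter version. Bind the text first and keep the assignment on one line, e.g. `msg = ("WARNING: Could not find status for all services. " "Sometimes this is due to insufficient privileges.")` followed by `results["msg"] = msg`; the `skipped=True` message a few lines up would benefit from the same treatment.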
diff --git a/collections/ansible_collections/demo/patching/plugins/modules/win_scan_packages.py b/collections/ansible_collections/demo/patching/plugins/modules/win_scan_packages.py
index 328181887..e83e0f842 100644
--- a/collections/ansible_collections/demo/patching/plugins/modules/win_scan_packages.py
+++ b/collections/ansible_collections/demo/patching/plugins/modules/win_scan_packages.py
@@ -1,31 +1,34 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
+!/usr/bin/env python
+ -*- coding: utf-8 -*-
-DOCUMENTATION = '''
+DOCUMENTATION = """
 ---
 module: win_scan_packages
 short_description: Return Package state information as fact data
 description:
 - Return Package state information as fact data for various Packages
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = """
 - monit: win_scan_packages
-# Example fact output:
-# host | success >> {
-# "ansible_facts": {
-# "packages": [
- {
- "name": "Mozilla Firefox 76.0.1 (x64 en-US)",
- "version": "76.0.1",
- "publisher": "Mozilla",
- "arch": "Win64"
- },
- {
- "name": "Mozilla Maintenance Service",
- "version": "76.0.1",
- "publisher": "Mozilla",
- "arch": "Win64"
- },
+
+# Example fact output:
+# host | success >> {
+# "ansible_facts": {
+# "packages": [
+# {
+# "name": "Mozilla Firefox 76.0.1 (x64 en-US)",
+# "version": "76.0.1",
+# "publisher": "Mozilla",
+# "arch": "Win64"
+# },
+# {
+# "name": "Mozilla Maintenance Service",
+# "version": "76.0.1",
+# "publisher": "Mozilla",
+# "arch": "Win64"
+# }
+# ]
 # }
-'''
\ No newline at end of file
+# }
+"""
diff --git a/collections/ansible_collections/demo/patching/plugins/modules/win_scan_services.ps1 b/collections/ansible_collections/demo/patching/plugins/modules/win_scan_services.ps1
index 4a5f840bd..3de8ac4c9 100644
--- a/collections/ansible_collections/demo/patching/plugins/modules/win_scan_services.ps1
+++ b/collections/ansible_collections/demo/patching/plugins/modules/win_scan_services.ps1
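Review bot: The first two lines of win_scan_packages.py on the new side read `!/usr/bin/env python` and ` -*- coding: utf-8 -*-`, i.e. the leading `#` that made them a shebang and an encoding comment has been removed, so the file is no longer valid Python and anything that parses it to read `DOCUMENTATION`/`EXAMPLES` (ansible-doc, ansible-test sanity, ansible-lint) will fail with a SyntaxError. They should be `#!/usr/bin/env python` and `# -*- coding: utf-8 -*-`, matching the unchanged header of win_scan_services.py later in this commit. If the rendering here dropped the `#` rather than the commit, please double-check the file as committed.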
@@ -27,4 +27,4 @@ $result = New-Object psobject @{ changed = $false } -Exit-Json $result; \ No newline at end of file +Exit-Json $result; diff --git a/collections/ansible_collections/demo/patching/plugins/modules/win_scan_services.py b/collections/ansible_collections/demo/patching/plugins/modules/win_scan_services.py index caae37d58..a25ac9f2f 100644 --- a/collections/ansible_collections/demo/patching/plugins/modules/win_scan_services.py +++ b/collections/ansible_collections/demo/patching/plugins/modules/win_scan_services.py @@ -1,34 +1,37 @@ #!/usr/bin/env python # -*- coding: utf-8 -*- -DOCUMENTATION = ''' +DOCUMENTATION = """ --- module: win_scan_services short_description: Return service state information as fact data description: - Return service state information as fact data for various service management utilities -''' +""" -EXAMPLES = ''' +EXAMPLES = """ - monit: win_scan_services + # Example fact output: # host | success >> { -# "ansible_facts": { -# "services": [ - { - "name": "AllJoyn Router Service", - "win_svc_name": "AJRouter", - "state": "stopped" - }, - { - "name": "Application Layer Gateway Service", - "win_svc_name": "ALG", - "state": "stopped" - }, - { - "name": "Application Host Helper Service", - "win_svc_name": "AppHostSvc", - "state": "running" - }, +# "ansible_facts": { +# "services": [ +# { +# "name": "AllJoyn Router Service", +# "win_svc_name": "AJRouter", +# "state": "stopped" +# }, +# { +# "name": "Application Layer Gateway Service", +# "win_svc_name": "ALG", +# "state": "stopped" +# }, +# { +# "name": "Application Host Helper Service", +# "win_svc_name": "AppHostSvc", +# "state": "running" +# } +# ] # } -''' \ No newline at end of file +# } +""" diff --git a/collections/ansible_collections/demo/patching/roles/build_report_network/README.md b/collections/ansible_collections/demo/patching/roles/build_report_network/README.md index a8b311ae3..6b6dadb44 100644 
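Review bot: The EXAMPLES block in win_scan_services.py invokes the module as `- monit: win_scan_services`, which is the name of an unrelated module, so a user copying the example would not call this module at all. Replace it with a task using this collection's FQCN, e.g. `- name: Gather Windows service facts` / `  demo.patching.win_scan_services:`. The rest of the hunk only re-quotes the docstrings and comments out the sample output, which is fine.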
--- a/collections/ansible_collections/demo/patching/roles/build_report_network/README.md +++ b/collections/ansible_collections/demo/patching/roles/build_report_network/README.md @@ -32,5 +32,5 @@ The role can be used to create an html report on any number of Linux hosts using - name: Run Network Report import_role: name: shadowman.reports.build_report_network - -``` \ No newline at end of file + +``` diff --git a/collections/ansible_collections/demo/patching/roles/build_report_network/vars/main.yml b/collections/ansible_collections/demo/patching/roles/build_report_network/vars/main.yml index a14fdcfdd..b249dfc86 100644 --- a/collections/ansible_collections/demo/patching/roles/build_report_network/vars/main.yml +++ b/collections/ansible_collections/demo/patching/roles/build_report_network/vars/main.yml @@ -1,12 +1,12 @@ --- -file_path: "{{ web_path | default('/var/www/html/reports') }}" -vendor: +file_path: "{{ web_path | default('/var/www/html/reports') }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +vendor: # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way ios: &my_value 'Cisco' nxos: *my_value iosxr: *my_value junos: "Juniper" eos: "Arista" -transport: +transport: # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way cliconf: "Network_CLI" netconf: "NETCONF" nxapi: "NX-API" diff --git a/collections/ansible_collections/demo/patching/roles/build_report_windows/README.md b/collections/ansible_collections/demo/patching/roles/build_report_windows/README.md index 93d6df474..4e6f320e1 100644 --- a/collections/ansible_collections/demo/patching/roles/build_report_windows/README.md +++ b/collections/ansible_collections/demo/patching/roles/build_report_windows/README.md 
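Review bot: The same `# noqa var-naming[no-role-prefix] - TODO …` suppression is pasted onto each variable in this vars file and repeated in every other vars/defaults file in the commit, which leaves no single place to track or lift the exception and makes it easy to copy onto new variables without thought. Prefer one entry in `.ansible-lint` (`warn_list` or `skip_list` with `var-naming[no-role-prefix]`) and a single tracked TODO, then drop the inline comments. If inline suppression is kept, trim it to `# noqa: var-naming[no-role-prefix]` so the trailing free text cannot be misread as additional rule ids.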
@@ -32,5 +32,5 @@ The role can be used to create an html report on any number of Linux hosts using - name: Run Windows Report import_role: name: shadowman.reports.build_report_windows - -``` \ No newline at end of file + +``` diff --git a/collections/ansible_collections/demo/patching/roles/build_report_windows/defaults/main.yml b/collections/ansible_collections/demo/patching/roles/build_report_windows/defaults/main.yml index 667052d47..6cb18f4da 100644 --- a/collections/ansible_collections/demo/patching/roles/build_report_windows/defaults/main.yml +++ b/collections/ansible_collections/demo/patching/roles/build_report_windows/defaults/main.yml @@ -1,2 +1,2 @@ --- -detailedreport: true +detailedreport: true # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/patching/roles/build_report_windows/files/css/new.css b/collections/ansible_collections/demo/patching/roles/build_report_windows/files/css/new.css index f58d18f1b..afa6382d7 100644 --- a/collections/ansible_collections/demo/patching/roles/build_report_windows/files/css/new.css +++ b/collections/ansible_collections/demo/patching/roles/build_report_windows/files/css/new.css @@ -5,33 +5,33 @@ p.hostname { margin: auto; width: 50%; } - + #subtable { background: #ebebeb; margin: 0px; width: 100%; } - + #subtable tbody tr td { padding: 5px 5px 5px 5px; } - + #subtable thead th { padding: 5px; } - + * { -moz-box-sizing: border-box; -webkit-box-sizing: border-box; box-sizing: border-box; font-family: "Open Sans", "Helvetica"; - + } - + a { color: #ffffff; } - + p { color: #ffffff; } @@ -39,14 +39,14 @@ p.hostname { text-align: center; color: #ffffff; } - + body { background:#353a40; padding: 0px; margin: 0px; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; } - + table { border-collapse: separate; background:#fff; 
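Review bot: `detailedreport: true` in build_report_windows/defaults/main.yml is a YAML boolean, but this role's templates/report.j2 (visible as a context line later in this commit) tests `{% if detailedreport == 'True' %}`, a string comparison that is false for the boolean default, so the detailed sections are only rendered when the variable is supplied as the literal string 'True' from a survey or extra var. Either make the template robust with `{% if detailedreport | bool %}` or, if the default must stay as is, document that behaviour next to the default. The added noqa comment is unrelated to this mismatch.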
@@ -57,11 +57,11 @@ p.hostname { .main_net_table { margin:50px auto; } - + thead { @include border-radius(5px); } - + thead th { font-size:16px; font-weight:400; @@ -71,16 +71,16 @@ p.hostname { padding:20px; border-top:1px solid #858d99; background: #353a40; - + &:first-child { @include border-top-left-radius(5px); } - + &:last-child { @include border-top-right-radius(5px); } } - + tbody tr td { font-weight:400; color:#5f6062; @@ -88,11 +88,11 @@ p.hostname { padding:20px 20px 20px 20px; border-bottom:1px solid #e0e0e0; } - + tbody tr:nth-child(2n) { background:#f0f3f5; } - + tbody tr:last-child td { border-bottom:none; &:first-child { @@ -102,7 +102,7 @@ p.hostname { @include border-bottom-right-radius(5px); } } - + td { vertical-align: top; } @@ -110,16 +110,16 @@ p.hostname { span.highlight { background-color: yellow; } - + .expandclass { color: #5f6062; } - + .content{ display:none; margin: 10px; } - + header { width: 100%; position: initial; @@ -130,7 +130,7 @@ p.hostname { height: 88px; background-color: #171717; } - + .header-container { margin: 0 auto; width: 100%; @@ -141,14 +141,14 @@ p.hostname { display: flex; align-items: center; } - + .header-logo { width: 137px; border: 0; margin: 0; margin-left: 15px; } - + .header-link { margin-left: 40px; text-decoration: none; @@ -158,12 +158,12 @@ p.hostname { font-family: 'Red Hat Text'; font-weight: 500; } - + .header-link:hover { text-shadow: 0 0 0.02px white; text-decoration: none; } - + table.net_info td { padding: 5px; } @@ -199,4 +199,4 @@ table.net_info { p.internal_label { color: #000000; -} \ No newline at end of file +} diff --git a/collections/ansible_collections/demo/patching/roles/build_report_windows/templates/header.j2 b/collections/ansible_collections/demo/patching/roles/build_report_windows/templates/header.j2 index 6d504d04f..7a7a7dd7d 100644 --- a/collections/ansible_collections/demo/patching/roles/build_report_windows/templates/header.j2 
+++ b/collections/ansible_collections/demo/patching/roles/build_report_windows/templates/header.j2 @@ -1,5 +1,5 @@ - +
@@ -12,4 +12,4 @@ />
-
\ No newline at end of file + diff --git a/collections/ansible_collections/demo/patching/roles/build_report_windows/templates/packages.j2 b/collections/ansible_collections/demo/patching/roles/build_report_windows/templates/packages.j2 index f290897b3..8d64895fd 100644 --- a/collections/ansible_collections/demo/patching/roles/build_report_windows/templates/packages.j2 +++ b/collections/ansible_collections/demo/patching/roles/build_report_windows/templates/packages.j2 @@ -26,4 +26,4 @@
- \ No newline at end of file + diff --git a/collections/ansible_collections/demo/patching/roles/build_report_windows/templates/report.j2 b/collections/ansible_collections/demo/patching/roles/build_report_windows/templates/report.j2 index 96b5f3d29..e343a2459 100644 --- a/collections/ansible_collections/demo/patching/roles/build_report_windows/templates/report.j2 +++ b/collections/ansible_collections/demo/patching/roles/build_report_windows/templates/report.j2 @@ -79,7 +79,7 @@ collapsible: true
-

+

{{ hostvars[windows_host]['inventory_hostname'].split('.')[0] }}

{% if detailedreport == 'True' %} diff --git a/collections/ansible_collections/demo/patching/roles/build_report_windows/templates/services.j2 b/collections/ansible_collections/demo/patching/roles/build_report_windows/templates/services.j2 index b443161c4..9b77a0df2 100644 --- a/collections/ansible_collections/demo/patching/roles/build_report_windows/templates/services.j2 +++ b/collections/ansible_collections/demo/patching/roles/build_report_windows/templates/services.j2 @@ -26,4 +26,4 @@ - \ No newline at end of file + diff --git a/collections/ansible_collections/demo/patching/roles/build_report_windows/vars/main.yml b/collections/ansible_collections/demo/patching/roles/build_report_windows/vars/main.yml index 491f36ab1..d4bb63a35 100644 --- a/collections/ansible_collections/demo/patching/roles/build_report_windows/vars/main.yml +++ b/collections/ansible_collections/demo/patching/roles/build_report_windows/vars/main.yml @@ -1,2 +1,2 @@ --- -file_path: /var/www/html +file_path: /var/www/html # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/patching/roles/build_report_windows_patch/README.md b/collections/ansible_collections/demo/patching/roles/build_report_windows_patch/README.md index dec815525..b0e1104b8 100644 --- a/collections/ansible_collections/demo/patching/roles/build_report_windows_patch/README.md +++ b/collections/ansible_collections/demo/patching/roles/build_report_windows_patch/README.md @@ -32,5 +32,5 @@ The role can be used to create an html patching report on any number of Linux ho - name: Run Windows Patch Report import_role: name: shadowman.reports.build_report_windows_patch - -``` \ No newline at end of file + +``` 
diff --git a/collections/ansible_collections/demo/patching/roles/build_report_windows_patch/defaults/main.yml b/collections/ansible_collections/demo/patching/roles/build_report_windows_patch/defaults/main.yml index 8aa09a6b9..19e0bedb7 100644 --- a/collections/ansible_collections/demo/patching/roles/build_report_windows_patch/defaults/main.yml +++ b/collections/ansible_collections/demo/patching/roles/build_report_windows_patch/defaults/main.yml @@ -1,4 +1,4 @@ --- -email_from: tower@shadowman.dev -to_emails: alex@shadowman.dev,tower@shadowman.dev -to_emails_list: "{{ to_emails.split(',') }}" +email_from: tower@shadowman.dev # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +to_emails: alex@shadowman.dev,tower@shadowman.dev # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +to_emails_list: "{{ to_emails.split(',') }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/patching/roles/build_report_windows_patch/files/css/main.css b/collections/ansible_collections/demo/patching/roles/build_report_windows_patch/files/css/main.css index dfeb43507..edbd14069 100644 --- a/collections/ansible_collections/demo/patching/roles/build_report_windows_patch/files/css/main.css +++ b/collections/ansible_collections/demo/patching/roles/build_report_windows_patch/files/css/main.css @@ -3,32 +3,32 @@ p.hostname { font-weight: bolder; font-size: large; } - + #subtable { background: #ebebeb; margin: 0px; } - + #subtable tbody tr td { padding: 5px 5px 5px 5px; } - + #subtable thead th { padding: 5px; } - + * { -moz-box-sizing: border-box; -webkit-box-sizing: border-box; box-sizing: border-box; font-family: "Open Sans", "Helvetica"; - + } - + a { color: #ffffff; } - + p { color: #ffffff; } 
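Review bot: The defaults still ship fixed recipient and sender addresses (`email_from: tower@shadowman.dev`, `to_emails: alex@shadowman.dev,tower@shadowman.dev`), so anyone who imports this role without overriding `to_emails` mails their patch report — a list of hosts and their update state — to mailboxes they do not control. Presumably these are demo placeholders; safer is `to_emails: ""` plus an early `ansible.builtin.assert` that `to_emails | length > 0`, and at minimum a comment marking them as placeholders that must be overridden. `to_emails_list` would then need the empty-string case handled, e.g. `"{{ to_emails.split(',') | select | list }}"`.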
@@ -36,11 +36,11 @@ p.hostname { text-align: center; color: #ffffff; } - + body { background:#353a40; } - + table { border-collapse: separate; background:#fff; @@ -48,11 +48,11 @@ p.hostname { margin:50px auto; @include box-shadow(0px 0px 5px rgba(0,0,0,0.3)); } - + thead { @include border-radius(5px); } - + thead th { font-family: 'Patua One', monospace; font-size:16px; @@ -63,16 +63,16 @@ p.hostname { padding:20px; border-top:1px solid #858d99; background: #353a40; - + &:first-child { @include border-top-left-radius(5px); } - + &:last-child { @include border-top-right-radius(5px); } } - + tbody tr td { font-family: 'Open Sans', sans-serif; font-weight:400; @@ -80,13 +80,13 @@ p.hostname { font-size:13px; padding:20px 20px 20px 20px; border-bottom:1px solid #e0e0e0; - + } - + tbody tr:nth-child(2n) { background:#f0f3f5; } - + tbody tr:last-child td { border-bottom:none; &:first-child { @@ -96,16 +96,16 @@ p.hostname { @include border-bottom-right-radius(5px); } } - + span.highlight { background-color: yellow; } - + .expandclass { color: #5f6062; } - + .content{ display:none; margin: 10px; - } \ No newline at end of file + } diff --git a/collections/ansible_collections/demo/patching/roles/build_report_windows_patch/templates/report.j2 b/collections/ansible_collections/demo/patching/roles/build_report_windows_patch/templates/report.j2 index 058b0dbae..fff7f7b50 100644 --- a/collections/ansible_collections/demo/patching/roles/build_report_windows_patch/templates/report.j2 +++ b/collections/ansible_collections/demo/patching/roles/build_report_windows_patch/templates/report.j2 @@ -112,4 +112,4 @@ function downloadCSVFile(csv_data) { } - \ No newline at end of file + diff --git a/collections/ansible_collections/demo/patching/roles/build_report_windows_patch/vars/main.yml b/collections/ansible_collections/demo/patching/roles/build_report_windows_patch/vars/main.yml index 491f36ab1..d4bb63a35 100644 
--- a/collections/ansible_collections/demo/patching/roles/build_report_windows_patch/vars/main.yml +++ b/collections/ansible_collections/demo/patching/roles/build_report_windows_patch/vars/main.yml @@ -1,2 +1,2 @@ --- -file_path: /var/www/html +file_path: /var/www/html # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/patching/roles/patch_linux/defaults/main.yml b/collections/ansible_collections/demo/patching/roles/patch_linux/defaults/main.yml index aa8558fcb..8dcd72357 100644 --- a/collections/ansible_collections/demo/patching/roles/patch_linux/defaults/main.yml +++ b/collections/ansible_collections/demo/patching/roles/patch_linux/defaults/main.yml @@ -1,7 +1,7 @@ --- -exclude_packages: +exclude_packages: # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way - authselect - authselect-compat - authselect-libs - fprintd-pam -allow_reboot: true +allow_reboot: true # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/patching/roles/patch_windows/defaults/main.yml b/collections/ansible_collections/demo/patching/roles/patch_windows/defaults/main.yml index d2af09e2d..064352476 100644 --- a/collections/ansible_collections/demo/patching/roles/patch_windows/defaults/main.yml +++ b/collections/ansible_collections/demo/patching/roles/patch_windows/defaults/main.yml @@ -1,5 +1,5 @@ --- -win_update_categories: +win_update_categories: # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way - Application - Connectors - CriticalUpdates 
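Review bot: `allow_reboot: true` remains the default for patch_linux (patch_windows carries the same default), so a play that includes the role without setting the variable reboots every targeted host after patching. A reboot is the most disruptive action a patching role can take and is better made an explicit opt-in: default to `allow_reboot: false` and have the demo playbooks set it to true, or at least document the default and its consequence in the role README. The `exclude_packages` list for the authselect packages is unaffected by this.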
@@ -11,4 +11,4 @@ win_update_categories: - Tools - UpdateRollups - Updates -allow_reboot: true +allow_reboot: true # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/patching/roles/report_linux/README.md b/collections/ansible_collections/demo/patching/roles/report_linux/README.md index 88fa95c66..85c27df7b 100644 --- a/collections/ansible_collections/demo/patching/roles/report_linux/README.md +++ b/collections/ansible_collections/demo/patching/roles/report_linux/README.md @@ -32,5 +32,5 @@ The role can be used to create an html report on any number of Linux hosts using - name: Run Linux Report import_role: name: shadowman.reports.build_report_linux - -``` \ No newline at end of file + +``` diff --git a/collections/ansible_collections/demo/patching/roles/report_linux/defaults/main.yml b/collections/ansible_collections/demo/patching/roles/report_linux/defaults/main.yml index 667052d47..6cb18f4da 100644 --- a/collections/ansible_collections/demo/patching/roles/report_linux/defaults/main.yml +++ b/collections/ansible_collections/demo/patching/roles/report_linux/defaults/main.yml @@ -1,2 +1,2 @@ --- -detailedreport: true +detailedreport: true # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/patching/roles/report_linux/files/css/new.css b/collections/ansible_collections/demo/patching/roles/report_linux/files/css/new.css index f58d18f1b..afa6382d7 100644 --- a/collections/ansible_collections/demo/patching/roles/report_linux/files/css/new.css +++ b/collections/ansible_collections/demo/patching/roles/report_linux/files/css/new.css 
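Review bot: In report_linux/defaults/main.yml the default `detailedreport: true` is a boolean while report_linux/templates/report.j2 in this same commit compares `{% if detailedreport == 'True' %}` against a string, so with the default in place the detailed package and service sections are skipped. Use `{% if detailedreport | bool %}` in the template (which also accepts 'True' from a survey), or change the default and the comparison so they agree. The noqa comment added here does not affect the value.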
@@ -5,33 +5,33 @@ p.hostname { margin: auto; width: 50%; } - + #subtable { background: #ebebeb; margin: 0px; width: 100%; } - + #subtable tbody tr td { padding: 5px 5px 5px 5px; } - + #subtable thead th { padding: 5px; } - + * { -moz-box-sizing: border-box; -webkit-box-sizing: border-box; box-sizing: border-box; font-family: "Open Sans", "Helvetica"; - + } - + a { color: #ffffff; } - + p { color: #ffffff; } @@ -39,14 +39,14 @@ p.hostname { text-align: center; color: #ffffff; } - + body { background:#353a40; padding: 0px; margin: 0px; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; } - + table { border-collapse: separate; background:#fff; @@ -57,11 +57,11 @@ p.hostname { .main_net_table { margin:50px auto; } - + thead { @include border-radius(5px); } - + thead th { font-size:16px; font-weight:400; @@ -71,16 +71,16 @@ p.hostname { padding:20px; border-top:1px solid #858d99; background: #353a40; - + &:first-child { @include border-top-left-radius(5px); } - + &:last-child { @include border-top-right-radius(5px); } } - + tbody tr td { font-weight:400; color:#5f6062; @@ -88,11 +88,11 @@ p.hostname { padding:20px 20px 20px 20px; border-bottom:1px solid #e0e0e0; } - + tbody tr:nth-child(2n) { background:#f0f3f5; } - + tbody tr:last-child td { border-bottom:none; &:first-child { @@ -102,7 +102,7 @@ p.hostname { @include border-bottom-right-radius(5px); } } - + td { vertical-align: top; } @@ -110,16 +110,16 @@ p.hostname { span.highlight { background-color: yellow; } - + .expandclass { color: #5f6062; } - + .content{ display:none; margin: 10px; } - + header { width: 100%; position: initial; @@ -130,7 +130,7 @@ p.hostname { height: 88px; background-color: #171717; } - + .header-container { margin: 0 auto; width: 100%; @@ -141,14 +141,14 @@ p.hostname { display: flex; align-items: center; } - + .header-logo { width: 137px; border: 0; margin: 0; margin-left: 15px; } - + .header-link { margin-left: 40px; text-decoration: none; 
@@ -158,12 +158,12 @@ p.hostname { font-family: 'Red Hat Text'; font-weight: 500; } - + .header-link:hover { text-shadow: 0 0 0.02px white; text-decoration: none; } - + table.net_info td { padding: 5px; } @@ -199,4 +199,4 @@ table.net_info { p.internal_label { color: #000000; -} \ No newline at end of file +} diff --git a/collections/ansible_collections/demo/patching/roles/report_linux/templates/header.j2 b/collections/ansible_collections/demo/patching/roles/report_linux/templates/header.j2 index 6d504d04f..7a7a7dd7d 100644 --- a/collections/ansible_collections/demo/patching/roles/report_linux/templates/header.j2 +++ b/collections/ansible_collections/demo/patching/roles/report_linux/templates/header.j2 @@ -1,5 +1,5 @@ - +
@@ -12,4 +12,4 @@ />
-
\ No newline at end of file + diff --git a/collections/ansible_collections/demo/patching/roles/report_linux/templates/packages.j2 b/collections/ansible_collections/demo/patching/roles/report_linux/templates/packages.j2 index 86a842df5..63b73e055 100644 --- a/collections/ansible_collections/demo/patching/roles/report_linux/templates/packages.j2 +++ b/collections/ansible_collections/demo/patching/roles/report_linux/templates/packages.j2 @@ -28,4 +28,4 @@
- \ No newline at end of file + diff --git a/collections/ansible_collections/demo/patching/roles/report_linux/templates/report.j2 b/collections/ansible_collections/demo/patching/roles/report_linux/templates/report.j2 index 779740b15..d031121ec 100644 --- a/collections/ansible_collections/demo/patching/roles/report_linux/templates/report.j2 +++ b/collections/ansible_collections/demo/patching/roles/report_linux/templates/report.j2 @@ -81,7 +81,7 @@ collapsible: true
-

+

{{ hostvars[linux_host]['inventory_hostname'].split('.')[0] }}

{% if detailedreport == 'True' %} diff --git a/collections/ansible_collections/demo/patching/roles/report_linux/templates/services.j2 b/collections/ansible_collections/demo/patching/roles/report_linux/templates/services.j2 index b765b5e07..0a8daa66f 100644 --- a/collections/ansible_collections/demo/patching/roles/report_linux/templates/services.j2 +++ b/collections/ansible_collections/demo/patching/roles/report_linux/templates/services.j2 @@ -27,4 +27,4 @@ - \ No newline at end of file + diff --git a/collections/ansible_collections/demo/patching/roles/report_linux/vars/main.yml b/collections/ansible_collections/demo/patching/roles/report_linux/vars/main.yml index 6fe0b79a1..dbfdd22b8 100644 --- a/collections/ansible_collections/demo/patching/roles/report_linux/vars/main.yml +++ b/collections/ansible_collections/demo/patching/roles/report_linux/vars/main.yml @@ -1,2 +1,2 @@ --- -file_path: /var/www/html/reports +file_path: /var/www/html/reports # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/patching/roles/report_linux_patching/README.md b/collections/ansible_collections/demo/patching/roles/report_linux_patching/README.md index b7e2fe249..1aabd4f18 100644 --- a/collections/ansible_collections/demo/patching/roles/report_linux_patching/README.md +++ b/collections/ansible_collections/demo/patching/roles/report_linux_patching/README.md @@ -32,5 +32,5 @@ The role can be used to create an html report on any number of Linux hosts using - name: Run Windows Report import_role: name: shadowman.reports.build_report_linux_patch - -``` \ No newline at end of file + +``` diff --git a/collections/ansible_collections/demo/patching/roles/report_linux_patching/defaults/main.yml b/collections/ansible_collections/demo/patching/roles/report_linux_patching/defaults/main.yml index 8aa09a6b9..19e0bedb7 100644 
--- a/collections/ansible_collections/demo/patching/roles/report_linux_patching/defaults/main.yml +++ b/collections/ansible_collections/demo/patching/roles/report_linux_patching/defaults/main.yml @@ -1,4 +1,4 @@ --- -email_from: tower@shadowman.dev -to_emails: alex@shadowman.dev,tower@shadowman.dev -to_emails_list: "{{ to_emails.split(',') }}" +email_from: tower@shadowman.dev # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +to_emails: alex@shadowman.dev,tower@shadowman.dev # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +to_emails_list: "{{ to_emails.split(',') }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/patching/roles/report_linux_patching/files/css/main.css b/collections/ansible_collections/demo/patching/roles/report_linux_patching/files/css/main.css index dfeb43507..edbd14069 100644 --- a/collections/ansible_collections/demo/patching/roles/report_linux_patching/files/css/main.css +++ b/collections/ansible_collections/demo/patching/roles/report_linux_patching/files/css/main.css @@ -3,32 +3,32 @@ p.hostname { font-weight: bolder; font-size: large; } - + #subtable { background: #ebebeb; margin: 0px; } - + #subtable tbody tr td { padding: 5px 5px 5px 5px; } - + #subtable thead th { padding: 5px; } - + * { -moz-box-sizing: border-box; -webkit-box-sizing: border-box; box-sizing: border-box; font-family: "Open Sans", "Helvetica"; - + } - + a { color: #ffffff; } - + p { color: #ffffff; } @@ -36,11 +36,11 @@ p.hostname { text-align: center; color: #ffffff; } - + body { background:#353a40; } - + table { border-collapse: separate; background:#fff; 
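Review bot: As in the Windows patch report role, `to_emails` and `email_from` default to fixed shadowman.dev addresses, so the Linux patch report (hostnames and pending updates) is mailed off-site by anyone who forgets to override them. Replace them with an empty default and a failing `ansible.builtin.assert` in the role's tasks, or mark them clearly as placeholders in this file, e.g. `to_emails: ""  # REQUIRED: comma-separated recipients, override per deployment`.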
@@ -48,11 +48,11 @@ p.hostname { margin:50px auto; @include box-shadow(0px 0px 5px rgba(0,0,0,0.3)); } - + thead { @include border-radius(5px); } - + thead th { font-family: 'Patua One', monospace; font-size:16px; @@ -63,16 +63,16 @@ p.hostname { padding:20px; border-top:1px solid #858d99; background: #353a40; - + &:first-child { @include border-top-left-radius(5px); } - + &:last-child { @include border-top-right-radius(5px); } } - + tbody tr td { font-family: 'Open Sans', sans-serif; font-weight:400; @@ -80,13 +80,13 @@ p.hostname { font-size:13px; padding:20px 20px 20px 20px; border-bottom:1px solid #e0e0e0; - + } - + tbody tr:nth-child(2n) { background:#f0f3f5; } - + tbody tr:last-child td { border-bottom:none; &:first-child { @@ -96,16 +96,16 @@ p.hostname { @include border-bottom-right-radius(5px); } } - + span.highlight { background-color: yellow; } - + .expandclass { color: #5f6062; } - + .content{ display:none; margin: 10px; - } \ No newline at end of file + } diff --git a/collections/ansible_collections/demo/patching/roles/report_linux_patching/templates/report.j2 b/collections/ansible_collections/demo/patching/roles/report_linux_patching/templates/report.j2 index 01df73bd7..1d7a8404c 100644 --- a/collections/ansible_collections/demo/patching/roles/report_linux_patching/templates/report.j2 +++ b/collections/ansible_collections/demo/patching/roles/report_linux_patching/templates/report.j2 @@ -117,4 +117,4 @@ function downloadCSVFile(csv_data) { } - \ No newline at end of file + diff --git a/collections/ansible_collections/demo/patching/roles/report_linux_patching/vars/main.yml b/collections/ansible_collections/demo/patching/roles/report_linux_patching/vars/main.yml index 6fe0b79a1..dbfdd22b8 100644 --- a/collections/ansible_collections/demo/patching/roles/report_linux_patching/vars/main.yml +++ b/collections/ansible_collections/demo/patching/roles/report_linux_patching/vars/main.yml 
@@ -1,2 +1,2 @@ --- -file_path: /var/www/html/reports +file_path: /var/www/html/reports # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/patching/roles/report_server/files/css/new.css b/collections/ansible_collections/demo/patching/roles/report_server/files/css/new.css index 3266a46b3..2340b05aa 100644 --- a/collections/ansible_collections/demo/patching/roles/report_server/files/css/new.css +++ b/collections/ansible_collections/demo/patching/roles/report_server/files/css/new.css @@ -5,33 +5,33 @@ p.hostname { margin: auto; width: 50%; } - + #subtable { background: #ebebeb; margin: 0px; width: 100%; } - + #subtable tbody tr td { padding: 5px 5px 5px 5px; } - + #subtable thead th { padding: 5px; } - + * { -moz-box-sizing: border-box; -webkit-box-sizing: border-box; box-sizing: border-box; font-family: "Open Sans", "Helvetica"; - + } - + a { color: #000000; } - + p { color: #ffffff; } @@ -39,14 +39,14 @@ p.hostname { text-align: center; color: #ffffff; } - + body { background:#353a40; padding: 0px; margin: 0px; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; } - + table { border-collapse: separate; background:#fff; @@ -57,11 +57,11 @@ p.hostname { .main_net_table { margin:50px auto; } - + thead { @include border-radius(5px); } - + thead th { font-size:16px; font-weight:400; @@ -71,16 +71,16 @@ p.hostname { padding:20px; border-top:1px solid #858d99; background: #353a40; - + &:first-child { @include border-top-left-radius(5px); } - + &:last-child { @include border-top-right-radius(5px); } } - + tbody tr td { font-weight:400; color:#5f6062; @@ -88,11 +88,11 @@ p.hostname { padding:20px 20px 20px 20px; border-bottom:1px solid #e0e0e0; } - + tbody tr:nth-child(2n) { background:#f0f3f5; } - + tbody tr:last-child td { border-bottom:none; &:first-child { 
@@ -102,7 +102,7 @@ p.hostname { @include border-bottom-right-radius(5px); } } - + td { vertical-align: top; } @@ -110,16 +110,16 @@ p.hostname { span.highlight { background-color: yellow; } - + .expandclass { color: #5f6062; } - + .content{ display:none; margin: 10px; } - + header { width: 100%; position: initial; @@ -130,7 +130,7 @@ p.hostname { height: 88px; background-color: #171717; } - + .header-container { margin: 0 auto; width: 100%; @@ -141,14 +141,14 @@ p.hostname { display: flex; align-items: center; } - + .header-logo { width: 137px; border: 0; margin: 0; margin-left: 15px; } - + .header-link { margin-left: 40px; text-decoration: none; @@ -158,12 +158,12 @@ p.hostname { font-family: 'Red Hat Text'; font-weight: 500; } - + .header-link:hover { text-shadow: 0 0 0.02px white; text-decoration: none; } - + table.net_info td { padding: 5px; } diff --git a/collections/ansible_collections/demo/patching/roles/report_server/templates/header.j2 b/collections/ansible_collections/demo/patching/roles/report_server/templates/header.j2 index 6d504d04f..7a7a7dd7d 100644 --- a/collections/ansible_collections/demo/patching/roles/report_server/templates/header.j2 +++ b/collections/ansible_collections/demo/patching/roles/report_server/templates/header.j2 @@ -1,5 +1,5 @@ - +
@@ -12,4 +12,4 @@ />
-
\ No newline at end of file + diff --git a/collections/ansible_collections/demo/patching/roles/report_server/templates/linux_report.j2 b/collections/ansible_collections/demo/patching/roles/report_server/templates/linux_report.j2 index 201d93020..9d60470e3 100644 --- a/collections/ansible_collections/demo/patching/roles/report_server/templates/linux_report.j2 +++ b/collections/ansible_collections/demo/patching/roles/report_server/templates/linux_report.j2 @@ -26,10 +26,10 @@

-
+
- {{ page }} + {{ page }} {% endfor %} diff --git a/collections/ansible_collections/demo/patching/roles/report_server/templates/windows_report.j2 b/collections/ansible_collections/demo/patching/roles/report_server/templates/windows_report.j2 index 56904378d..5feb50914 100644 --- a/collections/ansible_collections/demo/patching/roles/report_server/templates/windows_report.j2 +++ b/collections/ansible_collections/demo/patching/roles/report_server/templates/windows_report.j2 @@ -26,10 +26,10 @@

-
+ -
{{ page }} + {{ page }} {% endfor %} diff --git a/collections/ansible_collections/demo/patching/roles/report_server/vars/Linux.yml b/collections/ansible_collections/demo/patching/roles/report_server/vars/Linux.yml index b4d35737d..fa9d6813f 100644 --- a/collections/ansible_collections/demo/patching/roles/report_server/vars/Linux.yml +++ b/collections/ansible_collections/demo/patching/roles/report_server/vars/Linux.yml @@ -1,3 +1,3 @@ --- -doc_root: /var/www/html -reports_dir: reports +doc_root: /var/www/html # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +reports_dir: reports # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/patching/roles/report_server/vars/Win32NT.yml b/collections/ansible_collections/demo/patching/roles/report_server/vars/Win32NT.yml index ac4e6757d..59bb2e2fe 100644 --- a/collections/ansible_collections/demo/patching/roles/report_server/vars/Win32NT.yml +++ b/collections/ansible_collections/demo/patching/roles/report_server/vars/Win32NT.yml @@ -1,3 +1,3 @@ --- -doc_root: C:\Inetpub\wwwroot -reports_dir: reports +doc_root: C:\Inetpub\wwwroot # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +reports_dir: reports # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/patching/roles/report_windows/README.md b/collections/ansible_collections/demo/patching/roles/report_windows/README.md index 93d6df474..4e6f320e1 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows/README.md +++ b/collections/ansible_collections/demo/patching/roles/report_windows/README.md 
@@ -32,5 +32,5 @@ The role can be used to create an html report on any number of Linux hosts using - name: Run Windows Report import_role: name: shadowman.reports.build_report_windows - -``` \ No newline at end of file + +``` diff --git a/collections/ansible_collections/demo/patching/roles/report_windows/defaults/main.yml b/collections/ansible_collections/demo/patching/roles/report_windows/defaults/main.yml index 667052d47..8b5e8186a 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows/defaults/main.yml +++ b/collections/ansible_collections/demo/patching/roles/report_windows/defaults/main.yml @@ -1,2 +1,2 @@ --- -detailedreport: true +detailedreport: true # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/patching/roles/report_windows/files/css/new.css b/collections/ansible_collections/demo/patching/roles/report_windows/files/css/new.css index f58d18f1b..afa6382d7 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows/files/css/new.css +++ b/collections/ansible_collections/demo/patching/roles/report_windows/files/css/new.css @@ -5,33 +5,33 @@ p.hostname { margin: auto; width: 50%; } - + #subtable { background: #ebebeb; margin: 0px; width: 100%; } - + #subtable tbody tr td { padding: 5px 5px 5px 5px; } - + #subtable thead th { padding: 5px; } - + * { -moz-box-sizing: border-box; -webkit-box-sizing: border-box; box-sizing: border-box; font-family: "Open Sans", "Helvetica"; - + } - + a { color: #ffffff; } - + p { color: #ffffff; } @@ -39,14 +39,14 @@ p.hostname { text-align: center; color: #ffffff; } - + body { background:#353a40; padding: 0px; margin: 0px; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; } - + table { border-collapse: separate; background:#fff; 
@@ -57,11 +57,11 @@ p.hostname { .main_net_table { margin:50px auto; } - + thead { @include border-radius(5px); } - + thead th { font-size:16px; font-weight:400; @@ -71,16 +71,16 @@ p.hostname { padding:20px; border-top:1px solid #858d99; background: #353a40; - + &:first-child { @include border-top-left-radius(5px); } - + &:last-child { @include border-top-right-radius(5px); } } - + tbody tr td { font-weight:400; color:#5f6062; @@ -88,11 +88,11 @@ p.hostname { padding:20px 20px 20px 20px; border-bottom:1px solid #e0e0e0; } - + tbody tr:nth-child(2n) { background:#f0f3f5; } - + tbody tr:last-child td { border-bottom:none; &:first-child { @@ -102,7 +102,7 @@ p.hostname { @include border-bottom-right-radius(5px); } } - + td { vertical-align: top; } @@ -110,16 +110,16 @@ p.hostname { span.highlight { background-color: yellow; } - + .expandclass { color: #5f6062; } - + .content{ display:none; margin: 10px; } - + header { width: 100%; position: initial; @@ -130,7 +130,7 @@ p.hostname { height: 88px; background-color: #171717; } - + .header-container { margin: 0 auto; width: 100%; @@ -141,14 +141,14 @@ p.hostname { display: flex; align-items: center; } - + .header-logo { width: 137px; border: 0; margin: 0; margin-left: 15px; } - + .header-link { margin-left: 40px; text-decoration: none; @@ -158,12 +158,12 @@ p.hostname { font-family: 'Red Hat Text'; font-weight: 500; } - + .header-link:hover { text-shadow: 0 0 0.02px white; text-decoration: none; } - + table.net_info td { padding: 5px; } @@ -199,4 +199,4 @@ table.net_info { p.internal_label { color: #000000; -} \ No newline at end of file +} diff --git a/collections/ansible_collections/demo/patching/roles/report_windows/templates/header.j2 b/collections/ansible_collections/demo/patching/roles/report_windows/templates/header.j2 index 6d504d04f..7a7a7dd7d 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows/templates/header.j2 
+++ b/collections/ansible_collections/demo/patching/roles/report_windows/templates/header.j2 @@ -1,5 +1,5 @@ - +
-
\ No newline at end of file + diff --git a/collections/ansible_collections/demo/patching/roles/report_windows/templates/packages.j2 b/collections/ansible_collections/demo/patching/roles/report_windows/templates/packages.j2 index f290897b3..8d64895fd 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows/templates/packages.j2 +++ b/collections/ansible_collections/demo/patching/roles/report_windows/templates/packages.j2 @@ -26,4 +26,4 @@
- \ No newline at end of file + diff --git a/collections/ansible_collections/demo/patching/roles/report_windows/templates/report.j2 b/collections/ansible_collections/demo/patching/roles/report_windows/templates/report.j2 index 7b9ada550..f3d69625d 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows/templates/report.j2 +++ b/collections/ansible_collections/demo/patching/roles/report_windows/templates/report.j2 @@ -79,7 +79,7 @@ collapsible: true
-

+

{{ hostvars[windows_host]['inventory_hostname'].split('.')[0] }}

{% if detailedreport == 'True' %} diff --git a/collections/ansible_collections/demo/patching/roles/report_windows/templates/services.j2 b/collections/ansible_collections/demo/patching/roles/report_windows/templates/services.j2 index b443161c4..9b77a0df2 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows/templates/services.j2 +++ b/collections/ansible_collections/demo/patching/roles/report_windows/templates/services.j2 @@ -26,4 +26,4 @@ - \ No newline at end of file + diff --git a/collections/ansible_collections/demo/patching/roles/report_windows/vars/main.yml b/collections/ansible_collections/demo/patching/roles/report_windows/vars/main.yml index 4c3fa1455..fbc23701a 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows/vars/main.yml +++ b/collections/ansible_collections/demo/patching/roles/report_windows/vars/main.yml @@ -1,2 +1,2 @@ --- -file_path: C:\Inetpub\wwwroot\reports +file_path: C:\Inetpub\wwwroot\reports # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/patching/roles/report_windows_patching/README.md b/collections/ansible_collections/demo/patching/roles/report_windows_patching/README.md index dec815525..b0e1104b8 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows_patching/README.md +++ b/collections/ansible_collections/demo/patching/roles/report_windows_patching/README.md @@ -32,5 +32,5 @@ The role can be used to create an html patching report on any number of Linux ho - name: Run Windows Patch Report import_role: name: shadowman.reports.build_report_windows_patch - -``` \ No newline at end of file + +``` diff --git a/collections/ansible_collections/demo/patching/roles/report_windows_patching/defaults/main.yml b/collections/ansible_collections/demo/patching/roles/report_windows_patching/defaults/main.yml index 8aa09a6b9..19e0bedb7 100644 
--- a/collections/ansible_collections/demo/patching/roles/report_windows_patching/defaults/main.yml
+++ b/collections/ansible_collections/demo/patching/roles/report_windows_patching/defaults/main.yml
@@ -1,4 +1,4 @@
 ---
-email_from: tower@shadowman.dev
-to_emails: alex@shadowman.dev,tower@shadowman.dev
-to_emails_list: "{{ to_emails.split(',') }}"
+email_from: tower@shadowman.dev # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
+to_emails: alex@shadowman.dev,tower@shadowman.dev # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
+to_emails_list: "{{ to_emails.split(',') }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
diff --git a/collections/ansible_collections/demo/patching/roles/report_windows_patching/files/css/main.css b/collections/ansible_collections/demo/patching/roles/report_windows_patching/files/css/main.css
index dfeb43507..edbd14069 100644
--- a/collections/ansible_collections/demo/patching/roles/report_windows_patching/files/css/main.css
+++ b/collections/ansible_collections/demo/patching/roles/report_windows_patching/files/css/main.css
@@ -3,32 +3,32 @@ p.hostname { font-weight: bolder; font-size: large; } - + #subtable { background: #ebebeb; margin: 0px; } - + #subtable tbody tr td { padding: 5px 5px 5px 5px; } - + #subtable thead th { padding: 5px; } - + * { -moz-box-sizing: border-box; -webkit-box-sizing: border-box; box-sizing: border-box; font-family: "Open Sans", "Helvetica"; - + } - + a { color: #ffffff; } - + p { color: #ffffff; } @@ -36,11 +36,11 @@ p.hostname { text-align: center; color: #ffffff; } - + body { background:#353a40; } - + table { border-collapse: separate; background:#fff; 
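Review bot: `to_emails_list: "{{ to_emails.split(',') }}"` keeps whatever whitespace surrounds each comma, so an override such as `alex@shadowman.dev, tower@shadowman.dev` produces a second entry with a leading space that the mail step may reject or mis-address. `to_emails_list: "{{ to_emails.split(',') | map('trim') | list }}"` makes the split robust at no cost. Separately, the identical `# noqa … TODO` sentence is now repeated on every variable; one top-of-file comment carrying the TODO, with a bare `# noqa: var-naming[no-role-prefix]` on each line, would keep the intent without the duplication.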
@@ -48,11 +48,11 @@ p.hostname { margin:50px auto; @include box-shadow(0px 0px 5px rgba(0,0,0,0.3)); } - + thead { @include border-radius(5px); } - + thead th { font-family: 'Patua One', monospace; font-size:16px; @@ -63,16 +63,16 @@ p.hostname { padding:20px; border-top:1px solid #858d99; background: #353a40; - + &:first-child { @include border-top-left-radius(5px); } - + &:last-child { @include border-top-right-radius(5px); } } - + tbody tr td { font-family: 'Open Sans', sans-serif; font-weight:400; @@ -80,13 +80,13 @@ p.hostname { font-size:13px; padding:20px 20px 20px 20px; border-bottom:1px solid #e0e0e0; - + } - + tbody tr:nth-child(2n) { background:#f0f3f5; } - + tbody tr:last-child td { border-bottom:none; &:first-child { @@ -96,16 +96,16 @@ p.hostname { @include border-bottom-right-radius(5px); } } - + span.highlight { background-color: yellow; } - + .expandclass { color: #5f6062; } - + .content{ display:none; margin: 10px; - } \ No newline at end of file + } diff --git a/collections/ansible_collections/demo/patching/roles/report_windows_patching/templates/report.j2 b/collections/ansible_collections/demo/patching/roles/report_windows_patching/templates/report.j2 index 3da03ec3f..825f37078 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows_patching/templates/report.j2 +++ b/collections/ansible_collections/demo/patching/roles/report_windows_patching/templates/report.j2 @@ -110,4 +110,4 @@ function downloadCSVFile(csv_data) { } - \ No newline at end of file + diff --git a/collections/ansible_collections/demo/patching/roles/report_windows_patching/vars/main.yml b/collections/ansible_collections/demo/patching/roles/report_windows_patching/vars/main.yml index 4c3fa1455..6ec950ade 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows_patching/vars/main.yml +++ b/collections/ansible_collections/demo/patching/roles/report_windows_patching/vars/main.yml 
@@ -1,2 +1,2 @@
 ---
-file_path: C:\Inetpub\wwwroot\reports
+file_path: C:\Inetpub\wwwroot\reports # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
diff --git a/collections/ansible_collections/demo/satellite/roles/register_host/defaults/main.yml b/collections/ansible_collections/demo/satellite/roles/register_host/defaults/main.yml
index d2bf1af80..b42aa2f43 100644
--- a/collections/ansible_collections/demo/satellite/roles/register_host/defaults/main.yml
+++ b/collections/ansible_collections/demo/satellite/roles/register_host/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-instance_name: "{{ inventory_hostname | regex_replace('_', '-') }}"
-activation_key: "{{ 'RHEL' + ansible_distribution_major_version + '_' + env }}"
-rex_user: root # "{{ ansible_user }}"
-force_register: true
+instance_name: "{{ inventory_hostname | regex_replace('_', '-') }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
+activation_key: "{{ 'RHEL' + ansible_distribution_major_version + '_' + env }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
+rex_user: root # "{{ ansible_user }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
+force_register: true # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
diff --git a/collections/ansible_collections/demo/satellite/roles/register_host/vars/RedHat7.yml b/collections/ansible_collections/demo/satellite/roles/register_host/vars/RedHat7.yml
index 07c3a0e9c..4f1e0d233 100644
--- a/collections/ansible_collections/demo/satellite/roles/register_host/vars/RedHat7.yml
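Review bot: `rex_user: root # "{{ ansible_user }}"` still points Satellite remote execution at the superuser on every registered host, and the new line only appends a lint suppression behind the existing comment. If the demo does not actually need root, a dedicated remote-execution account with scoped sudo is the usual least-privilege arrangement; the commented-out `"{{ ansible_user }}"` suggests that was the original intent, so either restore it or add a one-line comment on `rex_user` stating why root is required here. Because `# noqa` is now the second `#` comment on that line, it is worth confirming ansible-lint honours it in that position and not only as the first comment.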
+++ b/collections/ansible_collections/demo/satellite/roles/register_host/vars/RedHat7.yml
@@ -1,4 +1,4 @@
 ---
-rhsm_enabled_repos:
+rhsm_enabled_repos: # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
 - rhel-7-server-rpms
 # - rhel-7-server-satellite-maintenance-6.11-rpms
diff --git a/collections/ansible_collections/demo/satellite/roles/register_host/vars/RedHat8.yml b/collections/ansible_collections/demo/satellite/roles/register_host/vars/RedHat8.yml
index eb20ab341..9d48927fd 100644
--- a/collections/ansible_collections/demo/satellite/roles/register_host/vars/RedHat8.yml
+++ b/collections/ansible_collections/demo/satellite/roles/register_host/vars/RedHat8.yml
@@ -1,5 +1,5 @@
 ---
-rhsm_enabled_repos:
+rhsm_enabled_repos: # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
 - rhel-8-for-x86_64-baseos-rpms
 - rhel-8-for-x86_64-appstream-rpms
 - satellite-client-6-for-rhel-8-x86_64-rpms
diff --git a/collections/ansible_collections/demo/satellite/roles/scap_client/defaults/main.yaml b/collections/ansible_collections/demo/satellite/roles/scap_client/defaults/main.yaml
index 343df82d6..029a600dd 100644
--- a/collections/ansible_collections/demo/satellite/roles/scap_client/defaults/main.yaml
+++ b/collections/ansible_collections/demo/satellite/roles/scap_client/defaults/main.yaml
@@ -1,13 +1,13 @@
 ---
-foreman_server_url: "{{ lookup('env', 'SATELLITE_SERVER') }}"
-foreman_username: "{{ lookup('env', 'SATELLITE_USERNAME') }}"
-foreman_password: "{{ lookup('env', 'SATELLITE_PASSWORD') }}"
-foreman_validate_certs: "{{ lookup('env', 'FOREMAN_VALIDATE_CERTS') | default(true) }}"
-capsule_server: "{{ foreman_server_url }}"
-capsule_port: '9090'
-policy_name: 'all'
-policy_scan: "{{ policy_name }}"
-crontab_hour: 2
-crontab_minute: 0
-crontab_weekdays: 0
-foreman_operations_scap_client_secure_logging: true
+foreman_server_url: "{{ lookup('env', 'SATELLITE_SERVER') }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
+foreman_username: "{{ lookup('env', 'SATELLITE_USERNAME') }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
+foreman_password: "{{ lookup('env', 'SATELLITE_PASSWORD') }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
+foreman_validate_certs: "{{ lookup('env', 'FOREMAN_VALIDATE_CERTS') | default(true) }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
+capsule_server: "{{ foreman_server_url }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
+capsule_port: '9090' # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
+policy_name: 'all' # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
+policy_scan: "{{ policy_name }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
+crontab_hour: 2 # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
+crontab_minute: 0 # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
+crontab_weekdays: 0 # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
+foreman_operations_scap_client_secure_logging: true # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
diff --git a/collections/ansible_collections/demo/satellite/roles/scap_client/templates/openscap_client_config.yaml.j2 b/collections/ansible_collections/demo/satellite/roles/scap_client/templates/openscap_client_config.yaml.j2
index 264cc8bc9..a67330be8 100644
--- a/collections/ansible_collections/demo/satellite/roles/scap_client/templates/openscap_client_config.yaml.j2
+++ b/collections/ansible_collections/demo/satellite/roles/scap_client/templates/openscap_client_config.yaml.j2
@@ -17,7 +17,7 @@
 # Or (recommended for client reporting to Katello) consumer private key (e.g., '/etc/pki/consumer/key.pem')
 :host_private_key: '/etc/pki/consumer/key.pem'
 # policy (key is id as in Foreman)
-{% for item in policy %}
+{% for item in policy %}
 {{ item.id }}:
 {% if item.tailoring_file_id | int > 0 | d(False) %}
 {% for profile in tailoring_files[item.tailoring_file_id].tailoring_file_profiles %}
diff --git a/linux/compliance_profiles.md b/linux/compliance_profiles.md
index 7ef595c0f..4435eaa6c 100644
--- a/linux/compliance_profiles.md
+++ b/linux/compliance_profiles.md
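Review bot: `foreman_validate_certs: "{{ lookup('env', 'FOREMAN_VALIDATE_CERTS') | default(true) }}"` never falls back to `true` when the variable is unset, because `lookup('env', …)` returns an empty string rather than an undefined value and `default()` only replaces undefined values; whatever consumes it then receives `''`, which either fails a strict boolean argument check or, under `| bool`-style coercion, reads as false and silently disables TLS verification toward Satellite. Pass the second argument of `default` so empty values also take the fallback: `foreman_validate_certs: "{{ lookup('env', 'FOREMAN_VALIDATE_CERTS') | default(true, true) | bool }}"`. The same `lookup('env')` behaviour applies to `foreman_password` and `foreman_username`: an unset `SATELLITE_PASSWORD` becomes an empty credential instead of an error, so an early `ansible.builtin.assert` on `foreman_password | length > 0` in the role's tasks (outside this hunk) would fail fast rather than at the first API call.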
@@ -12,4 +12,3 @@ The following compliance profiles are supported by the [**Linux / Enforce Compli | DISA STIG | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-stig | These roles are derived from the [Compliance as Code](https://github.com/ComplianceAsCode/content) project, which provides SCAP content used by the [OpenSCAP](https://www.open-scap.org/) `oscap` tool. - diff --git a/openshift/README.md b/openshift/README.md index d5bfd7b6d..4ed8adcb2 100644 --- a/openshift/README.md +++ b/openshift/README.md @@ -14,7 +14,7 @@ This category of demos shows examples of openshift operations and management wit - [**OpenShift / Dev Spaces**](devspaces.yml) - Install and deploy dev spaces on OCP cluster. After this job has run successfully, login to your OCP cluster, click the application icon (to the left of the bell icon in the top right) to access Dev Spaces ## Pre Setup -This demo requires an OpenShift cluster to deploy to. If you do not have a cluster to use, one can be requested from [demo.redhat.com](https://demo.redhat.com). +This demo requires an OpenShift cluster to deploy to. If you do not have a cluster to use, one can be requested from [demo.redhat.com](https://demo.redhat.com). - Search for the [Red Hat OpenShift Container Platform 4.12 Workshop](https://demo.redhat.com/catalog?item=babylon-catalog-prod/sandboxes-gpte.ocp412-wksp.prod&utm_source=webapp&utm_medium=share-link) item in the catalog and request with the number of users you would like for Dev Spaces. - Login using the admin credentials provided. Click the `admin` username at the top right and select `Copy login command`. - Authenticate and click `Display Token`. This information will be used to populate the OpenShift Credential after you run the setup. diff --git a/openshift/gitlab.yml b/openshift/gitlab.yml index f60965720..b00665ca3 100644 --- a/openshift/gitlab.yml +++ b/openshift/gitlab.yml 
@@ -4,14 +4,14 @@ gather_facts: false tasks: - - name: create cert-manager-operator namespace + - name: Create cert-manager-operator namespace redhat.openshift.k8s: name: cert-manager-operator api_version: v1 kind: Namespace state: present - - name: create OperatorGroup object for cert-manager-operator + - name: Create OperatorGroup object for cert-manager-operator redhat.openshift.k8s: state: present definition: @@ -22,9 +22,9 @@ namespace: cert-manager-operator spec: targetNamespaces: - - cert-manager-operator + - cert-manager-operator - - name: create cert-manager-operator subscription + - name: Create cert-manager-operator subscription redhat.openshift.k8s: state: present definition: @@ -42,14 +42,14 @@ source: redhat-operators sourceNamespace: openshift-marketplace - - name: create gitlab-system namespace + - name: Create gitlab-system namespace redhat.openshift.k8s: name: gitlab-system api_version: v1 kind: Namespace state: present - - name: create OperatorGroup object for gitlab-operator-kubernetes + - name: Create OperatorGroup object for gitlab-operator-kubernetes redhat.openshift.k8s: state: present definition: @@ -60,9 +60,9 @@ namespace: gitlab-system spec: targetNamespaces: - - gitlab-system + - gitlab-system - - name: create gitlab subscription + - name: Create gitlab subscription redhat.openshift.k8s: state: present definition: @@ -80,8 +80,8 @@ source: community-operators sourceNamespace: openshift-marketplace - - name: wait for gitlab operator to install - k8s_info: + - name: Wait for gitlab operator to install + kubernetes.core.k8s_info: api_version: apiextensions.k8s.io/v1 kind: CustomResourceDefinition name: gitlabs.apps.gitlab.com @@ -91,7 +91,7 @@ delay: 30 - name: Wait until gitlab-operator is up - k8s_info: + kubernetes.core.k8s_info: api_version: v1 kind: Deployment name: gitlab-controller-manager @@ -117,7 +117,7 @@ namespace: gitlab-system spec: chart: - version: "6.11.0" + version: "6.11.0" values: nginx-ingress: enabled: false 
@@ -125,7 +125,7 @@
 install: false
 global:
 hosts:
- domain: "{{ cluster_domain }}" # apps.cluster-9xrlv.9xrlv.sandbox644.opentlc.com
+ domain: "{{ cluster_domain }}" # apps.cluster-9xrlv.9xrlv.sandbox644.opentlc.com
 ingress:
 class: none
 configureCertmanager: true
diff --git a/openshift/setup.yml b/openshift/setup.yml
index 939e3bac3..d5db457a6 100644
--- a/openshift/setup.yml
+++ b/openshift/setup.yml
@@ -34,4 +34,3 @@ controller_templates:
 notification_templates_error: Telemetry
 credentials:
 - "OpenShift Credential"
-
diff --git a/windows/backup.yml b/windows/backup.yml
index 661630a59..ee0547436 100644
--- a/windows/backup.yml
+++ b/windows/backup.yml
@@ -1,6 +1,6 @@
 ---
-- hosts: windows
- name: Rollback playbook
+- name: Rollback playbook
+ hosts: windows
 tasks:
 - name: "Rollback this step"
 ansible.builtin.debug:
diff --git a/windows/create_ad_domain.yml b/windows/create_ad_domain.yml
index ca9013f59..5c8599bb7 100644
--- a/windows/create_ad_domain.yml
+++ b/windows/create_ad_domain.yml
@@ -13,23 +13,23 @@
 ansible.windows.win_domain:
 dns_domain_name: ansible.local
 safe_mode_password: "{{ lookup('community.general.random_string', min_lower=1, min_upper=1, min_special=1, min_numeric=1) }}"
- notify:
+ notify:
 - Reboot host
 - Wait for AD services
 - Reboot again
 - Wait for AD services again
 - name: Flush handlers
- meta: flush_handlers
+ ansible.builtin.meta: flush_handlers
 - name: Create some groups
 community.windows.win_domain_group:
 name: "{{ item.name }}"
 scope: global
 loop:
- - { name: "GroupA" }
- - { name: "GroupB" }
- - { name: "GroupC" }
+ - name: "GroupA"
+ - name: "GroupB"
+ - name: "GroupC"
 retries: 5
 delay: 10
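Review bot: `safe_mode_password: "{{ lookup('community.general.random_string', …) }}"` mints the Directory Services Restore Mode password at promotion time and nothing in the play captures it, so once `ansible.windows.win_domain` returns the DSRM credential is known to no one; the handler wiring and the `ansible.builtin.meta: flush_handlers` rename in this hunk leave that unchanged. If the domain is meant to be recoverable, take the value from a vaulted variable (`safe_mode_password: "{{ ad_safe_mode_password }}"`) or generate it once with `set_fact` under `no_log: true` and hand it to a secret store; if it is intentionally throwaway for a demo, a comment on that line saying so would stop the next reader from assuming it is recorded somewhere. The lookup is also left at its default length (8 characters unless `length=` is passed), which is short for a recovery credential; adding `length=20` costs nothing. The enclosing `win_domain` task and its `name:` begin before this hunk.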
@@ -40,9 +40,12 @@
 password: "{{ lookup('community.general.random_string', min_lower=1, min_upper=1, min_special=1, min_numeric=1) }}"
 update_password: on_create
 loop:
- - { name: "UserA", groups: "GroupA" }
- - { name: "UserB", groups: "GroupB" }
- - { name: "UserC", groups: "GroupC" }
+ - name: "UserA"
+ groups: "GroupA"
+ - name: "UserB"
+ groups: "GroupB"
+ - name: "UserC"
+ groups: "GroupC"
 retries: 5
 delay: 10