diff --git a/controls/SV-204393.rb b/controls/SV-204393.rb
index b53e7c49..c0afefea 100644
--- a/controls/SV-204393.rb
+++ b/controls/SV-204393.rb
@@ -1,33 +1,46 @@ control 'SV-204393' do - title "The Red Hat Enterprise Linux operating system must display the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent - Banner before granting local or remote access to the system via a graphical user logon." - desc "Display of a standardized and approved use notification before granting access to the operating system + title 'The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent + Banner before granting local or remote access to the system via a graphical user logon.' + desc 'Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - The banner must be formatted in accordance with applicable #{input('org_name')[:acronym]} policy. Use the following verbiage for operating + The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: - \"#{input('banner_message_text_gui')}\" " - desc 'check',"Verify the operating system displays the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner before + "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
+ By using this IS (which includes any device attached to this IS), you consent to the following conditions: + -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, + penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement + (LE), and counterintelligence (CI) investigations. + -At any time, the USG may inspect and seize data stored on this IS. + -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, + and search, and may be disclosed or used for any USG-authorized purpose. + -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for + your personal benefit or privacy. + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or + monitoring of the content of privileged communications, or work product, related to personal representation or + services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are + private and confidential. See User Agreement for details."' + desc 'check', 'Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. Note: If the system does not have GNOME installed, this requirement is Not Applicable. Check to see if the operating system displays a banner at the logon screen with the following command: # grep banner-message-enable /etc/dconf/db/local.d/* banner-message-enable=true - If \"banner-message-enable\" is set to \"false\" or is missing, this is a finding." - desc 'fix', "Configure the operating system to display the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner before + If "banner-message-enable" is set to "false" or is missing, this is a finding.' 
+ desc 'fix', 'Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. Note: If the system does not have GNOME installed, this requirement is Not Applicable. Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command: # touch /etc/dconf/db/local.d/01-banner-message - Add the following line to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\": + Add the following line to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message": [org/gnome/login-screen] banner-message-enable=true Update the system databases: # dconf update - Users must log out and back in again before the system-wide settings take effect." + Users must log out and back in again before the system-wide settings take effect.' impact 0.5 tag legacy: ['V-71859', 'SV-86483'] tag severity: 'medium' diff --git a/controls/SV-204394.rb b/controls/SV-204394.rb index a1ffc837..aadac6c3 100644 --- a/controls/SV-204394.rb +++ b/controls/SV-204394.rb 
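Review bot: Inlining `DoD` and the banner verbiage into the title/desc strings removes `org_name` and `banner_message_text_gui` from the documentation while the control's test block (outside this hunk) may still evaluate `input('banner_message_text_gui')`; if the input survives in inspec.yml, a run with a site-specific banner will print check text that disagrees with what is actually evaluated, so either retire the inputs as well or keep the desc interpolated. Separately, the check command `grep banner-message-enable /etc/dconf/db/local.d/*` also matches a commented-out `#banner-message-enable=true` and keys in a file not referenced by the gdm dconf profile, so an auditor following it literally can pass a host whose login screen shows no banner; `grep -h '^banner-message-enable' /etc/dconf/db/local.d/*` narrows it to live keys, and a sentence that the database must be the one named in `/etc/dconf/profile/gdm` would close the other gap.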
@@ -1,35 +1,71 @@ control 'SV-204394' do - title "The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory #{input('org_name')[:acronym]} Notice and - Consent Banner before granting local or remote access to the system via a graphical user logon." - desc "Display of a standardized and approved use notification before granting access to the operating system + title 'The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and + Consent Banner before granting local or remote access to the system via a graphical user logon.' + desc 'Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - The banner must be formatted in accordance with applicable #{input('org_name')[:acronym]} policy. - \"#{input('banner_message_text_gui')}\" " - desc 'check', "Verify the operating system displays the approved Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner + The banner must be formatted in accordance with applicable DoD policy. + "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + By using this IS (which includes any device attached to this IS), you consent to the following conditions: + -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, + penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement + (LE), and counterintelligence (CI) investigations. + -At any time, the USG may inspect and seize data stored on this IS. 
+ -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, + and search, and may be disclosed or used for any USG-authorized purpose. + -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for + your personal benefit or privacy. + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or + monitoring of the content of privileged communications, or work product, related to personal representation or + services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are + private and confidential. See User Agreement for details."' + desc 'check', %q(Verify the operating system displays the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable. - Check that the operating system displays the exact approved Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner text + Check that the operating system displays the exact approved Standard Mandatory DoD Notice and Consent Banner text with the command: # grep banner-message-text /etc/dconf/db/local.d/* - banner-message-text='#{input('banner_message_text_gui')}' - Note: The \"\\n \" characters are for formatting only. They will not be displayed on the Graphical User Interface. - If the banner does not match the approved Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner, this is a finding." - desc 'fix', "Configure the operating system to display the approved Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent + banner-message-text= + 'You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy + using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG + routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration + testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and + counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this + IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, + interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security + measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or + privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative + searching or monitoring of the content of privileged communications, or work product, related to personal + representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and + work product are private and confidential. See User Agreement for details. ' + Note: The "\n " characters are for formatting only. They will not be displayed on the Graphical User Interface. + If the banner does not match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.) + desc 'fix', %q(Configure the operating system to display the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the system. Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable. 
Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command: # touch /etc/dconf/db/local.d/01-banner-message - Add the following line to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\": + Add the following line to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message": [org/gnome/login-screen] banner-message-enable=true - banner-message-text='#{input('banner_message_text_gui')}' - Note: The \"\\n \" characters are for formatting only. They will not be displayed on the Graphical User Interface. + banner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for + USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the + following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, + but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct + (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and + seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to + routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS + includes security measures (e.g., authentication and access controls) to protect USG interests--not for your + personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI + investigative searching or monitoring of the content of privileged communications, or work product, related to + personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such + communications and work product are private and confidential. See User Agreement for details. 
' + Note: The "\n " characters are for formatting only. They will not be displayed on the Graphical User Interface. Run the following command to update the database: - # dconf update" + # dconf update) impact 0.5 tag legacy: ['V-71861', 'SV-86485'] tag severity: 'medium' diff --git a/controls/SV-204395.rb b/controls/SV-204395.rb index 944e85d5..1c9d513f 100644 --- a/controls/SV-204395.rb +++ b/controls/SV-204395.rb 
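Review bot: The expected value in the check text is now split so that `banner-message-text=` sits alone on one line and the quoted string begins on the next, wrapped over a dozen more; a dconf keyfile requires the key and its value on a single physical line, so an operator who copies this block as shown is likely to produce a keyfile that `dconf update` rejects, leaving the banner silently off. Keep the key and the opening quote together, `banner-message-text='You are accessing a U.S. Government (USG) Information System (IS) ...`, and say explicitly that the value is one line containing literal `\n` sequences (the `%q(...)` literal correctly preserves those backslashes). Note also that the trailing `details. '` (space before the closing quote) is now baked into both check and fix text; if the test block, which lies outside this hunk, still compares against `input('banner_message_text_gui')`, the input must carry that same trailing space or the documented and evaluated strings differ by one character.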
@@ -1,28 +1,67 @@ control 'SV-204395' do - title "The Red Hat Enterprise Linux operating system must display the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent - Banner before granting local or remote access to the system via a command line user logon." - desc "Display of a standardized and approved use notification before granting access to the operating system + title 'The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent + Banner before granting local or remote access to the system via a command line user logon.' + desc 'Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - The banner must be formatted in accordance with applicable #{input('org_name')[:acronym]} policy. Use the following verbiage for operating + The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: - \"#{input('banner_message_text_cli')}\"" - desc 'check', "Verify the operating system displays the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner before + "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
+ By using this IS (which includes any device attached to this IS), you consent to the following conditions: + -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, + penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement + (LE), and counterintelligence (CI) investigations. + -At any time, the USG may inspect and seize data stored on this IS. + -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, + and search, and may be disclosed or used for any USG-authorized purpose. + -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for + your personal benefit or privacy. + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or + monitoring of the content of privileged communications, or work product, related to personal representation or + services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are + private and confidential. See User Agreement for details."' + desc 'check', 'Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a command line user logon. Check to see if the operating system displays a banner at the command line logon screen with the following command: # more /etc/issue The command should return the following text: - \"#{input('banner_message_text_cli')}\" + "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
+ By using this IS (which includes any device attached to this IS), you consent to the following conditions: + -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, + penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement + (LE), and counterintelligence (CI) investigations. + -At any time, the USG may inspect and seize data stored on this IS. + -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, + and search, and may be disclosed or used for any USG-authorized purpose. + -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for + your personal benefit or privacy. + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or + monitoring of the content of privileged communications, or work product, related to personal representation or + services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are + private and confidential. See User Agreement for details." If the operating system does not display a graphical logon banner or the banner does not match the Standard - Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner, this is a finding. - If the text in the \"/etc/issue\" file does not match the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner, this is a - finding." - desc 'fix', "Configure the operating system to display the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner before - granting access to the system via the command line by editing the \"/etc/issue\" file. - Replace the default text with the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner. 
The #{input('org_name')[:acronym]} required text is: - \"#{input('banner_message_text_cli')}\" " + Mandatory DoD Notice and Consent Banner, this is a finding. + If the text in the "/etc/issue" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a + finding.' + desc 'fix', 'Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before + granting access to the system via the command line by editing the "/etc/issue" file. + Replace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is: + "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + By using this IS (which includes any device attached to this IS), you consent to the following conditions: + -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, + penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement + (LE), and counterintelligence (CI) investigations. + -At any time, the USG may inspect and seize data stored on this IS. + -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, + and search, and may be disclosed or used for any USG-authorized purpose. + -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for + your personal benefit or privacy. + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or + monitoring of the content of privileged communications, or work product, related to personal representation or + services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are + private and confidential. 
See User Agreement for details."' impact 0.5 tag legacy: ['V-71863', 'SV-86487'] tag severity: 'medium' diff --git a/controls/SV-204397.rb b/controls/SV-204397.rb index cd60605e..fca2c483 100644 --- a/controls/SV-204397.rb +++ b/controls/SV-204397.rb @@ -1,11 +1,11 @@ control 'SV-204397' do title 'The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.' - desc "To assure accountability and prevent unauthenticated access, users must be identified and authenticated to + desc 'To assure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse and compromise of the system. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. - Government Personal Identity Verification card and the #{input('org_name')[:acronym]} Common Access Card." + Government Personal Identity Verification card and the DoD Common Access Card.' desc 'check', 'Verify the operating system uniquely identifies and authenticates users using multifactor authentication via a graphical user logon. Note: If the system does not have GNOME installed, this requirement is Not Applicable. diff --git a/controls/SV-204398.rb b/controls/SV-204398.rb index c4cc0bfb..6ceb1dab 100644 --- a/controls/SV-204398.rb +++ b/controls/SV-204398.rb 
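Review bot: The check text keeps the sentence `If the operating system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.` in a control whose subject is command-line logon via `/etc/issue`; the word "graphical" is a carry-over that will confuse an auditor, and the following sentence already states the /etc/issue rule, so the first should read `If the operating system does not display a logon banner or the banner does not match ...`. Also, `/etc/issue` is rendered only by the local getty login prompt, while the title promises the banner for "local or remote" command-line access; remote SSH sessions show the file named by sshd's `Banner` directive, so this check alone cannot establish the remote case and the desc should say that the SSH banner is covered separately rather than leave the title's claim unsupported. The control's test block is outside this hunk.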
@@ -1,35 +1,35 @@ control 'SV-204398' do - title "The Red Hat Enterprise Linux operating system must initiate a screensaver after a #{input('system_activity_timeout')/60}-minute period of - inactivity for graphical user interfaces." + title 'The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of + inactivity for graphical user interfaces.' desc "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled." - desc 'check', "Verify the operating system initiates a screensaver after a #{input('system_activity_timeout')/60}-minute period of inactivity for graphical user interfaces. + desc 'check', 'Verify the operating system initiates a screensaver after a 15-minute period of inactivity for graphical user interfaces. Note: If the system does not have GNOME installed, this requirement is Not Applicable. -Check to see if GNOME is configured to display a screensaver after a #{input('system_activity_timeout')/60} minute delay with the following command: +Check to see if GNOME is configured to display a screensaver after a 15 minute delay with the following command: # grep -i idle-delay /etc/dconf/db/local.d/* - idle-delay=uint32 #{input('system_activity_timeout')} + idle-delay=uint32 900 -If the \"idle-delay\" setting is missing or is not set to \"#{input('system_activity_timeout')}\" or less, this is a finding." 
- desc 'fix', "Configure the operating system to initiate a screensaver after a #{input('system_activity_timeout')/60}-minute period of inactivity for +If the "idle-delay" setting is missing or is not set to "900" or less, this is a finding.' + desc 'fix', 'Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: # touch /etc/dconf/db/local.d/00-screensaver Edit /etc/dconf/db/local.d/00-screensaver and add or update the following lines: [org/gnome/desktop/session] - # Set the lock time out to #{input('system_activity_timeout')} seconds before the session is considered idle - idle-delay=uint32 #{input('system_activity_timeout')} - You must include the \"uint32\" along with the integer key values as shown. + # Set the lock time out to 900 seconds before the session is considered idle + idle-delay=uint32 900 + You must include the "uint32" along with the integer key values as shown. Update the system databases: # dconf update - Users must log out and back in again before the system-wide settings take effect." + Users must log out and back in again before the system-wide settings take effect.' impact 0.5 tag legacy: ['V-71893', 'SV-86517'] tag severity: 'medium' @@ -51,7 +51,7 @@ elsif package('gnome-desktop3').installed? describe command("gsettings get org.gnome.desktop.session idle-delay | cut -d ' ' -f2") do - its('stdout.strip') { should cmp <= input('system_activity_timeout') } + its('stdout.strip') { should cmp <= 900 } end else impact 0.0 diff --git a/controls/SV-204399.rb b/controls/SV-204399.rb index 8a1fd77c..b1347507 100644 --- a/controls/SV-204399.rb +++ b/controls/SV-204399.rb 
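Review bot: `its('stdout.strip') { should cmp <= 900 }` now hard-codes the threshold but still accepts `0`, and in GNOME's org.gnome.desktop.session schema an idle-delay of 0 means the session is never considered idle, i.e. the screensaver lock is effectively disabled, so the control passes on the least secure possible setting. Add a lower bound next to the upper one, `its('stdout.strip') { should cmp > 0 }` followed by `its('stdout.strip') { should cmp <= 900 }`, and since the value comes from `gsettings get ... | cut -d ' ' -f2`, an empty stdout (gsettings unavailable in a non-graphical root session) should be an explicit failure rather than left to whatever `cmp` makes of an empty string. Dropping `input('system_activity_timeout')` also removes the only knob for sites whose policy mandates a shorter timeout; if that input is still declared in inspec.yml it is now dead, so either delete it there or keep reading it with 900 as the default.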
@@ -7,7 +7,7 @@ operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled." - desc 'check', "Verify the operating system prevents a user from overriding a screensaver lock after a #{input('system_activity_timeout')/60}-minute period of inactivity for graphical user interfaces. + desc 'check', 'Verify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
@@ -17,21 +17,21 @@ Check for the lock delay setting with the following command: -Note: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used. +Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. # grep -i lock-delay /etc/dconf/db/local.d/locks/* /org/gnome/desktop/screensaver/lock-delay -If the command does not return a result, this is a finding." - desc 'fix', "Configure the operating system to prevent a user from overriding a screensaver lock after a #{input('system_activity_timeout')/60}-minute +If the command does not return a result, this is a finding.' + desc 'fix', 'Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - Note: The example below is using the database \"local\" for the system, so if the system is using another database in - \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory. + Note: The example below is using the database "local" for the system, so if the system is using another database in + "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. # touch /etc/dconf/db/local.d/locks/session Add the setting to lock the screensaver lock delay: - /org/gnome/desktop/screensaver/lock-delay" + /org/gnome/desktop/screensaver/lock-delay' impact 0.5 tag legacy: ['V-73155', 'SV-87807'] tag severity: 'medium' diff --git a/controls/SV-204400.rb b/controls/SV-204400.rb index ccddcc88..bd9dacd7 100644 --- a/controls/SV-204400.rb +++ b/controls/SV-204400.rb 
@@ -7,7 +7,7 @@ operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled." - desc 'check', "Verify the operating system prevents a user from overriding session idle delay after a #{input('system_activity_timeout')/60}-minute period of inactivity for graphical user interfaces. + desc 'check', 'Verify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces. Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
@@ -17,21 +17,21 @@ Check for the session idle delay setting with the following command: -Note: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used. +Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. # grep -i idle-delay /etc/dconf/db/local.d/locks/* /org/gnome/desktop/session/idle-delay -If the command does not return a result, this is a finding." - desc 'fix', "Configure the operating system to prevent a user from overriding a session lock after a #{input('system_activity_timeout')/60}-minute +If the command does not return a result, this is a finding.' + desc 'fix', 'Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - Note: The example below is using the database \"local\" for the system, so if the system is using another database in + Note: The example below is using the database "local" for the system, so if the system is using another database in /etc/dconf/profile/user, the file should be created under the appropriate subdirectory. # touch /etc/dconf/db/local.d/locks/session Add the setting to lock the session idle delay: - /org/gnome/desktop/session/idle-delay" + /org/gnome/desktop/session/idle-delay' impact 0.5 tag legacy: ['V-73157', 'SV-87809'] tag severity: 'medium' diff --git a/controls/SV-204402.rb b/controls/SV-204402.rb index 847a4d94..5d5b7240 100644 --- a/controls/SV-204402.rb +++ b/controls/SV-204402.rb 
@@ -7,7 +7,7 @@ operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled." - desc 'check', "Verify the operating system initiates a session lock after a #{input('system_activity_timeout')/60}-minute period of inactivity for graphical user interfaces. + desc 'check', 'Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces. Note: If the system does not have a GNOME installed, this requirement is Not Applicable. @@ -15,19 +15,19 @@ # grep -i idle-activation-enabled /etc/dconf/db/local.d/* idle-activation-enabled=true - -If \"idle-activation-enabled\" is not set to \"true\", this is a finding." - desc 'fix', "Configure the operating system to initiate a session lock after a #{input('system_activity_timeout')/60}-minute period of inactivity for + +If "idle-activation-enabled" is not set to "true", this is a finding.' + desc 'fix', 'Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: # touch /etc/dconf/db/local.d/00-screensaver - Add the setting to enable screensaver locking after #{input('system_activity_timeout')/60} minutes of inactivity: + Add the setting to enable screensaver locking after 15 minutes of inactivity: [org/gnome/desktop/screensaver] idle-activation-enabled=true Update the system databases: # dconf update - Users must log out and back in again before the system-wide settings take effect." + Users must log out and back in again before the system-wide settings take effect.' impact 0.5 tag legacy: ['V-71899', 'SV-86523'] tag severity: 'medium' 
diff --git a/controls/SV-204403.rb b/controls/SV-204403.rb index 6aa3bde7..22d6b9fa 100644 --- a/controls/SV-204403.rb +++ b/controls/SV-204403.rb @@ -25,15 +25,15 @@ /org/gnome/desktop/screensaver/idle-activation-enabled If the command does not return a result, this is a finding.' - desc 'fix', "Configure the operating system to prevent a user from overriding a screensaver lock after a #{input('system_activity_timeout')/60}-minute + desc 'fix', 'Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - Note: The example below is using the database \"local\" for the system, so if the system is using another database in - \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory. + Note: The example below is using the database "local" for the system, so if the system is using another database in + "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. # touch /etc/dconf/db/local.d/locks/session Add the setting to lock the screensaver idle-activation-enabled setting: - /org/gnome/desktop/screensaver/idle-activation-enabled" + /org/gnome/desktop/screensaver/idle-activation-enabled' impact 0.5 tag legacy: ['V-78997', 'SV-93703'] tag severity: 'medium' diff --git a/controls/SV-204405.rb b/controls/SV-204405.rb index aa1b5b95..abd25852 100644 --- a/controls/SV-204405.rb +++ b/controls/SV-204405.rb 
@@ -25,7 +25,10 @@
 tag 'host'
 tag 'container'
 
- describe pam('/etc/pam.d/password-auth') do
- its('lines') { should match_pam_rule('password substack system-auth') }
+ # describe pam('/etc/pam.d/passwd') do
+ # its('lines') { should match_pam_rule('password substack system-auth') }
+ # end
+ describe file('/etc/pam.d/passwd') do
+ its('content') { should match /password\s+substack\s+system-auth/i }
 end
 end
diff --git a/controls/SV-204406.rb
index c6fe0fb0..1fcee189 100644
--- a/controls/SV-204406.rb
+++ b/controls/SV-204406.rb
@@ -8,12 +8,12 @@
 desc 'check', 'Verify the operating system uses "pwquality" to enforce the password complexity rules.
 Check for the use of "pwquality" with the following command:
 # cat /etc/pam.d/system-auth | grep pam_pwquality
- password required pam_pwquality.so retry=3
+ password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
 If the command does not return an uncommented line containing the value "pam_pwquality.so", this is a finding.
 If the value of "retry" is set to "0" or greater than "3", this is a finding.'
 desc 'fix', 'Configure the operating system to use "pwquality" to enforce password complexity rules.
 Add the following line to "/etc/pam.d/system-auth" (or modify the line to have the required value):
- password required pam_pwquality.so retry=3
+ password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
 Note: The value of "retry" should be between "1" and "3".'
 impact 0.5
 tag legacy: ['SV-87811', 'V-73159']
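Review bot: The new `describe file('/etc/pam.d/passwd')` check is satisfied by a commented-out rule, because `/password\s+substack\s+system-auth/i` has no line anchor, whereas the `pam` resource it replaces presumably parsed only active rules; a line such as `#password substack system-auth` now passes the control. Anchor the pattern to the start of a line so a leading `#` is excluded: `its('content') { should match(/^\s*password\s+substack\s+system-auth/) }` (Ruby's `^` matches at every line start, so no `m` flag is needed). The three commented-out `describe pam(...)` lines kept above the new block are dead code and are better removed than left for the next reader to wonder about. The SV-204406 hunk that follows on this line changes STIG text only.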
@@ -30,12 +30,12 @@
 tag 'container'
 
 describe pam('/etc/pam.d/system-auth') do
- its('lines') { should match_pam_rule("password required pam_pwquality.so retry=#{input('retry')}") }
+ its('lines') { should match_pam_rule("password requisite pam_pwquality.so try_first_pass local_users_only retry=#{input('retry')} authtok_type=") }
 end
 
 describe 'input value' do
 it 'for retry should be in line with maximum/minimum allowed values by policy' do
- expect(input('retry')).to be_between(1, input('retry'))
+ expect(input('retry')).to be_between(1, input('max_retry'))
 end
 end
 end
diff --git a/controls/SV-204407.rb b/controls/SV-204407.rb
index eb8cf528..7d9bb3f4 100644
--- a/controls/SV-204407.rb
+++ b/controls/SV-204407.rb
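Review bot: The new `match_pam_rule` pattern pins the full argument list `try_first_pass local_users_only retry=N authtok_type=` in that exact order, so a host whose line is `password requisite pam_pwquality.so retry=3` — which the check text in the preceding hunk still accepts, since it only requires an uncommented pam_pwquality.so line with retry between 1 and 3 — now fails this control. If the matcher tolerates a shorter pattern, as the `(required|requisite|sufficient)` patterns in SV-204422 suggest, `match_pam_rule("password (required|requisite) pam_pwquality.so retry=#{input('retry')}")` would track the STIG wording more closely. The `be_between(1, input('max_retry'))` line correctly replaces a tautology, but if `max_retry` is not declared in inspec.yml the undefined input will raise when this test runs; I cannot see the inputs file here. Note also that the check/fix text in the preceding hunk now hard-codes `retry=3` while this test reads `input('retry')`; the same text-versus-input split appears in SV-204422 (`remember=5 retry=3` in the text, `input('min_reuse_generations')` in the test) and in the SV-204427 text (`deny=3`, `fail_interval=900`, `unlock_time=900`).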
@@ -1,22 +1,22 @@ control 'SV-204407' do - title "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new - passwords are established, the new password must contain at least #{input('min_uppercase_characters')} upper-case character." - desc "Use of a complex password helps to increase the time and resources required to compromise the password. + title 'The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new + passwords are established, the new password must contain at least one upper-case character.' + desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is - compromised." - desc 'check', "Note: The value to require a number of upper-case characters to be set is expressed as a negative - number in '/etc/security/pwquality.conf'. - Check the value for 'ucredit' in '/etc/security/pwquality.conf' with the following command: + compromised.' + desc 'check', 'Note: The value to require a number of upper-case characters to be set is expressed as a negative + number in "/etc/security/pwquality.conf". + Check the value for "ucredit" in "/etc/security/pwquality.conf" with the following command: # grep ucredit /etc/security/pwquality.conf - ucredit = -#{input('min_uppercase_characters')} - If the value of 'ucredit' is not set to a negative value, this is a finding." 
- desc 'fix', "Configure the operating system to enforce password complexity by requiring that at least #{input('min_uppercase_characters')} - upper-case character be used by setting the 'ucredit' option. - Add the following line to '/etc/security/pwquality.conf' (or modify the line to have the required value): - ucredit = -#{input('min_uppercase_characters')}" + ucredit = -1 + If the value of "ucredit" is not set to a negative value, this is a finding.' + desc 'fix', 'Configure the operating system to enforce password complexity by requiring that at least one + upper-case character be used by setting the "ucredit" option. + Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + ucredit = -1' impact 0.5 tag legacy: ['SV-86527', 'V-71903'] tag severity: 'medium' @@ -32,7 +32,7 @@ tag 'container' describe parse_config_file('/etc/security/pwquality.conf') do - its('ucredit') { should cmp <= -input('min_uppercase_characters')} + its('ucredit') { should cmp < 0 } its('ucredit') { should_not be_nil } end end diff --git a/controls/SV-204408.rb b/controls/SV-204408.rb index ea506711..a4e6cf2b 100644 --- a/controls/SV-204408.rb +++ b/controls/SV-204408.rb 
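Review bot: `its('ucredit') { should cmp < 0 }` no longer references `min_uppercase_characters`, so if that input stays declared in inspec.yml it becomes dead: an operator who sets it to 2 still passes with `ucredit = -1`, and nothing reports that the setting is ignored. The same applies to `min_lowercase_characters`, `min_numeric_characters` and `min_special_characters` in the SV-204408, SV-204409 and SV-204410 hunks below, where the tests were likewise changed to `cmp < 0`. Remove those inputs from inspec.yml in the same change, or record in a comment next to the test that the threshold is fixed at the STIG value and the input is no longer honoured, e.g. `# fixed at the STIG value (-1); the min_*_characters inputs are not consulted`.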
@@ -1,23 +1,23 @@ control 'SV-204408' do - title "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new - passwords are established, the new password must contain at least #{input('min_lowercase_characters')} lower-case character." - desc "Use of a complex password helps to increase the time and resources required to compromise the password. + title 'The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new + passwords are established, the new password must contain at least one lower-case character.' + desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is - compromised." - desc 'check', "Note: The value to require a number of lower-case characters to be set is expressed as a negative - number in '/etc/security/pwquality.conf'. - Check the value for 'lcredit' in '/etc/security/pwquality.conf' with the following command: + compromised.' + desc 'check', 'Note: The value to require a number of lower-case characters to be set is expressed as a negative + number in "/etc/security/pwquality.conf". + Check the value for "lcredit" in "/etc/security/pwquality.conf" with the following command: # grep lcredit /etc/security/pwquality.conf - lcredit = -#{input('min_lowercase_characters')} - If the value of 'lcredit' is not set to a negative value, this is a finding." 
- desc 'fix', "Configure the system to require at least #{input('min_lowercase_characters')} lower-case character when creating or changing a + lcredit = -1 + If the value of "lcredit" is not set to a negative value, this is a finding.' + desc 'fix', 'Configure the system to require at least one lower-case character when creating or changing a password. Add or modify the following line - in '/etc/security/pwquality.conf': - lcredit = -#{input('min_lowercase_characters')}" + in "/etc/security/pwquality.conf": + lcredit = -1' impact 0.5 tag legacy: ['SV-86529', 'V-71905'] tag severity: 'medium' @@ -33,7 +33,6 @@ tag 'container' describe parse_config_file('/etc/security/pwquality.conf') do - its('lcredit') { should cmp <= -input('min_lowercase_characters')} - its('lcredit') { should_not be_nil } + its('lcredit') { should cmp < 0 } end end diff --git a/controls/SV-204409.rb b/controls/SV-204409.rb index 250df097..b6c80af6 100644 --- a/controls/SV-204409.rb +++ b/controls/SV-204409.rb 
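Review bot: The rewrite drops `its('lcredit') { should_not be_nil }` while the matching SV-204407 hunk above keeps `its('ucredit') { should_not be_nil }`, so the two sibling controls now diverge for no stated reason. When `lcredit` is absent from pwquality.conf, `parse_config_file` yields nil and the failure surfaces only through whatever `cmp < 0` reports for nil, rather than as an explicit missing-setting result. Keep the line: `its('lcredit') { should_not be_nil }`. SV-204409 and SV-204410 below never had the nil check either, so adding it there would make the four pwquality controls consistent.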
@@ -1,22 +1,22 @@ control 'SV-204409' do - title "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new - passwords are assigned, the new password must contain at least #{input('min_numeric_characters')} numeric character." + title 'The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new + passwords are assigned, the new password must contain at least one numeric character.' desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.' - desc 'check', "Note: The value to require a number of numeric characters to be set is expressed as a negative - number in \"/etc/security/pwquality.conf\". - Check the value for \"dcredit\" in \"/etc/security/pwquality.conf\" with the following command: + desc 'check', 'Note: The value to require a number of numeric characters to be set is expressed as a negative + number in "/etc/security/pwquality.conf". + Check the value for "dcredit" in "/etc/security/pwquality.conf" with the following command: # grep dcredit /etc/security/pwquality.conf - dcredit = -#{input('min_numeric_characters')} - If the value of \"dcredit\" is not set to a negative value, this is a finding." - desc 'fix', "Configure the operating system to enforce password complexity by requiring that at least #{input('min_numeric_characters')} numeric - character be used by setting the \"dcredit\" option. + dcredit = -1 + If the value of "dcredit" is not set to a negative value, this is a finding.' 
+ desc 'fix', 'Configure the operating system to enforce password complexity by requiring that at least one numeric + character be used by setting the "dcredit" option. Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): - dcredit = -#{input('min_numeric_characters')}" + dcredit = -1' impact 0.5 tag legacy: ['SV-86531', 'V-71907'] tag severity: 'medium' @@ -32,6 +32,6 @@ tag 'container' describe parse_config_file('/etc/security/pwquality.conf') do - its('dcredit') { should cmp <= -input('min_numeric_characters') } + its('dcredit') { should cmp < 0 } end end diff --git a/controls/SV-204410.rb b/controls/SV-204410.rb index dc601fc6..bd93c63d 100644 --- a/controls/SV-204410.rb +++ b/controls/SV-204410.rb 
@@ -1,24 +1,24 @@ control 'SV-204410' do - title "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new - passwords are established, the new password must contain at least #{input('min_special_characters')} special character." + title 'The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new + passwords are established, the new password must contain at least one special character.' desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.' - desc 'check', "Verify the operating system enforces password complexity by requiring that at least #{input('min_special_characters')} special + desc 'check', 'Verify the operating system enforces password complexity by requiring that at least one special character be used. Note: The value to require a number of special characters to be set is expressed as a negative number in - \"/etc/security/pwquality.conf\". - Check the value for \"ocredit\" in \"/etc/security/pwquality.conf\" with the following command: + "/etc/security/pwquality.conf". + Check the value for "ocredit" in "/etc/security/pwquality.conf" with the following command: # grep ocredit /etc/security/pwquality.conf - ocredit=-#{input('min_special_characters')} - If the value of \"ocredit\" is not set to a negative value, this is a finding." - desc 'fix', "Configure the operating system to enforce password complexity by requiring that at least #{input('min_special_characters')} special - character be used by setting the \"ocredit\" option. 
- Add the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value): - ocredit = -#{input('min_special_characters')}" + ocredit=-1 + If the value of "ocredit" is not set to a negative value, this is a finding.' + desc 'fix', 'Configure the operating system to enforce password complexity by requiring that at least one special + character be used by setting the "ocredit" option. + Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + ocredit = -1' impact 0.5 tag legacy: ['SV-86533', 'V-71909'] tag severity: 'medium' @@ -34,6 +34,6 @@ tag 'container' describe parse_config_file('/etc/security/pwquality.conf') do - its('ocredit') { should cmp <= -input('min_special_characters') } + its('ocredit') { should cmp < 0 } end end diff --git a/controls/SV-204422.rb b/controls/SV-204422.rb index 1467dff3..8bdff3bb 100644 --- a/controls/SV-204422.rb +++ b/controls/SV-204422.rb 
@@ -1,24 +1,24 @@ control 'SV-204422' do - title "The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from - reuse for a minimum of #{input('min_reuse_generations')} generations." + title 'The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from + reuse for a minimum of five generations.' desc 'Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.' - desc 'check', "Verify the operating system prohibits password reuse for a minimum of #{input('min_reuse_generations')} generations. - Check for the value of the \"remember\" argument in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" with the + desc 'check', 'Verify the operating system prohibits password reuse for a minimum of five generations. + Check for the value of the "remember" argument in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" with the following command: # grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth - password requisite pam_pwhistory.so use_authtok remember=#{input('min_reuse_generations')} retry=#{input('retry')} - If the line containing the \"pam_pwhistory.so\" line does not have the \"remember\" module argument set, is commented - out, or the value of the \"remember\" module argument is set to less than \"#{input('min_reuse_generations')}\", this is a finding." - desc 'fix', "Configure the operating system to prohibit password reuse for a minimum of #{input('min_reuse_generations')} generations. 
+ password requisite pam_pwhistory.so use_authtok remember=5 retry=3 + If the line containing the "pam_pwhistory.so" line does not have the "remember" module argument set, is commented + out, or the value of the "remember" module argument is set to less than "5", this is a finding.' + desc 'fix', 'Configure the operating system to prohibit password reuse for a minimum of five generations. -Add the following line in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" (or modify the line to have the required value): +Add the following line in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" (or modify the line to have the required value): - password requisite pam_pwhistory.so use_authtok remember=#{input('min_reuse_generations')} retry=#{input('retry')} + password requisite pam_pwhistory.so use_authtok remember=5 retry=3 -Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used." +Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.' impact 0.5 tag legacy: ['V-71933', 'SV-86557'] tag severity: 'medium' 
@@ -36,9 +36,9 @@ min_reuse_generations = input('min_reuse_generations') describe pam('/etc/pam.d/system-auth') do - its('lines') { should match_pam_rule("password (required|requisite|sufficient) pam_(unix|pwhistory).so use_authtok remember=#{min_reuse_generations}") } + its('lines') { should match_pam_rule("password (required|requisite|sufficient) pam_(unix|pwhistory).so remember=#{min_reuse_generations}") } end describe pam('/etc/pam.d/password-auth') do - its('lines') { should match_pam_rule("password (required|requisite|sufficient) pam_(unix|pwhistory).so use_authtok remember=#{min_reuse_generations}") } + its('lines') { should match_pam_rule("password (required|requisite|sufficient) pam_(unix|pwhistory).so remember=#{min_reuse_generations}") } end end diff --git a/controls/SV-204423.rb b/controls/SV-204423.rb index c8183375..62414af9 100644 --- a/controls/SV-204423.rb +++ b/controls/SV-204423.rb 
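Review bot: Both loosened patterns still require `remember=#{min_reuse_generations}` literally, so a host configured with `remember=10` fails even though the check text in the preceding hunk treats only values less than 5 as a finding; a comparison on the parsed argument, or a pattern that accepts the minimum or more, would match the STIG wording. Dropping `use_authtok` from both patterns also means the test no longer verifies an argument the fix text in the preceding hunk still lists on the pam_pwhistory.so line; if it was removed because real hosts omit it, a comment recording that would help the next reader. The `(required|requisite|sufficient)` alternation and the `pam_unix` alternative are unchanged by this commit, so I am not raising them here.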
@@ -1,21 +1,21 @@ control 'SV-204423' do - title "The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of #{input('min_len')} - characters in length." - desc "The shorter the password, the lower the number of possible combinations that need to be tested before the + title 'The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 + characters in length.' + desc 'The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or - resources required to compromise the password." - desc 'check', "Verify the operating system enforces a minimum #{input('min_len')}-character password length. The \"minlen\" option + resources required to compromise the password.' + desc 'check', 'Verify the operating system enforces a minimum 15-character password length. The "minlen" option sets the minimum number of characters in a new password. - Check for the value of the \"minlen\" option in \"/etc/security/pwquality.conf\" with the following command: + Check for the value of the "minlen" option in "/etc/security/pwquality.conf" with the following command: # grep minlen /etc/security/pwquality.conf - minlen = #{input('min_len')} - If the command does not return a \"minlen\" value of #{input('min_len')} or greater, this is a finding." - desc 'fix', "Configure operating system to enforce a minimum #{input('min_len')}-character password length. 
- Add the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value): - minlen = #{input('min_len')}" + minlen = 15 + If the command does not return a "minlen" value of 15 or greater, this is a finding.' + desc 'fix', 'Configure operating system to enforce a minimum 15-character password length. + Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + minlen = 15' impact 0.5 tag legacy: ['V-71935', 'SV-86559'] tag severity: 'medium' diff --git a/controls/SV-204426.rb b/controls/SV-204426.rb index e345cd2e..04a41ff0 100644 --- a/controls/SV-204426.rb +++ b/controls/SV-204426.rb 
@@ -1,23 +1,23 @@ control 'SV-204426' do title 'The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.' - desc "Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive + desc 'Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. - Operating systems need to track periods of inactivity and disable application identifiers after #{input('days_of_inactivity')} days of - inactivity." - desc 'check', "If passwords are not being used for authentication, this is Not Applicable. + Operating systems need to track periods of inactivity and disable application identifiers after 35 days of + inactivity.' + desc 'check', 'If passwords are not being used for authentication, this is Not Applicable. Verify the operating system disables account identifiers (individuals, groups, roles, and devices) after the password expires with the following command: # grep -i inactive /etc/default/useradd - INACTIVE=#{input('days_of_inactivity')} - If \"INACTIVE\" is set to \"-1\", a value greater than '#{input('days_of_inactivity')}', is commented out, or is not defined, this is a finding." - desc 'fix', "Configure the operating system to disable account identifiers (individuals, groups, roles, and - devices) #{input('days_of_inactivity')} days after the password expires. - Add the following line to \"/etc/default/useradd\" (or modify the line to have the required value): - INACTIVE=#{input('days_of_inactivity')} - #{input('org_name')[:acronym]} recommendation is #{input('days_of_inactivity')} days, but a lower value is acceptable. 
The value \"-1\" will disable this feature, and \"0\" - will disable the account immediately after the password expires." + INACTIVE=35 + If "INACTIVE" is set to "-1", a value greater than "35", is commented out, or is not defined, this is a finding.' + desc 'fix', 'Configure the operating system to disable account identifiers (individuals, groups, roles, and + devices) 35 days after the password expires. + Add the following line to "/etc/default/useradd" (or modify the line to have the required value): + INACTIVE=35 + DoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" + will disable the account immediately after the password expires.' impact 0.5 tag legacy: ['SV-86565', 'V-71941'] tag severity: 'medium' diff --git a/controls/SV-204427.rb b/controls/SV-204427.rb index 2e6d143c..ca5b22d4 100644 --- a/controls/SV-204427.rb +++ b/controls/SV-204427.rb 
@@ -1,48 +1,48 @@ control 'SV-204427' do - title "The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of #{input('lockout_time')/60} - minutes after #{input('unsuccessful_attempts')} unsuccessful logon attempts within a #{input('fail_interval')/60}-minute timeframe." - desc "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password - guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account." - desc 'check', "Check that the system locks an account for a minimum of #{input('lockout_time')/60} minutes after #{input('unsuccessful_attempts')} unsuccessful logon - attempts within a period of #{input('fail_interval')/60} minutes with the following command: + title 'The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 + minutes after three unsuccessful logon attempts within a 15-minute timeframe.' + desc 'By limiting the number of failed logon attempts, the risk of unauthorized system access via user password + guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.' 
+ desc 'check', 'Check that the system locks an account for a minimum of 15 minutes after three unsuccessful logon + attempts within a period of 15 minutes with the following command: # grep pam_faillock.so /etc/pam.d/password-auth - auth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')} - auth [default=die] pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')} + auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 + auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 account required pam_faillock.so - If the \"deny\" parameter is set to \"0\" or a value greater than '#{input('unsuccessful_attempts')}' on both \"auth\" lines with the \"pam_faillock.so\" + If the "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. - If the \"even_deny_root\" parameter is not set on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing + If the "even_deny_root" parameter is not set on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. - If the \"fail_interval\" parameter is set to \"0\" or is set to a value less than '#{input('fail_interval')}' on both \"auth\" lines with the - \"pam_faillock.so\" module, or is missing from these lines, this is a finding. - If the \"unlock_time\" parameter is not set to \"0\", \"never\", or is set to a value less than '#{input('lockout_time')}' on both \"auth\" lines - with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding. - Note: The maximum configurable value for \"unlock_time\" is \"604800\". 
- If any line referencing the \"pam_faillock.so\" module is commented out, this is a finding. + If the "fail_interval" parameter is set to "0" or is set to a value less than "900" on both "auth" lines with the + "pam_faillock.so" module, or is missing from these lines, this is a finding. + If the "unlock_time" parameter is not set to "0", "never", or is set to a value less than "900" on both "auth" lines + with the "pam_faillock.so" module, or is missing from these lines, this is a finding. + Note: The maximum configurable value for "unlock_time" is "604800". + If any line referencing the "pam_faillock.so" module is commented out, this is a finding. # grep pam_faillock.so /etc/pam.d/system-auth - auth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')} - auth [default=die] pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')} + auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 + auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 account required pam_faillock.so - If the \"deny\" parameter is set to \"0\" or a value greater than '#{input('unsuccessful_attempts')}' on both \"auth\" lines with the \"pam_faillock.so\" + If the "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. - If the \"even_deny_root\" parameter is not set on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing + If the "even_deny_root" parameter is not set on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. 
- If the \"fail_interval\" parameter is set to \"0\" or is set to a value less than '#{input('fail_interval')}' on both \"auth\" lines with the - \"pam_faillock.so\" module, or is missing from these lines, this is a finding. - If the \"unlock_time\" parameter is not set to \"0\", \"never\", or is set to a value less than '#{input('lockout_time')}' on both \"auth\" lines - with the \"pam_faillock.so\" module or is missing from these lines, this is a finding. - Note: The maximum configurable value for \"unlock_time\" is \"604800\". - If any line referencing the \"pam_faillock.so\" module is commented out, this is a finding." - desc 'fix', "Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in #{input('fail_interval')/60} minutes are made. + If the "fail_interval" parameter is set to "0" or is set to a value less than "900" on both "auth" lines with the + "pam_faillock.so" module, or is missing from these lines, this is a finding. + If the "unlock_time" parameter is not set to "0", "never", or is set to a value less than "900" on both "auth" lines + with the "pam_faillock.so" module or is missing from these lines, this is a finding. + Note: The maximum configurable value for "unlock_time" is "604800". + If any line referencing the "pam_faillock.so" module is commented out, this is a finding.' + desc 'fix', 'Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made. 
-Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" files to match the following lines: +Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: -auth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')} +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 auth sufficient pam_unix.so try_first_pass -auth [default=die] pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')} +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 account required pam_faillock.so -Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used." +Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.' impact 0.5 tag legacy: ['V-71943', 'SV-86567'] tag severity: 'medium' 
@@ -58,59 +58,74 @@ tag 'host'
 tag 'container'
- # pam rules files to check
- pa_rules = pam('/etc/pam.d/password-auth').lines
- sa_rules = pam('/etc/pam.d/system-auth').lines
+ # # pam rules files to check
+ # pa_rules = pam('/etc/pam.d/password-auth').lines
+ # sa_rules = pam('/etc/pam.d/system-auth').lines
- # rule patterns to match for
- faillock_rule_pattern = 'auth [default=die]|required pam_faillock.so'
- deny_pattern = faillock_rule_pattern + " deny=#{input('unsuccessful_attempts')}"
- fail_interval_pattern = faillock_rule_pattern + " fail_interval=#{input('fail_interval')}"
- unlock_time_pattern = faillock_rule_pattern + " unlock_time=(0|never|#{input('lockout_time')})"
+ # # rule patterns to match for
+ # faillock_rule_pattern = 'auth [default=die]|required pam_faillock.so'
+ # deny_pattern = faillock_rule_pattern + " deny=#{input('unsuccessful_attempts')}" #3
+ # fail_interval_pattern = faillock_rule_pattern + " fail_interval=#{input('fail_interval')}" #900
+ # unlock_time_pattern = faillock_rule_pattern + " unlock_time=(0|never|#{input('lockout_time')})" #604800
- # explicit rulesets to look for
- req = input('required_rules')
- alt = input('alternate_rules')
+ # # explicit rulesets to look for
+ # req = input('required_rules')
+ # alt = input('alternate_rules')
- describe.one do
- describe 'pam rules for the faillock module' do
- it 'should exactly match an appropriately configured ruleset in password-auth' do
- expect(pa_rules).to match_pam_rules(req).exactly, "missing required rules: #{req.select { |rule| !pa_rules.include?(rule) }}"
- end
- end
- describe 'pam rules for the faillock module' do
- it 'should exactly match an appropriately configured ruleset in password-auth' do
- expect(pa_rules).to match_pam_rules(alt).exactly, "missing alternate rules: #{alt.select { |rule| !pa_rules.include?(rule) }}"
- end
- end
- end
+ # describe.one do
+ # describe 'pam rules for the faillock module' do
+ # it 'should exactly match an appropriately configured ruleset in password-auth' do
+ # expect(pa_rules).to match_pam_rules(req).exactly, "missing required rules: #{req.select { |rule| !pa_rules.include?(rule) }}"
+ # end
+ # end
+ # describe 'pam rules for the faillock module' do
+ # it 'should exactly match an appropriately configured ruleset in password-auth' do
+ # expect(pa_rules).to match_pam_rules(alt).exactly, "missing alternate rules: #{alt.select { |rule| !pa_rules.include?(rule) }}"
+ # end
+ # end
+ # end
- describe 'pam rules for the faillock module' do
- it 'should have the expected settings enabled in password-auth' do
- expect(pa_rules).to match_pam_rule(deny_pattern), "missing: #{deny_pattern}"
- expect(pa_rules).to match_pam_rule(fail_interval_pattern), "missing: #{fail_interval_pattern}"
- expect(pa_rules).to match_pam_rule(unlock_time_pattern), 'missing or misconfigured unlock_time'
- end
- end
+ # describe 'pam rules for the faillock module' do
+ # it 'should have the expected settings enabled in password-auth' do
+ # expect(pa_rules).to match_pam_rule(deny_pattern), "missing: #{deny_pattern}"
+ # expect(pa_rules).to match_pam_rule(fail_interval_pattern), "missing: #{fail_interval_pattern}"
+ # expect(pa_rules).to match_pam_rule(unlock_time_pattern), 'missing or misconfigured unlock_time'
+ # end
+ # end
+
+ # describe.one do
+ # describe 'pam rules for the faillock module' do
+ # it 'should exactly match an appropriately configured ruleset in system-auth' do
+ # expect(sa_rules).to match_pam_rules(req).exactly, "missing required rules: #{req.select { |rule| !sa_rules.include?(rule) }}"
+ # end
+ # end
+ # describe 'pam rules for the faillock module' do
+ # it 'should exactly match an appropriately configured ruleset in system-auth' do
+ # expect(sa_rules).to match_pam_rules(alt).exactly, "missing alternate rules: #{alt.select { |rule| !sa_rules.include?(rule) }}"
+ # end
+ # end
+ # end
- describe.one do
- describe 'pam rules for the faillock module' do
- it 'should exactly match an appropriately configured ruleset in system-auth' do
- expect(sa_rules).to match_pam_rules(req).exactly, "missing required rules: #{req.select { |rule| !sa_rules.include?(rule) }}"
- end
- end
- describe 'pam rules for the faillock module' do
- it 'should exactly match an appropriately configured ruleset in system-auth' do
- expect(sa_rules).to match_pam_rules(alt).exactly, "missing alternate rules: #{alt.select { |rule| !sa_rules.include?(rule) }}"
- end
- end
+ # describe 'pam rules for the faillock module' do
+ # it 'should have the expected settings enabled in system-auth' do
+ # expect(sa_rules).to match_pam_rule(deny_pattern), "missing: #{deny_pattern}"
+ # expect(sa_rules).to match_pam_rule(fail_interval_pattern), "missing: #{fail_interval_pattern}"
+ # expect(sa_rules).to match_pam_rule(unlock_time_pattern), 'missing or misconfigured unlock_time'
+ # end
+ # end
+ # Check /etc/pam.d/password-auth
+ describe file('/etc/pam.d/password-auth') do
+ its('content') { should match /auth required pam_faillock.so preauth deny=3 even_deny_root fail_interval=900 unlock_time=0/ }
+ its('content') { should match /auth required pam_faillock.so authfail deny=3 even_deny_root fail_interval=900 unlock_time=0/ }
+ its('content') { should match /account required pam_faillock.so/ }
+ it { should_not match /#.*pam_faillock.so/ }
 end
- describe 'pam rules for the faillock module' do
- it 'should have the expected settings enabled in system-auth' do
- expect(sa_rules).to match_pam_rule(deny_pattern), "missing: #{deny_pattern}"
- expect(sa_rules).to match_pam_rule(fail_interval_pattern), "missing: #{fail_interval_pattern}"
- expect(sa_rules).to match_pam_rule(unlock_time_pattern), 'missing or misconfigured unlock_time'
- end
+ # Check /etc/pam.d/system-auth
+ describe file('/etc/pam.d/system-auth') do
+ its('content') { should match /auth required pam_faillock.so preauth deny=3 even_deny_root fail_interval=900 unlock_time=0/ }
+ its('content') { should match /auth required pam_faillock.so authfail deny=3 even_deny_root fail_interval=900 unlock_time=0/ }
+ its('content') { should match /account required pam_faillock.so/ }
+ it { should_not match /#.*pam_faillock.so/ }
 end
 end
diff --git a/controls/SV-204428.rb b/controls/SV-204428.rb
index 03902b5d..1a421b65 100644
--- a/controls/SV-204428.rb
+++ b/controls/SV-204428.rb
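Review bot: The new `its('content')` regexes reject the configuration this control's own fix text prescribes — the fix earlier in this file and the check example both give `auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900` and `auth [default=die] pam_faillock.so authfail audit ...`, whereas the matchers demand `preauth deny=3` with no `silent audit`, `auth required ... authfail` instead of `[default=die]`, and `unlock_time=0` rather than the `0`/`never`/≥900 the check text allows, so a host hardened exactly as instructed is reported as a finding. Dropping the `unsuccessful_attempts`/`fail_interval`/`lockout_time` inputs that the commented-out code still reads also means stricter or site-tuned values fail, and `it { should_not match /#.*pam_faillock.so/ }` runs the matcher against the `file` resource object rather than its text, so as far as I can tell it never detects a commented-out faillock line; it should be `its('content') { should_not match(/^\s*#.*pam_faillock\.so/) }`. Restoring the `pam`-resource matchers this hunk comments out is the cleanest fix; failing that, a per-option, order-insensitive match driven by the inputs (below) at least keeps the check consistent with the fix text. This assumes those inputs are still declared in the profile, which the commented-out references suggest but the hunk does not show.
```ruby
# … unchanged: commented-out pam-resource checks above …
deny          = input('unsuccessful_attempts')
fail_interval = input('fail_interval')
lockout_time  = input('lockout_time')
# pam_faillock does not care about option order, so assert each option with a lookahead
opts = /(?=.*\bdeny=#{deny}\b)(?=.*\beven_deny_root\b)(?=.*\bfail_interval=#{fail_interval}\b)(?=.*\bunlock_time=(0|never|#{lockout_time})\b)/
preauth_rule  = /^\s*auth\s+required\s+pam_faillock\.so\s+preauth\b#{opts}/
authfail_rule = /^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail\b#{opts}/

%w[/etc/pam.d/password-auth /etc/pam.d/system-auth].each do |pam_file|
  describe file(pam_file) do
    its('content') { should match preauth_rule }
    its('content') { should match authfail_rule }
    its('content') { should match(/^\s*account\s+required\s+pam_faillock\.so/) }
    its('content') { should_not match(/^\s*#.*pam_faillock\.so/) }
  end
end
```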
@@ -1,32 +1,32 @@ control 'SV-204428' do - title "The Red Hat Enterprise Linux operating system must lock the associated account after #{input('unsuccessful_attempts')} unsuccessful - root logon attempts are made within a #{input('fail_interval')/60}-minute period." + title 'The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful + root logon attempts are made within a 15-minute period.' desc 'By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.' - desc 'check', "Verify the operating system automatically locks the root account, for a minimum of #{input('lockout_time')/60} minutes, when - #{input('unsuccessful_attempts')} unsuccessful logon attempts in #{input('fail_interval')/60} minutes are made. + desc 'check', 'Verify the operating system automatically locks the root account, for a minimum of 15 minutes, when + three unsuccessful logon attempts in 15 minutes are made. 
# grep pam_faillock.so /etc/pam.d/password-auth - auth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')} - auth [default=die] pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')} + auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 + auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 account required pam_faillock.so - If the \"even_deny_root\" setting is not defined on both lines with the \"pam_faillock.so\" module, is commented out, or + If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding. # grep pam_faillock.so /etc/pam.d/system-auth - auth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')} - auth [default=die] pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')} + auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 + auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 account required pam_faillock.so - If the \"even_deny_root\" setting is not defined on both lines with the \"pam_faillock.so\" module, is commented out, or - is missing from a line, this is a finding." 
- desc 'fix', "Configure the operating system to automatically lock the root account, for a minimum of #{input('lockout_time')/60} minutes, when #{input('unsuccessful_attempts')} unsuccessful logon attempts in #{input('fail_interval')/60} minutes are made. + If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or + is missing from a line, this is a finding.' + desc 'fix', 'Configure the operating system to automatically lock the root account, for a minimum of 15 minutes, when three unsuccessful logon attempts in 15 minutes are made. -Modify the first #{input('unsuccessful_attempts')} lines of the auth section and the first line of the account section of the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" files to match the following lines: +Modify the first three lines of the auth section and the first line of the account section of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: -auth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')} +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 auth sufficient pam_unix.so try_first_pass -auth [default=die] pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')} +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 account required pam_faillock.so -Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used." 
+Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.' impact 0.5 tag legacy: ['V-71945', 'SV-86569'] tag severity: 'medium' diff --git a/controls/SV-204431.rb b/controls/SV-204431.rb index 52bea25c..c12b9a88 100644 --- a/controls/SV-204431.rb +++ b/controls/SV-204431.rb 
@@ -1,14 +1,14 @@ control 'SV-204431' do title 'The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds.' - desc "Configuring the operating system to implement organization-wide security implementation guides and security - checklists verifies compliance with federal standards and establishes a common security baseline across #{input('org_name')[:acronym]} that + desc 'Configuring the operating system to implement organization-wide security implementation guides and security + checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, - and directory permission settings; and settings for functions, ports, protocols, services, and remote connections." + and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.' desc 'check', 'Verify the operating system enforces a delay of at least four seconds between console logon prompts following a failed logon attempt. Check the value of the "fail_delay" parameter in the "/etc/login.defs" file with the following command: diff --git a/controls/SV-204444.rb b/controls/SV-204444.rb index 8c8a1198..5b006e4a 100644 --- a/controls/SV-204444.rb +++ b/controls/SV-204444.rb 
@@ -86,7 +86,7 @@ describe "SELinux login #{user}" do
 if user == '__default__'
- let(:valid_users) { ['user_u'] }
+ let(:valid_users) { ['user_u','unconfined_u'] }
 elsif admin_logins.include?(user)
 let(:valid_users) do
 [
diff --git a/controls/SV-204446.rb b/controls/SV-204446.rb
index e653ee45..eba9b2b1 100644
--- a/controls/SV-204446.rb
+++ b/controls/SV-204446.rb
@@ -49,7 +49,7 @@ tag 'container'
 file_integrity_tool = input('file_integrity_tool')
-
+
 describe.one do
 describe file("/etc/cron.daily/#{file_integrity_tool}") do
 its('content') { should match %r{/var/spool/mail} }
diff --git a/controls/SV-204447.rb b/controls/SV-204447.rb
index 51035c41..a66ae77f 100644
--- a/controls/SV-204447.rb
+++ b/controls/SV-204447.rb
@@ -1,9 +1,9 @@
 control 'SV-204447' do
- title "The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service
+ title 'The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service
 packs, device drivers, or operating system components from a repository without verification they have been
 digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved
- by the organization."
+ by the organization.'
- desc "Changes to any software components can have significant effects on the overall security of the operating
+ desc 'Changes to any software components can have significant effects on the overall security of the operating
 system. This requirement ensures the software has not been tampered with and that it has been provided by a
 trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a
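Review bot: Accepting `unconfined_u` for the `__default__` SELinux login makes this control pass on a host where every non-administrative login runs in the unconfined domain, which is exactly the posture the previous `['user_u']` expectation rejected; that silently widens what counts as compliant instead of correcting a false positive. If a site deliberately leaves the default mapping unconfined, make that an explicit, documented exception — e.g. `let(:valid_users) { input('allow_unconfined_default') ? %w[user_u unconfined_u] : ['user_u'] }` with the input declared in the profile and defaulting to `false` — so the deviation is visible in the results rather than baked into the check. The enclosing `describe "SELinux login #{user}"` block starts and ends outside the hunk.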
@@ -11,20 +11,20 @@ Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to - verify the software again. This requirement does not mandate #{input('org_name')[:acronym]} certificates for this purpose; however, the - certificate used to verify the software must be from an approved CA." - desc 'check', "Verify the operating system prevents the installation of patches, service packs, device drivers, or + verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the + certificate used to verify the software must be from an approved CA.' + desc 'check', 'Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization. Check that yum verifies the signature of packages from a repository prior to install with the following command: # grep gpgcheck /etc/yum.conf gpgcheck=1 - If \"gpgcheck\" is not set to \"1\", or if options are missing or commented out, ask the System Administrator how the + If "gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. - If there is no process to validate certificates that is approved by the organization, this is a finding." 
- desc 'fix', "Configure the operating system to verify the signature of packages from a repository prior to install - by setting the following option in the \"/etc/yum.conf\" file: - gpgcheck=1" + If there is no process to validate certificates that is approved by the organization, this is a finding.' + desc 'fix', 'Configure the operating system to verify the signature of packages from a repository prior to install + by setting the following option in the "/etc/yum.conf" file: + gpgcheck=1' impact 0.7 tag legacy: ['V-71977', 'SV-86601'] tag severity: 'high' diff --git a/controls/SV-204448.rb b/controls/SV-204448.rb index d0ab7d34..98f64e18 100644 --- a/controls/SV-204448.rb +++ b/controls/SV-204448.rb @@ -1,9 +1,9 @@ control 'SV-204448' do - title "The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service + title 'The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved - by the organization." - desc "Changes to any software components can have significant effects on the overall security of the operating + by the organization.' + desc 'Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a 
@@ -11,21 +11,21 @@ Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to - verify the software again. This requirement does not mandate #{input('org_name')[:acronym]} certificates for this purpose; however, the - certificate used to verify the software must be from an approved CA." - desc 'check', "Verify the operating system prevents the installation of patches, service packs, device drivers, or + verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the + certificate used to verify the software must be from an approved CA.' + desc 'check', 'Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification that they have been digitally signed using a certificate that is recognized and approved by the organization. Check that yum verifies the signature of local packages prior to install with the following command: # grep localpkg_gpgcheck /etc/yum.conf localpkg_gpgcheck=1 - If \"localpkg_gpgcheck\" is not set to \"1\", or if options are missing or commented out, ask the System Administrator + If "localpkg_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the signatures of local packages and other operating system components are verified. If there is no process to validate the signatures of local packages that is approved by the organization, this is a - finding." - desc 'fix', "Configure the operating system to verify the signature of local packages prior to install by setting - the following option in the \"/etc/yum.conf\" file: - localpkg_gpgcheck=1" + finding.' 
+ desc 'fix', 'Configure the operating system to verify the signature of local packages prior to install by setting
+ the following option in the "/etc/yum.conf" file:
+ localpkg_gpgcheck=1'
 impact 0.7
 tag legacy: ['V-71979', 'SV-86603']
 tag severity: 'high'
diff --git a/controls/SV-204468.rb b/controls/SV-204468.rb
old mode 100644
new mode 100755
diff --git a/controls/SV-204488.rb b/controls/SV-204488.rb
index 16391def..198e961c 100644
--- a/controls/SV-204488.rb
+++ b/controls/SV-204488.rb
@@ -98,7 +98,7 @@ # Report on any interactive files that are less restrictive than the input UMASK.
 describe 'No interactive user initialization files with a less restrictive umask were found.' do
 subject { findings.empty? }
- it { should eq true }
+ it { should eq false }
 end
 # Report on any interactive users that have a umask less restrictive than the input UMASK.
diff --git a/controls/SV-204497.rb b/controls/SV-204497.rb
index ecd0bddf..dbb9049f 100644
--- a/controls/SV-204497.rb
+++ b/controls/SV-204497.rb
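Review bot: Changing `it { should eq true }` to `it { should eq false }` inverts the assertion: the subject is `findings.empty?` under the description 'No interactive user initialization files with a less restrictive umask were found', so the control now passes only when at least one offending init file exists and fails on a clean host. If this was done to work around a false positive, the fix belongs in the code that populates `findings` (outside this hunk), and the line should go back to `it { should eq true }`.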
@@ -1,20 +1,20 @@ control 'SV-204497' do - title "The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the + title 'The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, - regulations, and standards." - desc "Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. + regulations, and standards.' + desc 'Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal - government since this provides assurance they have been tested and validated." - desc 'check', "Verify the operating system implements #{input('org_name')[:acronym]}-approved encryption to protect the confidentiality of + government since this provides assurance they have been tested and validated.' + desc 'check', 'Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions. 
- Check to see if the \"dracut-fips\" package is installed with the following command: + Check to see if the "dracut-fips" package is installed with the following command: # yum list installed dracut-fips dracut-fips-033-360.el7_2.x86_64.rpm - If a \"dracut-fips\" package is installed, check to see if the kernel command line is configured to use FIPS mode with + If a "dracut-fips" package is installed, check to see if the kernel command line is configured to use FIPS mode with the following command: - Note: GRUB 2 reads its configuration from the \"/boot/grub2/grub.cfg\" file on traditional BIOS-based machines and - from the \"/boot/efi/EFI/redhat/grub.cfg\" file on UEFI machines. + Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and + from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines. # grep fips /boot/grub2/grub.cfg /vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet 
@@ -22,17 +22,17 @@ following command: # cat /proc/sys/crypto/fips_enabled 1 - If a \"dracut-fips\" package is not installed, the kernel command line does not have a fips entry, or the system has a - value of \"0\" for \"fips_enabled\" in \"/proc/sys/crypto\", this is a finding. + If a "dracut-fips" package is not installed, the kernel command line does not have a fips entry, or the system has a + value of "0" for "fips_enabled" in "/proc/sys/crypto", this is a finding. Verify the file /etc/system-fips exists. # ls -l /etc/system-fips - If this file does not exist, this is a finding." - desc 'fix', "Configure the operating system to implement #{input('org_name')[:acronym]}-approved encryption by installing the dracut-fips + If this file does not exist, this is a finding.' + desc 'fix', 'Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package. To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. - Configure the operating system to implement #{input('org_name')[:acronym]}-approved encryption by following the steps below: + Configure the operating system to implement DoD-approved encryption by following the steps below: The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is 
@@ -40,13 +40,13 @@ 256 keystrokes may generate a non-unique key. Install the dracut-fips package with the following command: # yum install dracut-fips - Recreate the \"initramfs\" file with the following command: - Note: This command will overwrite the existing \"initramfs\" file. + Recreate the "initramfs" file with the following command: + Note: This command will overwrite the existing "initramfs" file. # dracut -f - Modify the kernel command line of the current kernel in the \"grub.cfg\" file by adding the following option to the - GRUB_CMDLINE_LINUX key in the \"/etc/default/grub\" file and then rebuild the \"grub.cfg\" file: + Modify the kernel command line of the current kernel in the "grub.cfg" file by adding the following option to the + GRUB_CMDLINE_LINUX key in the "/etc/default/grub" file and then rebuild the "grub.cfg" file: fips=1 - Changes to \"/etc/default/grub\" require rebuilding the \"grub.cfg\" file as follows: + Changes to "/etc/default/grub" require rebuilding the "grub.cfg" file as follows: On BIOS-based machines, use the following command: # grub2-mkconfig -o /boot/grub2/grub.cfg On UEFI-based machines, use the following command: 
@@ -57,15 +57,15 @@ # df /boot Filesystem 1K-blocks Used Available Use% Mounted on /dev/sda1 495844 53780 416464 12% /boot - To ensure the \"boot=\" configuration option will work even if device naming changes occur between boots, identify the + To ensure the "boot=" configuration option will work even if device naming changes occur between boots, identify the universally unique identifier (UUID) of the partition with the following command: # blkid /dev/sda1 - /dev/sda1: UUID=\"05c000f1-a213-759e-c7a2-f11b7424c797\" TYPE=\"ext4\" + /dev/sda1: UUID="05c000f1-a213-759e-c7a2-f11b7424c797" TYPE="ext4" For the example above, append the following string to the kernel command line: boot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797 If the file /etc/system-fips does not exists, recreate it: # touch /etc/ system-fips - Reboot the system for the changes to take effect." + Reboot the system for the changes to take effect.' impact 0.7 tag legacy: ['SV-86691', 'V-72067'] tag severity: 'high' diff --git a/controls/SV-204509.rb b/controls/SV-204509.rb old mode 100644 new mode 100755 diff --git a/controls/SV-204513.rb b/controls/SV-204513.rb index c4e7724a..918d518e 100644 --- a/controls/SV-204513.rb +++ b/controls/SV-204513.rb 
@@ -1,25 +1,25 @@ control 'SV-204513' do - title "The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator + title 'The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches - #{input('storage_volume')}% of the repository maximum audit record storage capacity." - desc "If security personnel are not notified immediately when storage volume reaches #{input('storage_volume')} percent utilization, they - are unable to plan for audit record storage capacity expansion." - desc 'check', "Verify the operating system initiates an action to notify the SA and ISSO (at a minimum) when - allocated audit record storage volume reaches #{input('storage_volume')} percent of the repository maximum audit record storage capacity. + 75% of the repository maximum audit record storage capacity.' + desc 'If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they + are unable to plan for audit record storage capacity expansion.' + desc 'check', 'Verify the operating system initiates an action to notify the SA and ISSO (at a minimum) when + allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. 
Check the system configuration to determine the partition the audit records are being written to with the following command: $ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log - Determine what the threshold is for the system to take action when #{input('storage_volume')} percent of the repository maximum audit record + Determine what the threshold is for the system to take action when 75 percent of the repository maximum audit record storage capacity is reached: $ sudo grep -iw space_left /etc/audit/auditd.conf - space_left = #{input('min_space_left')}% - If the value of the \"space_left\" keyword is not set to #{input('min_space_left')} percent of the total partition size, this is a finding." - desc 'fix', "Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when - allocated audit record storage volume reaches #{input('storage_volume')} percent of the repository maximum audit record storage capacity. - Set the value of the \"space_left\" keyword in \"/etc/audit/auditd.conf\" to #{input('min_space_left')} percent of the partition size. - space_left = #{input('min_space_left')}% - Reload the auditd daemon to apply changes made to the \"/etc/audit/auditd.conf\" file." + space_left = 25% + If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.' + desc 'fix', 'Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when + allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. + Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25 percent of the partition size. + space_left = 25% + Reload the auditd daemon to apply changes made to the "/etc/audit/auditd.conf" file.' impact 0.5 tag legacy: ['V-72089', 'SV-86713'] tag severity: 'medium' 
diff --git a/controls/SV-204514.rb b/controls/SV-204514.rb index 70142309..5315869f 100644 --- a/controls/SV-204514.rb +++ b/controls/SV-204514.rb 
@@ -1,21 +1,21 @@ control 'SV-204514' do - title "The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and + title 'The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum - audit record storage capacity is reached." - desc "If security personnel are not notified immediately when the threshold for the repository maximum audit + audit record storage capacity is reached.' + desc 'If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are - lost." - desc 'check', "Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the - allocated audit record storage volume reaches #{input('storage_volume')} percent of the repository maximum audit record storage capacity. + lost.' + desc 'check', 'Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the + allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. Check what action the operating system takes when the threshold for the repository maximum audit record storage capacity is reached with the following command: # grep -i space_left_action /etc/audit/auditd.conf space_left_action = email - If the value of the \"space_left_action\" keyword is not set to \"email\", this is a finding." - desc 'fix', "Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold + If the value of the "space_left_action" keyword is not set to "email", this is a finding.' 
+ desc 'fix', 'Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. - Uncomment or edit the \"space_left_action\" keyword in \"/etc/audit/auditd.conf\" and set it to \"email\". - space_left_action = email" + Uncomment or edit the "space_left_action" keyword in "/etc/audit/auditd.conf" and set it to "email". + space_left_action = email' impact 0.5 tag legacy: ['V-72091', 'SV-86715'] tag severity: 'medium' diff --git a/controls/SV-204515.rb b/controls/SV-204515.rb old mode 100644 new mode 100755 diff --git a/controls/SV-204536.rb b/controls/SV-204536.rb index 8939ad06..aa3302c6 100644 --- a/controls/SV-204536.rb +++ b/controls/SV-204536.rb @@ -14,14 +14,14 @@ $ sudo grep -w "/usr/sbin/semanage" /etc/audit/audit.rules --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged If the command does not return any output, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "semanage" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 
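Review bot: The check and fix text now hard-code "75 percent" where they previously interpolated `#{input('storage_volume')}`, so the control's narrative stops following the profile input if a site overrides it (SV-204513 just above gets the same substitution). If the input is being retired that is fine, but its declaration and any test code that still reads it (not visible in this hunk) should go in the same commit; otherwise keep the interpolation with double quotes, e.g. `"... reaches #{input('storage_volume')} percent of the repository maximum audit record storage capacity."`.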
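Review bot: The check text now shows `-k privileged` as the expected grep output for semanage, but the finding criterion directly beneath it ("If the command does not return any output, this is a finding") keys on the `-F path=/usr/sbin/semanage` match, not on the key name, so a host configured with the DISA-published `-k privileged-priv_change` line still satisfies this text. Unless the key is meant to become mandatory, say so to stop an assessor reading the rename as a requirement, e.g. `Note: the audit key (-k value) is not prescribed; any key is acceptable as long as the path rule is present.` The same rename is applied to the sibling controls in this commit, so the clarification belongs in each of them.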
@@ -48,12 +48,13 @@ else describe 'Command' do it "#{audit_command} is audited properly" do - audit_rule = auditd.file(audit_command) + # Use auditd.where method to filter on rules with matching file path + audit_rule = auditd.where { path == audit_command } expect(audit_rule).to exist expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-priv_change') + expect(audit_rule.key.uniq).to include('privileged') end end end diff --git a/controls/SV-204537.rb b/controls/SV-204537.rb index 93e72b43..1c6c8d27 100644 --- a/controls/SV-204537.rb +++ b/controls/SV-204537.rb @@ -14,14 +14,14 @@ $ sudo grep -w "/usr/sbin/setsebool" /etc/audit/audit.rules --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged If the command does not return any output, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setsebool" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -53,7 +53,7 @@ expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-priv_change') + expect(audit_rule.key.uniq).to include('privileged') end end end 
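Review bot: `expect(audit_rule.key.uniq).to include('privileged')` is an exact element match, so a host carrying the DISA-published rule `-k privileged-priv_change` now fails this control even though the check text's finding criterion is only that the path rule exists. If the key is not meant to be mandatory, drop the key assertion or accept either spelling: `expect(audit_rule.key.uniq).to include(a_string_matching(/\Aprivileged/))`. Separately, this control switches to `auditd.where { path == audit_command }` while SV-204537 and the other controls in the same commit keep `auditd.file(audit_command)` (and SV-204549 leaves the `where` form commented out); pick one lookup for all of them so they cannot drift on how `-F path=` rules are matched. The enclosing `describe`/`it` block starts outside the hunk.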
diff --git a/controls/SV-204538.rb b/controls/SV-204538.rb index 75de9a61..5ae1d1ad 100644 --- a/controls/SV-204538.rb +++ b/controls/SV-204538.rb @@ -14,14 +14,14 @@ $ sudo grep -w "/usr/bin/chcon" /etc/audit/audit.rules --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged If the command does not return any output, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chcon" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -53,7 +53,7 @@ expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-priv_change') + expect(audit_rule.key.uniq).to include('privileged') end end end diff --git a/controls/SV-204539.rb b/controls/SV-204539.rb old mode 100644 new mode 100755 index 4d628bce..cfcd9ccc --- a/controls/SV-204539.rb +++ b/controls/SV-204539.rb 
@@ -14,14 +14,15 @@ $ sudo grep -w "/usr/sbin/setfiles" /etc/audit/audit.rules --a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged +-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the command does not return any output, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setfiles" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -53,7 +54,7 @@ expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-priv_change') + expect(audit_rule.key.uniq).to include('privileged') end end end diff --git a/controls/SV-204542.rb b/controls/SV-204542.rb index 9a1e97d9..1ed2a96b 100644 --- a/controls/SV-204542.rb +++ b/controls/SV-204542.rb 
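Review bot: The check text now lists the setfiles rule twice, once with `-k privileged` and once with `-F key=privileged`, as if both lines were expected output of the single grep, yet they appear to be two spellings of the same rule and only one will be present on a given host. Shown without explanation this invites an assessor to open a finding when the second line is absent, and the fix text in the same hunk still shows only the `-k` form, so check and fix are inconsistent. State them as alternatives instead, e.g. `(the key may appear as either "-k privileged" or "-F key=privileged"; either form is acceptable)`, or show a single form as the fix does.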
@@ -14,14 +14,14 @@ $ sudo grep -w "/usr/bin/passwd" /etc/audit/audit.rules --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged If the command does not return any output, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -53,8 +53,8 @@ expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-passwd') + expect(audit_rule.key.uniq).to include('privileged') end end end -end +end \ No newline at end of file diff --git a/controls/SV-204543.rb b/controls/SV-204543.rb index c9e0c777..dc0bad69 100644 --- a/controls/SV-204543.rb +++ b/controls/SV-204543.rb 
@@ -14,14 +14,14 @@ $ sudo grep -w "/usr/sbin/unix_chkpwd" /etc/audit/audit.rules --a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd +-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged If the command does not return any output, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd +-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -53,7 +53,7 @@ expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-passwd') + expect(audit_rule.key.uniq).to include('privileged') end end end diff --git a/controls/SV-204544.rb b/controls/SV-204544.rb old mode 100644 new mode 100755 index e2f3036d..92c4c883 --- a/controls/SV-204544.rb +++ b/controls/SV-204544.rb 
@@ -14,14 +14,14 @@ $ sudo grep -w "/usr/bin/gpasswd" /etc/audit/audit.rules --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged If the command does not return any output, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -53,7 +53,7 @@ expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-passwd') + expect(audit_rule.key.uniq).to include('privileged') end end end diff --git a/controls/SV-204545.rb b/controls/SV-204545.rb index 90dbd816..80fe09ec 100644 --- a/controls/SV-204545.rb +++ b/controls/SV-204545.rb 
@@ -14,14 +14,14 @@ $ sudo grep -w "/usr/bin/chage" /etc/audit/audit.rules --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged If the command does not return any output, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chage" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -53,7 +53,7 @@ expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-passwd') + expect(audit_rule.key.uniq).to include('privileged') end end end diff --git a/controls/SV-204546.rb b/controls/SV-204546.rb old mode 100644 new mode 100755 index 2e76bf88..20eb589b --- a/controls/SV-204546.rb +++ b/controls/SV-204546.rb 
@@ -14,14 +14,14 @@ $ sudo grep -w "/usr/sbin/userhelper" /etc/audit/audit.rules --a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd +-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged If the command does not return any output, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd +-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -53,7 +53,7 @@ expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-passwd') + expect(audit_rule.key.uniq).to include('privileged') end end end diff --git a/controls/SV-204547.rb b/controls/SV-204547.rb old mode 100644 new mode 100755 index 20852c11..64da665b --- a/controls/SV-204547.rb +++ b/controls/SV-204547.rb 
@@ -14,14 +14,14 @@ $ sudo grep -w "/usr/bin/su" /etc/audit/audit.rules --a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged If the command does not return any output, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -53,7 +53,7 @@ expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-priv_change') + expect(audit_rule.key.uniq).to include('privileged') end end end diff --git a/controls/SV-204548.rb b/controls/SV-204548.rb index f42016da..89e40f0e 100644 --- a/controls/SV-204548.rb +++ b/controls/SV-204548.rb 
@@ -14,14 +14,14 @@ $ sudo grep -w "/usr/bin/sudo" /etc/audit/audit.rules --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged If the command does not return any output, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudo" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -53,7 +53,7 @@ expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-priv_change') + expect(audit_rule.key.uniq).to include('privileged') end end end diff --git a/controls/SV-204549.rb b/controls/SV-204549.rb index cf12ecc0..46f57bbe 100644 --- a/controls/SV-204549.rb +++ b/controls/SV-204549.rb 
@@ -11,15 +11,15 @@ Check for modification of the following files being audited by performing the following commands to check the file system rules in "/etc/audit/audit.rules": # grep -i "/etc/sudoers" /etc/audit/audit.rules - -w /etc/sudoers -p wa -k privileged-actions + -w /etc/sudoers -p wa -k actions # grep -i "/etc/sudoers.d/" /etc/audit/audit.rules - -w /etc/sudoers.d/ -p wa -k privileged-actions + -w /etc/sudoers.d/ -p wa -k actions If the commands do not return output that match the examples, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory. Add or update the following rule in "/etc/audit/rules.d/audit.rules": - -w /etc/sudoers -p wa -k privileged-actions - -w /etc/sudoers.d/ -p wa -k privileged-actions + -w /etc/sudoers -p wa -k actions + -w /etc/sudoers.d/ -p wa -k actions The audit daemon must be restarted for the changes to take effect.' impact 0.5 tag legacy: ['V-72163', 'SV-86787'] @@ -35,7 +35,7 @@ tag subsystems: ['audit', 'auditd', 'audit_rule'] tag 'host' - audit_commands = ['/etc/sudoers', '/etc/sudoers.d/'] + audit_commands = ['/etc/sudoers', '/etc/sudoers.d/90-cloud-init-users', '/etc/sudoers.d/selinux-context-for-admins'] if virtualization.system.eql?('docker') impact 0.0 @@ -46,9 +46,9 @@ describe 'Command' do audit_commands.each do |audit_command| it "#{audit_command} is audited properly" do - audit_rule = auditd.file(audit_command) + audit_rule = auditd.file(audit_command) #auditd.where { path == audit_command } # expect(audit_rule).to exist - expect(audit_rule.key).to cmp 'privileged-actions' + expect(audit_rule.key).to cmp 'actions' expect(audit_rule.permissions.flatten).to include('w', 'a') end end diff --git a/controls/SV-204550.rb b/controls/SV-204550.rb index 508abe1f..83233038 100644 --- a/controls/SV-204550.rb +++ b/controls/SV-204550.rb 
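Review bot: Replacing `'/etc/sudoers.d/'` in `audit_commands` with two specific files (`90-cloud-init-users`, `selinux-context-for-admins`) changes what the control proves: the check and fix text still require a watch on the `/etc/sudoers.d/` directory so any fragment dropped there is audited, so a host with exactly that watch and no per-file rules now fails, while a host with only those two file rules passes although new sudoers.d fragments go unaudited. The names are also environment-specific (cloud-init, a SELinux admin drop-in) with no basis in the STIG text. If the motivation was that the loaded watch is reported without the trailing slash so `auditd.file('/etc/sudoers.d/')` never matched, test the directory as the tooling reports it instead: `audit_commands = ['/etc/sudoers', '/etc/sudoers.d']` (or `auditd.where { file =~ %r{\A/etc/sudoers\.d/?\z} }`). Note `expect(audit_rule).to exist` stays commented out in this hunk, so an absent rule is only caught indirectly, and `cmp 'actions'` again fails hosts configured with the published `privileged-actions` key.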
@@ -14,14 +14,14 @@ $ sudo grep -w "/usr/bin/newgrp" /etc/audit/audit.rules --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged If the command does not return any output, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "newgrp" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -53,7 +53,7 @@ expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-priv_change') + expect(audit_rule.key.uniq).to include('privileged') end end end diff --git a/controls/SV-204551.rb b/controls/SV-204551.rb index 977cedf1..932b2301 100644 --- a/controls/SV-204551.rb +++ b/controls/SV-204551.rb 
@@ -14,14 +14,14 @@ $ sudo grep -w "/usr/bin/chsh" /etc/audit/audit.rules --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged If the command does not return any output, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -53,7 +53,7 @@ expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-priv_change') + expect(audit_rule.key.uniq).to include('privileged') end end end diff --git a/controls/SV-204552.rb b/controls/SV-204552.rb index 1a318e70..f6a84f9b 100644 --- a/controls/SV-204552.rb +++ b/controls/SV-204552.rb @@ -14,9 +14,9 @@ $ sudo grep -w "mount" /etc/audit/audit.rules --a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount --a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount --a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged If both the "b32" and "b64" audit rules are not defined for the "mount" syscall, this is a finding. 
@@ -25,9 +25,9 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": --a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount --a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount --a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -65,7 +65,7 @@ expect(audit_rule.arch.uniq).to cmp 'b32' end expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-mount') + expect(audit_rule.key.uniq).to include('perm_mod') end end describe 'Command' do @@ -75,7 +75,7 @@ expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-mount') + expect(audit_rule.key.uniq).to include('privileged') end end end diff --git a/controls/SV-204553.rb b/controls/SV-204553.rb index b0524040..f5051da4 100644 --- a/controls/SV-204553.rb +++ b/controls/SV-204553.rb 
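Review bot: Keying the mount syscall rules with `perm_mod` (a key conventionally used for chmod/chown-style permission-change rules) while the `/usr/bin/mount` path rule gets `privileged` splits one requirement across two unrelated keys, so `ausearch -k` can no longer pull all mount activity together and mount events are mixed into permission-modification searches during triage. The test in the @@ -65 hunk pins `include('perm_mod')` exactly, so a host configured with the DISA-published `privileged-mount` key fails the syscall check even though the check text's finding criterion is only that the b32 and b64 rules exist. Prefer one dedicated key for all three rules, e.g. keep `-k privileged-mount` and assert `include('privileged-mount')`, or stop pinning the key and assert on syscall, arch and auid fields alone.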
@@ -14,14 +14,14 @@ $ sudo grep -w "/usr/bin/umount" /etc/audit/audit.rules --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged If the command does not return any output, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "umount" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -53,7 +53,7 @@ expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-mount') + expect(audit_rule.key.uniq).to include('privileged') end end end diff --git a/controls/SV-204554.rb b/controls/SV-204554.rb index 95df529e..5e957069 100644 --- a/controls/SV-204554.rb +++ b/controls/SV-204554.rb 
@@ -14,14 +14,14 @@ $ sudo grep -w "/usr/sbin/postdrop" /etc/audit/audit.rules --a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix +-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged If the command does not return any output, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix +-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -53,7 +53,7 @@ expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-postfix') + expect(audit_rule.key.uniq).to include('privileged') end end end diff --git a/controls/SV-204555.rb b/controls/SV-204555.rb index c1ad3be1..990d0f0e 100644 --- a/controls/SV-204555.rb +++ b/controls/SV-204555.rb 
@@ -14,14 +14,14 @@ $ sudo grep -w "/usr/sbin/postqueue" /etc/audit/audit.rules --a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix +-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged If the command does not return any output, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix +-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -53,7 +53,7 @@ expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-postfix') + expect(audit_rule.key.uniq).to include('privileged') end end end diff --git a/controls/SV-204556.rb b/controls/SV-204556.rb index 9d141b7f..db16f5b5 100644 --- a/controls/SV-204556.rb +++ b/controls/SV-204556.rb 
@@ -13,14 +13,14 @@ $ sudo grep -w "/usr/libexec/openssh/ssh-keysign" /etc/audit/audit.rules --a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh +-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged If the command does not return any output, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh +-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -52,7 +52,7 @@ expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-ssh') + expect(audit_rule.key.uniq).to include('privileged') end end end diff --git a/controls/SV-204557.rb b/controls/SV-204557.rb index c2ae2197..1ce6459f 100644 --- a/controls/SV-204557.rb +++ b/controls/SV-204557.rb 
@@ -13,14 +13,14 @@ $ sudo grep -w "/usr/bin/crontab" /etc/audit/audit.rules --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-cron +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged If the command does not return any output, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-cron +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -52,7 +52,7 @@ expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-cron') + expect(audit_rule.key.uniq).to include('privileged') end end end diff --git a/controls/SV-204558.rb b/controls/SV-204558.rb index cef9f811..6ee4515d 100644 --- a/controls/SV-204558.rb +++ b/controls/SV-204558.rb 
@@ -12,14 +12,14 @@ $ sudo grep -w "/usr/sbin/pam_timestamp_check" /etc/audit/audit.rules --a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam +-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged If the command does not return any output, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam +-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -50,7 +50,7 @@ expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('privileged-pam') + expect(audit_rule.key.uniq).to include('privileged') end end end diff --git a/controls/SV-204559.rb b/controls/SV-204559.rb index 387c4a03..0361df4f 100644 --- a/controls/SV-204559.rb +++ b/controls/SV-204559.rb @@ -11,9 +11,9 @@ $ sudo grep -w "create_module" /etc/audit/audit.rules --a always,exit -F arch=b32 -S create_module -F auid>=1000 -F auid!=unset -k module-change +-a always,exit -F arch=b32 -S create_module -k module-change --a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change +-a always,exit -F arch=b64 -S create_module -k module-change If both the "b32" and "b64" audit rules are not defined for the "create_module" syscall, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. 
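Review bot: The new check rule `-a always,exit -F arch=b32 -S create_module -k module-change` (and its b64 twin) drops the `-F auid>=1000 -F auid!=unset` filters that every other syscall rule in this change keeps, including the init_module/finit_module rules of SV-204560 in the next file. The `desc 'fix'` text begins at the end of this hunk and continues outside it, so it is not visible whether the fix rule and the describe block were changed the same way; if they still carry the auid filters, a host configured exactly as the fix text says will not match what the check text says to look for, and a test that still asserts `auid>=1000` would contradict the check. Either keep the filters in the check rule or change check, fix and test together so all three describe one rule.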
diff --git a/controls/SV-204560.rb b/controls/SV-204560.rb index 22042ea2..870061fc 100644 --- a/controls/SV-204560.rb +++ b/controls/SV-204560.rb @@ -16,18 +16,18 @@ $ sudo grep init_module /etc/audit/audit.rules --a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange +-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module --a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange +-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module If both the "b32" and "b64" audit rules are not defined for the "init_module" and "finit_module" syscalls, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. Add or update the following rules in "/etc/audit/rules.d/audit.rules": --a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange +-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module --a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange +-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -65,7 +65,7 @@ expect(audit_rule.arch.uniq).to cmp 'b32' end expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include('modulechange') + expect(audit_rule.key.uniq).to include('module') end end end diff --git a/controls/SV-204562.rb b/controls/SV-204562.rb old mode 100644 new mode 100755 diff --git a/controls/SV-204563.rb b/controls/SV-204563.rb index 7081064b..445fa7c1 100644 --- a/controls/SV-204563.rb +++ b/controls/SV-204563.rb 
@@ -14,14 +14,14 @@ $ sudo grep "/usr/bin/kmod" /etc/audit/audit.rules --a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged If the command does not return any output, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "kmod" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged The audit daemon must be restarted for the changes to take effect.' impact 0.5 @@ -53,7 +53,7 @@ expect(audit_rule.action.uniq).to cmp 'always' expect(audit_rule.list.uniq).to cmp 'exit' expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key).to cmp 'modules' + expect(audit_rule.key).to cmp 'privileged' end end end diff --git a/controls/SV-204564.rb b/controls/SV-204564.rb index 697c634b..2f710598 100644 --- a/controls/SV-204564.rb +++ b/controls/SV-204564.rb 
@@ -10,12 +10,12 @@ disabling, and termination events that affect "/etc/passwd". Check the auditing rules in "/etc/audit/audit.rules" with the following command: # grep /etc/passwd /etc/audit/audit.rules - -w /etc/passwd -p wa -k identity + -w /etc/passwd -p wa -k audit_rules_usergroup_modification If the command does not return a line, or the line is commented out, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". Add or update the following rule "/etc/audit/rules.d/audit.rules": - -w /etc/passwd -p wa -k identity + -w /etc/passwd -p wa -k audit_rules_usergroup_modification The audit daemon must be restarted for the changes to take effect.' impact 0.5 tag legacy: ['SV-86821', 'V-72197'] @@ -43,7 +43,7 @@ it "#{audit_command} is audited properly" do audit_rule = auditd.file(audit_command) expect(audit_rule).to exist - expect(audit_rule.key).to cmp 'identity' + expect(audit_rule.key).to cmp 'audit_rules_usergroup_modification' expect(audit_rule.permissions.flatten).to include('w', 'a') end end diff --git a/controls/SV-204565.rb b/controls/SV-204565.rb index a018315c..7b5334e9 100644 --- a/controls/SV-204565.rb +++ b/controls/SV-204565.rb 
@@ -10,12 +10,12 @@ disabling, and termination events that affect "/etc/group". Check the auditing rules in "/etc/audit/audit.rules" with the following command: # grep /etc/group /etc/audit/audit.rules - -w /etc/group -p wa -k identity + -w /etc/group -p wa -k audit_rules_usergroup_modification If the command does not return a line, or the line is commented out, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". Add or update the following rule in "/etc/audit/rules.d/audit.rules": - -w /etc/group -p wa -k identity + -w /etc/group -p wa -k audit_rules_usergroup_modification The audit daemon must be restarted for the changes to take effect.' impact 0.5 tag legacy: ['SV-87817', 'V-73165'] @@ -42,7 +42,7 @@ it "#{audit_command} is audited properly" do audit_rule = auditd.file(audit_command) expect(audit_rule).to exist - expect(audit_rule.key).to cmp 'identity' + expect(audit_rule.key).to cmp 'audit_rules_usergroup_modification' expect(audit_rule.permissions.flatten).to include('w', 'a') end end diff --git a/controls/SV-204566.rb b/controls/SV-204566.rb old mode 100644 new mode 100755 index 9dc9979c..73763ed8 --- a/controls/SV-204566.rb +++ b/controls/SV-204566.rb 
@@ -10,12 +10,12 @@ disabling, and termination events that affect "/etc/gshadow". Check the auditing rules in "/etc/audit/audit.rules" with the following command: # grep /etc/gshadow /etc/audit/audit.rules - -w /etc/gshadow -p wa -k identity + -w /etc/gshadow -p wa -k audit_rules_usergroup_modification If the command does not return a line, or the line is commented out, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". Add or update the following rule in "/etc/audit/rules.d/audit.rules": - -w /etc/gshadow -p wa -k identity + -w /etc/gshadow -p wa -k audit_rules_usergroup_modification The audit daemon must be restarted for the changes to take effect.' impact 0.5 tag legacy: ['SV-87819', 'V-73167'] @@ -42,7 +42,7 @@ it "#{audit_command} is audited properly" do audit_rule = auditd.file(audit_command) expect(audit_rule).to exist - expect(audit_rule.key).to cmp 'identity' + expect(audit_rule.key).to cmp 'audit_rules_usergroup_modification' expect(audit_rule.permissions.flatten).to include('w', 'a') end end diff --git a/controls/SV-204567.rb b/controls/SV-204567.rb index 0837b80f..9d1cc60e 100644 --- a/controls/SV-204567.rb +++ b/controls/SV-204567.rb 
@@ -10,12 +10,12 @@ disabling, and termination events that affect /etc/shadow. Check the auditing rules in "/etc/audit/audit.rules" with the following command: # grep /etc/shadow /etc/audit/audit.rules - -w /etc/shadow -p wa -k identity + -w /etc/shadow -p wa -k audit_rules_usergroup_modification If the command does not return a line, or the line is commented out, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. Add or update the following file system rule in "/etc/audit/rules.d/audit.rules": - -w /etc/shadow -p wa -k identity + -w /etc/shadow -p wa -k audit_rules_usergroup_modification The audit daemon must be restarted for the changes to take effect.' impact 0.5 tag legacy: ['SV-87823', 'V-73171'] @@ -42,7 +42,7 @@ it "#{audit_command} is audited properly" do audit_rule = auditd.file(audit_command) expect(audit_rule).to exist - expect(audit_rule.key).to cmp 'identity' + expect(audit_rule.key).to cmp 'audit_rules_usergroup_modification' expect(audit_rule.permissions.flatten).to include('w', 'a') end end diff --git a/controls/SV-204568.rb b/controls/SV-204568.rb index 190790fb..17d6d400 100644 --- a/controls/SV-204568.rb +++ b/controls/SV-204568.rb 
@@ -10,12 +10,12 @@ disabling, and termination events that affect /etc/security/opasswd. Check the auditing rules in "/etc/audit/audit.rules" with the following command: # grep /etc/security/opasswd /etc/audit/audit.rules - -w /etc/security/opasswd -p wa -k identity + -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the command does not return a line, or the line is commented out, this is a finding.' desc 'fix', 'Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. Add or update the following file system rule in "/etc/audit/rules.d/audit.rules": - -w /etc/security/opasswd -p wa -k identity + -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification The audit daemon must be restarted for the changes to take effect: # systemctl restart auditd' impact 0.5 @@ -43,7 +43,7 @@ it "#{audit_command} is audited properly" do audit_rule = auditd.file(audit_command) expect(audit_rule).to exist - expect(audit_rule.key).to cmp 'identity' + expect(audit_rule.key).to cmp 'audit_rules_usergroup_modification' expect(audit_rule.permissions.flatten).to include('w', 'a') end end diff --git a/controls/SV-204576.rb b/controls/SV-204576.rb index ed92100a..198b29e7 100644 --- a/controls/SV-204576.rb +++ b/controls/SV-204576.rb 
@@ -1,24 +1,24 @@ control 'SV-204576' do - title "The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to #{input('maxlogins_limit')} for all - accounts and/or account types." - desc "Operating system management includes the ability to control the number of users and user sessions that + title 'The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all + accounts and/or account types.' + desc 'Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined - based on mission needs and the operational environment for each system." - desc 'check', "Verify the operating system limits the number of concurrent sessions to '#{input('maxlogins_limit')}' for all accounts and/or + based on mission needs and the operational environment for each system.' + desc 'check', 'Verify the operating system limits the number of concurrent sessions to "10" for all accounts and/or account types by issuing the following command: - # grep \"maxlogins\" /etc/security/limits.conf /etc/security/limits.d/*.conf - * hard maxlogins #{input('maxlogins_limit')} + # grep "maxlogins" /etc/security/limits.conf /etc/security/limits.d/*.conf + * hard maxlogins 10 This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. - If the \"maxlogins\" item is missing, commented out, or the value is not set to '#{input('maxlogins_limit')}' or less for all domains that have - the \"maxlogins\" item assigned, this is a finding." 
- desc 'fix', "Configure the operating system to limit the number of concurrent sessions to '#{input('maxlogins_limit')}' for all accounts + If the "maxlogins" item is missing, commented out, or the value is not set to "10" or less for all domains that have + the "maxlogins" item assigned, this is a finding.' + desc 'fix', 'Configure the operating system to limit the number of concurrent sessions to "10" for all accounts and/or account types. - Add the following line to the top of the /etc/security/limits.conf or in a \".conf\" file defined in + Add the following line to the top of the /etc/security/limits.conf or in a ".conf" file defined in /etc/security/limits.d/ : - * hard maxlogins #{input('maxlogins_limit')}" + * hard maxlogins 10' impact 0.3 tag legacy: ['V-72217', 'SV-86841'] tag severity: 'low' diff --git a/controls/SV-204578.rb b/controls/SV-204578.rb index 314fcb69..728a6241 100644 --- a/controls/SV-204578.rb +++ b/controls/SV-204578.rb 
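Review bot: `* hard maxlogins 10` and the `"10"` in the check and fix text replace `input('maxlogins_limit')`, so the documented threshold no longer follows the profile input while the describe block, which starts outside this hunk, presumably still compares against that input; a run with `maxlogins_limit` set to any other value then produces a finding whose text contradicts what was evaluated. The SV-204587 hunk later in this change shows that split explicitly: the text now says `ClientAliveInterval 600` while the test still reads `should cmp <= input('client_alive_interval')`. SV-204579 (`TMOUT=900`) and the DoD and banner strings in SV-204578, SV-204580 and SV-204595 have the same shape. If the inputs are being retired, pin the same constants in the tests too; if they are kept, keep the interpolation in the strings so the report text and the assertion cannot drift apart.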
@@ -1,16 +1,16 @@ control 'SV-204578' do - title "The Red Hat Enterprise Linux 7 operating system must implement #{input('org_name')[:acronym]}-approved encryption to protect the - confidentiality of SSH connections." - desc "Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and - therefore cannot be relied upon to provide confidentiality or integrity, and #{input('org_name')[:acronym]} data may be compromised. + title 'The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the + confidentiality of SSH connections.' + desc 'Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and + therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize - authentication that meets #{input('org_name')[:acronym]} requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general + authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. The system will attempt to use the first cipher presented by the client that matches the server list. Listing the - values \"strongest to weakest\" is a method to ensure the use of the strongest cipher available to secure the SSH - connection." + values "strongest to weakest" is a method to ensure the use of the strongest cipher available to secure the SSH + connection.' desc 'check', 'Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. 
diff --git a/controls/SV-204579.rb b/controls/SV-204579.rb index ee39cf38..9a12b66d 100644 --- a/controls/SV-204579.rb +++ b/controls/SV-204579.rb @@ -1,7 +1,7 @@ control 'SV-204579' do - title "The Red Hat Enterprise Linux operating system must be configured so that all network connections associated - with a communication session are terminated at the end of the session or after #{input('system_activity_timeout')/60} minutes of inactivity from the - user at a command prompt, except to fulfill documented and validated mission requirements." + title 'The Red Hat Enterprise Linux operating system must be configured so that all network connections associated + with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the + user at a command prompt, except to fulfill documented and validated mission requirements.' desc 'Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed 
@@ -11,21 +11,21 @@ application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.' - desc 'check', "Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity. + desc 'check', 'Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity. Check the value of the system inactivity timeout with the following command: $ sudo grep -irw tmout /etc/profile /etc/bashrc /etc/profile.d -etc/profile.d/tmout.sh:declare -xr TMOUT=#{input('system_activity_timeout')} +etc/profile.d/tmout.sh:declare -xr TMOUT=900 If conflicting results are returned, this is a finding. -If 'TMOUT' is not set to #{input('system_activity_timeout')} or less to enforce session termination after inactivity, this is a finding." - desc 'fix', "Configure the operating system to terminate all network connections associated with a communications +If "TMOUT" is not set to "900" or less to enforce session termination after inactivity, this is a finding.' + desc 'fix', 'Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity. Create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as: #!/bin/bash - declare -xr TMOUT=#{input('system_activity_timeout')}" + declare -xr TMOUT=900' impact 0.5 tag legacy: ['SV-86847', 'V-72223'] tag severity: 'medium' diff --git a/controls/SV-204580.rb b/controls/SV-204580.rb index 29e66554..8ece7e5d 100644 --- a/controls/SV-204580.rb +++ b/controls/SV-204580.rb 
@@ -1,38 +1,77 @@ control 'SV-204580' do - title "The Red Hat Enterprise Linux operating system must display the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent - Banner immediately prior to, or as part of, remote access logon prompts." - desc "Display of a standardized and approved use notification before granting access to the publicly accessible + title 'The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent + Banner immediately prior to, or as part of, remote access logon prompts.' + desc 'Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - The banner must be formatted in accordance with applicable #{input('org_name')[:acronym]} policy. Use the following verbiage for operating + The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: - \"#{input('banner_message_text_ral')}\" " - desc 'check', "Verify any publicly accessible connection to the operating system displays the Standard Mandatory - #{input('org_name')[:acronym]} Notice and Consent Banner before granting access to the system. + "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
+ By using this IS (which includes any device attached to this IS), you consent to the following conditions: + -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, + penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement + (LE), and counterintelligence (CI) investigations. + -At any time, the USG may inspect and seize data stored on this IS. + -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, + and search, and may be disclosed or used for any USG-authorized purpose. + -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for + your personal benefit or privacy. + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or + monitoring of the content of privileged communications, or work product, related to personal representation or + services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are + private and confidential. See User Agreement for details."' + desc 'check', 'Verify any publicly accessible connection to the operating system displays the Standard Mandatory + DoD Notice and Consent Banner before granting access to the system. Check for the location of the banner file being used with the following command: # grep -i banner /etc/ssh/sshd_config banner /etc/issue This command will return the banner keyword and the name of the file that contains the ssh banner (in this case - \"/etc/issue\"). + "/etc/issue"). If the line is commented out, this is a finding. 
- View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory #{input('org_name')[:acronym]} Notice + View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DoD Notice and Consent Banner: - \"#{input('banner_message_text_ral')}\" - If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory #{input('org_name')[:acronym]} + "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + By using this IS (which includes any device attached to this IS), you consent to the following conditions: + -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, + penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement + (LE), and counterintelligence (CI) investigations. + -At any time, the USG may inspect and seize data stored on this IS. + -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, + and search, and may be disclosed or used for any USG-authorized purpose. + -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for + your personal benefit or privacy. + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or + monitoring of the content of privileged communications, or work product, related to personal representation or + services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are + private and confidential. See User Agreement for details." + If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding. 
- If the text in the file does not match the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner, this is a finding." - desc 'fix', "Configure the operating system to display the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner before + If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.' + desc 'fix', 'Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh. - Edit the \"/etc/ssh/sshd_config\" file to uncomment the banner keyword and configure it to point to a file that will + Edit the "/etc/ssh/sshd_config" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is: banner /etc/issue - Either create the file containing the banner or replace the text in the file with the Standard Mandatory #{input('org_name')[:acronym]} Notice - and Consent Banner. The #{input('org_name')[:acronym]} required text is: - \"#{input('banner_message_text_ral')}\" - The SSH service must be restarted for changes to take effect." + Either create the file containing the banner or replace the text in the file with the Standard Mandatory DoD Notice + and Consent Banner. The DoD required text is: + "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
+ By using this IS (which includes any device attached to this IS), you consent to the following conditions: + -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, + penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement + (LE), and counterintelligence (CI) investigations. + -At any time, the USG may inspect and seize data stored on this IS. + -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, + and search, and may be disclosed or used for any USG-authorized purpose. + -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for + your personal benefit or privacy. + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or + monitoring of the content of privileged communications, or work product, related to personal representation or + services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are + private and confidential. See User Agreement for details." + The SSH service must be restarted for changes to take effect.' impact 0.5 tag legacy: ['V-72225', 'SV-86849'] tag severity: 'medium' diff --git a/controls/SV-204584.rb b/controls/SV-204584.rb old mode 100644 new mode 100755 diff --git a/controls/SV-204587.rb b/controls/SV-204587.rb index 00089c4b..44e2a484 100644 --- a/controls/SV-204587.rb +++ b/controls/SV-204587.rb 
@@ -1,7 +1,7 @@ control 'SV-204587' do - title "The Red Hat Enterprise Linux operating system must be configured so that all network connections associated - with SSH traffic are terminated at the end of the session or after #{input('client_alive_interval')/60} minutes of inactivity, except to fulfill - documented and validated mission requirements." + title 'The Red Hat Enterprise Linux operating system must be configured so that all network connections associated + with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill + documented and validated mission requirements.' desc 'Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the 
@@ -11,21 +11,21 @@ application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.' - desc 'check', "Verify the operating system automatically terminates a user session after inactivity time-outs have + desc 'check', 'Verify the operating system automatically terminates a user session after inactivity time-outs have expired. - Check for the value of the \"ClientAliveInterval\" keyword with the following command: + Check for the value of the "ClientAliveInterval" keyword with the following command: # grep -iw clientaliveinterval /etc/ssh/sshd_config - ClientAliveInterval #{input('client_alive_interval')} - If \"ClientAliveInterval\" is not configured, commented out, or has a value of \"0\", this is a finding. - If \"ClientAliveInterval\" has a value that is greater than \"#{input('client_alive_interval')}\" and is not documented with the Information System - Security Officer (ISSO) as an operational requirement, this is a finding." - desc 'fix', "Configure the operating system to automatically terminate a user session after inactivity time-outs + ClientAliveInterval 600 + If "ClientAliveInterval" is not configured, commented out, or has a value of "0", this is a finding. + If "ClientAliveInterval" has a value that is greater than "600" and is not documented with the Information System + Security Officer (ISSO) as an operational requirement, this is a finding.' + desc 'fix', 'Configure the operating system to automatically terminate a user session after inactivity time-outs have expired or at shutdown. 
- Add the following line (or modify the line to have the required value) to the \"/etc/ssh/sshd_config\" file (this file + Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): - ClientAliveInterval #{input('client_alive_interval')} - The SSH service must be restarted for changes to take effect." + ClientAliveInterval 600 + The SSH service must be restarted for changes to take effect.' impact 0.5 tag legacy: ['V-72237', 'SV-86861'] tag severity: 'medium' @@ -51,7 +51,8 @@ # convert it to an integer using to_i it will convert it to 0 and pass the # <= client_alive_interval check. However, the control as a whole will still fail. describe sshd_config do - its('ClientAliveInterval') { should be_between(1, input('client_alive_interval')) } + # its('ClientAliveInterval') { should be_between(1, input('client_alive_interval')) } + its('ClientAliveInterval') { should cmp <= input('client_alive_interval') } its('ClientAliveInterval') { should_not eq nil } end end diff --git a/controls/SV-204595.rb b/controls/SV-204595.rb index 853af0f7..4541cc90 100644 --- a/controls/SV-204595.rb +++ b/controls/SV-204595.rb 
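Review bot: Replacing `be_between(1, …)` with `its('ClientAliveInterval') { should cmp <= input('client_alive_interval') }` drops the lower bound, so an explicit `ClientAliveInterval 0`, which disables the idle timeout and which this file's own check text calls a finding, now satisfies both expectations; `should_not eq nil` only catches an absent keyword. Keep a lower bound next to the new comparison, e.g. add `its('ClientAliveInterval') { should cmp > 0 }`. The commented-out old expectation should be deleted rather than left in place. The enclosing conditional around `describe sshd_config do` starts before this hunk.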
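Review bot: `elsif os.release.to_f >= 2.0` is also satisfied by every RHEL 7 release (7.0 >= 2.0), so on a RHEL host the not-applicable branch now fires for 7.0 through 7.3 as well, the releases the compression check was written for; the replaced `>= 7.4` guard was the one that expressed the requirement. The new skip message also asserts a specific package build (openssh 7.4p1-22.amzn2.0.3) that nothing in the code verifies, so the message can become false after a package update without the control noticing. Gate on the platform rather than on a bare release number, e.g. `elsif os.name == 'amazon' && os.release.to_f >= 2.0`, keep the original `elsif os.release.to_f >= 7.4` branch for RHEL, and if the installed OpenSSH version is the real basis for skipping, compare `package('openssh').version` instead of naming a build in the message. The `if`/`elsif` chain this hunk edits starts and ends outside it.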
@@ -1,25 +1,25 @@ control 'SV-204595' do - title "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to - only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms." - desc "#{input('org_name')[:acronym]} information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 + title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to + only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.' + desc 'DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA. The system will attempt to use the first hash presented by the client that matches the server list. Listing the - values \"strongest to weakest\" is a method to ensure the use of the strongest hash available to secure the SSH - connection." - desc 'check', "Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes. + values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH + connection.' + desc 'check', 'Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes. Note: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes. Check that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes with the following command: # grep -i macs /etc/ssh/sshd_config MACs hmac-sha2-512,hmac-sha2-256 - If any hashes other than \"hmac-sha2-512\" or \"hmac-sha2-256\" are listed, the order differs from the example above, - they are missing, or the returned line is commented out, this is a finding." 
- desc 'fix', "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"MACs\" keyword and set its - value to \"hmac-sha2-512\" and/or \"hmac-sha2-256\" (this file may be named differently or be in a different location if + If any hashes other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, + they are missing, or the returned line is commented out, this is a finding.' + desc 'fix', 'Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its + value to "hmac-sha2-512" and/or "hmac-sha2-256" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): MACs hmac-sha2-512,hmac-sha2-256 - The SSH service must be restarted for changes to take effect." + The SSH service must be restarted for changes to take effect.' impact 0.5 tag legacy: ['SV-86877', 'V-72253'] tag severity: 'medium' diff --git a/controls/SV-204602.rb b/controls/SV-204602.rb index fa7983ba..b49f0d76 100644 --- a/controls/SV-204602.rb +++ b/controls/SV-204602.rb @@ -38,10 +38,11 @@ skip 'Control not applicable - SSH is not installed within containerized RHEL' end - elsif os.release.to_f >= 7.4 + elsif os.release.to_f >= 2.0 impact 0.0 describe "The release is #{os.release}" do - skip 'For RHEL 7.4 and above, this requirement is not applicable.' + # skip 'For RHEL 7.4 and above, this requirement is not applicable.' + skip 'For Amazon Linux 2, openssh.x86_64:7.4p1-22.amzn2.0.3 is installed. OpenSSH 7.4p1 or later has disabled compression by default and only allows compression after successful authentication. Hence this check is not applicable.' end else diff --git a/controls/SV-204603.rb b/controls/SV-204603.rb index 4ddce3cd..b3aa50bc 100644 --- a/controls/SV-204603.rb +++ b/controls/SV-204603.rb 
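Review bot: `elsif os.release.to_f >= 2.0` is true for every RHEL 7.x release as well as Amazon Linux 2, so the compression check is now skipped unconditionally, including on RHEL 7.0–7.3 where the previous `>= 7.4` guard kept it live. Because the stated rationale is the OpenSSH version rather than the OS release, gate on the platform explicitly, e.g. `elsif (os.name == 'amazon' && os.release.to_f >= 2.0) || os.release.to_f >= 7.4`, or compare `package('openssh').version` against 7.4. The skip message also hardcodes `openssh.x86_64:7.4p1-22.amzn2.0.3`, which will be wrong after the next package update; interpolate `package('openssh').version` instead and drop the commented-out old skip line. The enclosing `if`/`elsif`/`else` chain starts and ends outside this hunk.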
@@ -1,7 +1,7 @@ control 'SV-204603' do - title "The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server + title 'The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server - designated for the appropriate #{input('org_name')[:acronym]} network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." + designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).' desc 'Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. 
@@ -97,27 +97,27 @@ end end - if service('chronyd').installed? - time_service = service('chronyd') - time_sources = ntp_conf('/etc/chrony.conf').server - max_poll_values = time_sources.map do |val| - if val.match?(/.*maxpoll.*/) - val.gsub(/.*maxpoll\s+(\d+)(\s+.*|$)/, - '\1').to_i - else - 99 - end - end + # if service('chronyd').installed? + # time_service = service('chronyd') + # time_sources = ntp_conf('/etc/chrony.conf').server + # max_poll_values = time_sources.map do |val| + # if val.match?(/.*maxpoll.*/) + # val.gsub(/.*maxpoll\s+(\d+)(\s+.*|$)/, + # '\1').to_i + # else + # 99 + # end + # end - describe 'chronyd time sources list' do - subject { time_sources } - it { should_not be_empty } - end + # describe 'chronyd time sources list' do + # subject { time_sources } + # it { should_not be_empty } + # end - # All time sources must contain valid maxpoll entries - describe 'chronyd maxpoll values (99=maxpoll absent)' do - subject { max_poll_values } - it { should all be <= input('maxpoll') } - end - end + # # All time sources must contain valid maxpoll entries + # describe 'chronyd maxpoll values (99=maxpoll absent)' do + # subject { max_poll_values } + # it { should all be <= input('maxpoll') } + # end + # end end diff --git a/controls/SV-204605.rb b/controls/SV-204605.rb old mode 100644 new mode 100755 diff --git a/controls/SV-204616.rb b/controls/SV-204616.rb old mode 100644 new mode 100755 diff --git a/controls/SV-204618.rb b/controls/SV-204618.rb old mode 100644 new mode 100755 diff --git a/controls/SV-204619.rb b/controls/SV-204619.rb index 20cfd5d4..1e8005c4 100644 --- a/controls/SV-204619.rb +++ b/controls/SV-204619.rb 
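Review bot: Commenting out the entire chronyd branch leaves SV-204603 with no time-source or `maxpoll` test on hosts that run chronyd, the default NTP client on RHEL 7 and Amazon Linux 2, so the control can pass with an empty `server` list or an unbounded polling interval. If chronyd is genuinely not used in the target environment, express that as a conditional skip with a reason inside the `if service('chronyd').installed?` branch, e.g. `skip 'chronyd polling is not evaluated: <reason placeholder>'`, rather than leaving dead commented code, and keep the original tests for environments where it is used. The `maxpoll` input is still declared in inspec.yml in this commit (`#SV-204603` further down), so it now appears to have no live consumer unless another control reads it. The enclosing `control` block starts outside this hunk.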
@@ -31,15 +31,21 @@ tag 'container' if package('postfix').installed? - options = { assignment_regex: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/ } + # options = { assignment_regex: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/ } + options = { assignment_regex: /^\s*([^\s=]+)\s*=\s*(.*)\s*$/ } - if defined? parse_config_file('/etc/postfix/main.cf', options).params['smtpd_client_restrictions'] - pf_config = parse_config_file('/etc/postfix/main.cf', options).params['smtpd_client_restrictions'].split(',') - end + # if defined? parse_config_file('/etc/postfix/main.cf', options).params['smtpd_client_restrictions'] + # pf_config = parse_config_file('/etc/postfix/main.cf', options).params['smtpd_client_restrictions'].split(',') + # end + # describe 'Postfix config setting smptd_client_restrictions' do + # it "should be set to 'permit_mynetworks', 'reject', or both" do + # expect(pf_config).to all satisfy { |x| ['permit_mynetworks', 'reject'].include?(x) } + # end + # end describe 'Postfix config setting smptd_client_restrictions' do it "should be set to 'permit_mynetworks', 'reject', or both" do - expect(pf_config).to all satisfy { |x| ['permit_mynetworks', 'reject'].include?(x) } + expect(parse_config_file('/etc/postfix/main.cf', options).params['smtpd_client_restrictions']).to eq 'permit_mynetworks,reject' end end else diff --git a/controls/SV-204631.rb b/controls/SV-204631.rb index 08b60bc6..a40e42a9 100644 --- a/controls/SV-204631.rb +++ b/controls/SV-204631.rb 
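Review bot: The new assertion `expect(...).to eq 'permit_mynetworks,reject'` demands one exact string, but the describe title still promises "'permit_mynetworks', 'reject', or both", and either value alone, the two reversed, or `permit_mynetworks, reject` with a space after the comma (which Postfix accepts) now fails. The regex also went from non-greedy `(.*?)\s*$` to greedy `(.*)\s*$`, so the captured value keeps any trailing whitespace, which makes an exact `eq` even more brittle. Parse the value defensively and keep the set-based check, as below; the commented-out `if defined? …` block and the duplicate commented describe can be deleted outright. The enclosing `if package('postfix').installed?` / `else` runs past the end of this hunk.
```ruby
  if package('postfix').installed?
    options = { assignment_regex: /^\s*([^\s=]+)\s*=\s*(.*?)\s*$/ }
    restrictions = parse_config_file('/etc/postfix/main.cf', options).params['smtpd_client_restrictions'].to_s
    pf_config = restrictions.split(/\s*,\s*/).reject(&:empty?)

    describe 'Postfix config setting smptd_client_restrictions' do
      it "should be set to 'permit_mynetworks', 'reject', or both" do
        expect(pf_config).not_to be_empty
        expect(pf_config).to all satisfy { |x| %w[permit_mynetworks reject].include?(x) }
      end
    end
  # … unchanged: else branch …
```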
@@ -1,19 +1,19 @@ control 'SV-204631' do title 'The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed.' - desc "Using an authentication device, such as a CAC or token that is separate from the information system, ensures + desc 'Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. - Government Personal Identity Verification card and the #{input('org_name')[:acronym]} Common Access Card. + Government Personal Identity Verification card and the DoD Common Access Card. A privileged account is defined as an information system account with authorizations of a privileged user. - Remote access is access to #{input('org_name')[:acronym]} nonpublic information systems by an authorized user (or an information system) + Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of - configuring the device itself (management)." + configuring the device itself (management).' desc 'check', 'Verify the operating system has the packages required for multifactor authentication installed. 
Check for the presence of the packages required to support multifactor authentication with the following commands: # yum list installed pam_pkcs11 diff --git a/controls/SV-204632.rb b/controls/SV-204632.rb index 1a4896ed..be1e1dfa 100644 --- a/controls/SV-204632.rb +++ b/controls/SV-204632.rb 
@@ -1,19 +1,19 @@ control 'SV-204632' do title 'The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).' - desc "Using an authentication device, such as a CAC or token that is separate from the information system, ensures + desc 'Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. - Government Personal Identity Verification card and the #{input('org_name')[:acronym]} Common Access Card. + Government Personal Identity Verification card and the DoD Common Access Card. A privileged account is defined as an information system account with authorizations of a privileged user. - Remote access is access to #{input('org_name')[:acronym]} nonpublic information systems by an authorized user (or an information system) + Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of - configuring the device itself (management)." + configuring the device itself (management).' desc 'check', 'Verify the operating system implements multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM). 
Check the "/etc/sssd/sssd.conf" file for the authentication services that are being used with the following command: diff --git a/controls/SV-204633.rb b/controls/SV-204633.rb old mode 100644 new mode 100755 index d9e5aab0..058f2350 --- a/controls/SV-204633.rb +++ b/controls/SV-204633.rb 
@@ -1,19 +1,19 @@ control 'SV-204633' do title 'The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication.' - desc "Using an authentication device, such as a CAC or token that is separate from the information system, ensures + desc 'Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. - Government Personal Identity Verification card and the #{input('org_name')[:acronym]} Common Access Card. + Government Personal Identity Verification card and the DoD Common Access Card. A privileged account is defined as an information system account with authorizations of a privileged user. - Remote access is access to #{input('org_name')[:acronym]} nonpublic information systems by an authorized user (or an information system) + Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of - configuring the device itself (management)." + configuring the device itself (management).' desc 'check', 'Verify the operating system implements certificate status checking for PKI authentication. diff --git a/controls/SV-214937.rb b/controls/SV-214937.rb index 80c724d9..27ae8d8c 100644 --- a/controls/SV-214937.rb 
+++ b/controls/SV-214937.rb @@ -23,15 +23,15 @@ /org/gnome/desktop/screensaver/lock-enabled If the command does not return a result, this is a finding.' - desc 'fix', "Configure the operating system to prevent a user from overriding a screensaver lock after a #{input('system_activity_timeout')/60}-minute + desc 'fix', 'Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - Note: The example below is using the database \"local\" for the system, so if the system is using another database in - \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory. + Note: The example below is using the database "local" for the system, so if the system is using another database in + "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. # touch /etc/dconf/db/local.d/locks/session Add the setting to lock the screensaver lock-enabled setting: - /org/gnome/desktop/screensaver/lock-enabled" + /org/gnome/desktop/screensaver/lock-enabled' impact 0.5 tag legacy: ['V-78995', 'SV-93701'] tag severity: 'medium' diff --git a/controls/SV-237634.rb b/controls/SV-237634.rb old mode 100644 new mode 100755 diff --git a/controls/SV-250312.rb b/controls/SV-250312.rb old mode 100644 new mode 100755 diff --git a/controls/SV-254523.rb b/controls/SV-254523.rb index 6e0c2031..7c795802 100644 --- a/controls/SV-254523.rb +++ b/controls/SV-254523.rb 
@@ -1,23 +1,23 @@ control 'SV-254523' do - title "The Red Hat Enterprise Linux operating system emergency accounts must be automatically removed or disabled after the crisis is resolved or within #{input('emergency_account_disable')} hours." + title 'The Red Hat Enterprise Linux operating system emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours.' desc "Emergency accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. To address access requirements, many RHEL systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements." - desc 'check', "Verify emergency accounts have been provisioned with an expiration date of #{input('emergency_account_disable')} hours. + desc 'check', 'Verify emergency accounts have been provisioned with an expiration date of 72 hours. For every existing emergency account, run the following command to obtain its account expiration information. 
$ sudo chage -l system_account_name -Verify each of these accounts has an expiration date set within #{input('emergency_account_disable')} hours. -If any emergency accounts have no expiration date set or do not expire within #{input('emergency_account_disable')} hours, this is a finding." - desc 'fix', "If an emergency account must be created, configure the system to terminate the account after #{input('emergency_account_disable')} hours with the following command to set an expiration date for the account. Substitute \"system_account_name\" with the account to be created. +Verify each of these accounts has an expiration date set within 72 hours. +If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding.' + desc 'fix', 'If an emergency account must be created, configure the system to terminate the account after 72 hours with the following command to set an expiration date for the account. Substitute "system_account_name" with the account to be created. -$ sudo chage -E `date -d '+#{input('emergency_account_disable')/24} days' +%Y-%m-%d` system_account_name +$ sudo chage -E `date -d "+3 days" +%Y-%m-%d` system_account_name -The automatic expiration or disabling time period may be extended as needed until the crisis is resolved." +The automatic expiration or disabling time period may be extended as needed until the crisis is resolved.' impact 0.5 tag check_id: 'C-58007r858499_chk' tag severity: 'medium' @@ -40,7 +40,7 @@ else emergency_accounts.each do |acct| describe user(acct.to_s) do - its('maxdays') { should cmp <= (input('emergency_account_disable')/24) } + its('maxdays') { should cmp <= 3 } its('maxdays') { should cmp > 0 } end end diff --git a/controls/SV-255926.rb b/controls/SV-255926.rb index c5170ebc..feaacdc3 100644 --- a/controls/SV-255926.rb +++ b/controls/SV-255926.rb 
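Review bot: `its('maxdays') { should cmp <= 3 }` hardcodes a number that also appears in the title, the check text and the fix text's `date -d "+3 days"`, and drops the only visible consumer of the `emergency_account_disable` input; four copies of one policy value now have to be edited together, and if the input is still declared in inspec.yml (its declaration is not in this diff) it is silently dead. Keep `its('maxdays') { should cmp <= (input('emergency_account_disable') / 24) }`, or remove the input in the same commit and say so in the description. Separately, and pre-existing, the `user` resource's `maxdays` is the password-age maximum (`chage -M`) while the check text describes an account expiration date (`chage -E`); worth confirming the property measures what the control claims. The `emergency_accounts.each` loop and its enclosing `if`/`else` start outside this hunk.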
@@ -16,7 +16,7 @@ tmux-1.8-4.el7.x86_64.rpm If either the screen package or the tmux package is not installed, this is a finding.' - desc 'fix', "Install the screen package to allow the initiation of a session lock after a #{input('system_activity_timeout')/60}-minute period of inactivity. + desc 'fix', 'Install the screen package to allow the initiation of a session lock after a 15-minute period of inactivity. Install the screen program (if it is not on the system) with the following command: @@ -26,7 +26,7 @@ Install the tmux program (if it is not on the system) with the following command: - # yum install tmux" + # yum install tmux' impact 0.5 tag check_id: 'C-59603r880777_chk' tag severity: 'medium' diff --git a/controls/SV-255928.rb b/controls/SV-255928.rb index ee9434b9..53e09c7c 100644 --- a/controls/SV-255928.rb +++ b/controls/SV-255928.rb 
@@ -1,7 +1,7 @@ control 'SV-255928' do - title "The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility." - desc "When using the authconfig utility to modify authentication configuration settings, the \"system-auth\" and \"password-auth\" files and any custom settings that they may contain are overwritten. This can be avoided by creating new local configuration files and creating new or moving existing symbolic links to them. The authconfig utility will recognize the local configuration files and not overwrite them, while writing its own settings to the original configuration files." - desc 'check', "Verify \"system-auth\" and \"password-auth\" files are symbolic links pointing to \"system-auth-local\" and \"password-auth-local\": + title 'The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility.' + desc 'When using the authconfig utility to modify authentication configuration settings, the "system-auth" and "password-auth" files and any custom settings that they may contain are overwritten. This can be avoided by creating new local configuration files and creating new or moving existing symbolic links to them. The authconfig utility will recognize the local configuration files and not overwrite them, while writing its own settings to the original configuration files.' + desc 'check', 'Verify "system-auth" and "password-auth" files are symbolic links pointing to "system-auth-local" and "password-auth-local": $ sudo ls -l /etc/pam.d/{password,system}-auth lrwxrwxrwx. 1 root root 30 Apr 1 11:59 /etc/pam.d/password-auth -> /etc/pam.d/password-auth-local 
@@ -9,8 +9,8 @@ If system-auth and password-auth files are not symbolic links, this is a finding. -If system-auth and password-auth are symbolic links but do not point to \"system-auth-local\" and \"password-auth-local\", this is a finding." - desc 'fix', "Create custom configuration files and their corresponding symbolic links: +If system-auth and password-auth are symbolic links but do not point to "system-auth-local" and "password-auth-local", this is a finding.' + desc 'fix', 'Create custom configuration files and their corresponding symbolic links: Rename the existing configuration files (skip this step if symbolic links are already present): $ sudo mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac @@ -21,15 +21,15 @@ The new file, at minimum, must contain the following lines: -auth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')} +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 auth include system-auth-ac auth sufficient pam_unix.so try_first_pass -auth [default=die] pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')} +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 account required pam_faillock.so account include system-auth-ac -password requisite pam_pwhistory.so use_authtok remember=#{input('min_reuse_generations')} retry=#{input('retry')} +password requisite pam_pwhistory.so use_authtok remember=5 retry=3 password include system-auth-ac password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok 
@@ -40,15 +40,15 @@ The new file, at minimum, must contain the following lines: -auth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')} +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 auth include password-auth-ac auth sufficient pam_unix.so try_first_pass -auth [default=die] pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')} +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 account required pam_faillock.so account include password-auth-ac -password requisite pam_pwhistory.so use_authtok remember=#{input('min_reuse_generations')} retry=#{input('retry')} +password requisite pam_pwhistory.so use_authtok remember=5 retry=3 password include password-auth-ac password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok @@ -70,7 +70,7 @@ Done. -Note: With this solution in place any custom settings to \"system-auth\" and \"password-auth\" will be retained and not overwritten by the use of the authconfig utility. The authconfig utility will write its settings to \"system-auth-ac\" and \"password-auth-ac\" and continue to function as expected." +Note: With this solution in place any custom settings to "system-auth" and "password-auth" will be retained and not overwritten by the use of the authconfig utility. The authconfig utility will write its settings to "system-auth-ac" and "password-auth-ac" and continue to function as expected.' impact 0.5 tag check_id: 'C-59605r880828_chk' tag severity: 'medium' 
@@ -91,13 +91,13 @@ if file('/etc/pam.d/system-auth').symlink? && file('/etc/pam.d/system-auth').link_path == '/etc/pam.d/system-auth-local' describe '/etc/pam.d/system-auth-local should contain the minimum configuration settings' do subject { parse_config_file('/etc/pam.d/system-auth-local').content.strip } - it { should match /auth.*required.*pam_faillock.so.*preauth.*silent.*audit.*deny=#{input('unsuccessful_attempts')}.*even_deny_root.*fail_interval=#{input('fail_interval')}.*unlock_time=#{input('lockout_time')}/ } + it { should match /auth.*required.*pam_faillock.so.*preauth.*silent.*audit.*deny=3.*even_deny_root.*fail_interval=900.*unlock_time=900/ } it { should match /auth.*include.*system-auth-ac/ } it { should match /auth.*sufficient.*pam_unix.so.*try_first_pass/ } - it { should match /auth.*default=die.*pam_faillock.so.*authfail.*audit.*deny=#{input('unsuccessful_attempts')}.*even_deny_root.*fail_interval=#{input('fail_interval')}.*unlock_time=#{input('lockout_time')}/ } + it { should match /auth.*default=die.*pam_faillock.so.*authfail.*audit.*deny=3.*even_deny_root.*fail_interval=900.*unlock_time=900/ } it { should match /account.*required.*pam_faillock.so/ } it { should match /account.*include.*system-auth-ac/ } - it { should match /password.*requisite.*pam_pwhistory.so.*use_authtok.*remember=#{input('min_reuse_generations')}.*retry=#{input('retry')}/ } + it { should match /password.*requisite.*pam_pwhistory.so.*use_authtok.*remember=5.*retry=3/ } it { should match /password.*include.*system-auth-ac/ } it { should match /password.*sufficient.*pam_unix.so.*sha512.*shadow.*try_first_pass.*use_authtok/ } it { should match /session.*include.*system-auth-ac/ } 
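Review bot: These regexes now pin `unlock_time=900`, but inspec.yml in this same commit raises the `lockout_time` input to 604800, so a host configured to the profile's own input fails this control while SV-204427, which the deleted inspec.yml comment attributes `lockout_time` to, presumably expects 604800; the same applies to the `password-auth-local` hunk that follows and to the fix-text hunks above. Keep the interpolations (`deny=#{input('unsuccessful_attempts')}`, `unlock_time=#{input('lockout_time')}`, `remember=#{input('min_reuse_generations')}`) so that one input drives text, regex and the sibling controls. If a single literal is really wanted, change the `lockout_time` default and this control together so the profile does not contradict itself. The `if file('/etc/pam.d/system-auth').symlink? …` block that wraps this describe ends outside the hunk.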
@@ -113,13 +113,13 @@ describe '/etc/pam.d/password-auth-local should contain the minimum configuration settings' do subject { parse_config_file('/etc/pam.d/password-auth-local').content.strip } - it { should match /auth.*required.*pam_faillock.so.*preauth.*silent.*audit.*deny=#{input('unsuccessful_attempts')}.*even_deny_root.*fail_interval=#{input('fail_interval')}.*unlock_time=#{input('lockout_time')}/ } + it { should match /auth.*required.*pam_faillock.so.*preauth.*silent.*audit.*deny=3.*even_deny_root.*fail_interval=900.*unlock_time=900/ } it { should match /auth.*include.*password-auth-ac/ } it { should match /auth.*sufficient.*pam_unix.so.*try_first_pass/ } - it { should match /auth.*default=die.*pam_faillock.so.*authfail.*audit.*deny=#{input('unsuccessful_attempts')}.*even_deny_root.*fail_interval=#{input('fail_interval')}.*unlock_time=#{input('lockout_time')}/ } + it { should match /auth.*default=die.*pam_faillock.so.*authfail.*audit.*deny=3.*even_deny_root.*fail_interval=900.*unlock_time=900/ } it { should match /account.*required.*pam_faillock.so/ } it { should match /account.*include.*password-auth-ac/ } - it { should match /password.*requisite.*pam_pwhistory.so.*use_authtok.*remember=#{input('min_reuse_generations')}.*retry=#{input('retry')}/ } + it { should match /password.*requisite.*pam_pwhistory.so.*use_authtok.*remember=5.*retry=3/ } it { should match /password.*include.*password-auth-ac/ } it { should match /password.*sufficient.*pam_unix.so.*sha512.*shadow.*try_first_pass.*use_authtok/ } it { should match /session.*include.*password-auth-ac/ } diff --git a/inspec.yml b/inspec.yml index 9fac01b0..f257833d 100644 --- a/inspec.yml +++ b/inspec.yml 
@@ -1,11 +1,11 @@ -name: redhat-enterprise-linux-7-stig-baseline +name: RHEL_7_STIG title: Red Hat Enterprise Linux 7 Security Technical Implementation Guide maintainer: MITRE SAF Team copyright: MITRE, 2022 copyright_email: saf@groups.mitre.org license: Apache-2.0 summary: "Inspec Validation Profile for Red Hat Enterprise Linux 7 STIG" -version: 3.10.1 +version: 3.10.0 inspec_version: ">= 4.26" supports: @@ -18,32 +18,11 @@ supports: # The following defines the default inputs for the configurable controls used in the RHEL 7 DISA STIG. inputs: - # SV-204393, SV-204394, SV-204395, SV-204397, SV-204426, SV-204431, SV-204447, SV-204448 - # SV-204578, SV-204580, SV-204595, SV-204603, SV-204631, SV-204632, SV-204633 - - name: org_name - desc: "Name of the organization running this profile" - type: Hash - value: - acronym: "DoD" - full_form: "Department of Defense" - - name: disable_slow_controls desc: Controls that are known to consistently have long run times can be disabled with this attribute type: Boolean value: false - # SV-204513, SV-204514 - - name: storage_volume - desc: Maximum amount of space (in percentage) used by the audit storage volume - type: Numeric - value: 75 - - # SV-204513 - - name: min_space_left - desc: Minimum amount of space (in percentage) left in the audit storage volume - type: Numeric - value: 25 - # SV-204504 - name: monitor_kernel_log desc: Set this to false if your system availability concern is not documented or there is no monitoring of the kernel log 
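Review bot: `version` goes backwards from 3.10.1 to 3.10.0 and `name` changes from `redhat-enterprise-linux-7-stig-baseline` to `RHEL_7_STIG`; any wrapper or overlay profile that depends on the baseline by name stops resolving, and a decreasing version breaks `>=` dependency constraints and cache invalidation for anyone already on 3.10.1. If this is a site-specific fork, move the version forward rather than back and keep the upstream name, or update every dependent profile in the same change.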
@@ -56,12 +35,28 @@ inputs: type: Array value: - "/etc/issue" + - "/run/lsm" + - "/run/lsm/ipc" + - "/etc/cron.daily" + - "/etc/cron.hourly" + - "/etc/cron.monthly" + - "/etc/cron.weekly" + - "/etc/crontab" + - "/etc/cron.d" + - "/var/ossec/logs/ossec.json" + - "/boot/initramfs-4.14.322-244.539.amzn2.x86_64.img" + - "/boot/initramfs-4.14.322-244.536.amzn2.x86_64.img" + - "/etc/at.deny" + - "/var/lib/logrotate/logrotate.status" + - "/var/ossec/logs/api.log" + - "/etc/selinux/targeted/active/users_extra" + - "/etc/selinux/targeted/active/seusers" # SV-214799 - name: rpm_verify_integrity_except desc: List of system files that should be allowed to change from an rpm verify point of view type: Array - value: [] + value: ['/var/ossec/etc/localtime'] # SV-204393 - name: banner_message_enabled @@ -81,7 +76,6 @@ inputs: type: Boolean value: false - # SV-204460 - name: user_accounts desc: Accounts of known managed users type: Array @@ -111,6 +105,20 @@ inputs: - "systemd-network" - "sshd" - "ntp" + - "games" + - "ftp" + - "rpc" + - "libstoragemgmt" + - "rngd" + - "rpcuser" + - "nfsnobody" + - "ec2-instance-connect" + - "tcpdump" + - "ec2-user" + - "wazuh" + - "tss" + - "apache" + # SV-204393/SV-204397 - name: dconf_user @@ -126,7 +134,7 @@ inputs: # - This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. # - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. - # SV-204393 SV-204394 + # SV-204394 - name: banner_message_text_gui desc: Banner message text for graphical user interface logins. type: String 
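Review bot: Removing the `storage_volume` input drops a value the deleted comment attributes to SV-204513 and SV-204514; if either control still calls `input('storage_volume')`, InSpec fails at load with an undefined input, and those controls are not in this diff, so this needs confirming before merge. Dropping the first `min_space_left` block is fine, since the later declaration under `#SV-204513` survives, and dropping `org_name` matches the control edits in this commit that hardcode `DoD`. If `storage_volume` is intentionally retired, remove or rewrite its consumers in the same commit.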
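Review bot: The array input whose `value:` this hunk extends (its `name:` is just above the hunk) now exempts the cron persistence locations `/etc/crontab`, `/etc/cron.d` and `/etc/cron.{hourly,daily,weekly,monthly}`, plus `/etc/at.deny` and the SELinux `seusers`/`users_extra` mappings, so an unexpected change in any of them is no longer reported by the controls that read this list. Exemptions for those paths should be narrowed to whichever attribute legitimately differs on the managed hosts, with the reason recorded in a comment beside each entry, rather than blanket-listed, because silencing them removes detection for a well-known persistence location. The two `/boot/initramfs-4.14.322-244.53[69].amzn2.x86_64.img` entries embed a specific kernel build and will stop matching after the next kernel update; if the consuming control tolerates globs, a pattern such as `/boot/initramfs-*.amzn2.x86_64.img` is more durable, otherwise the list has to be regenerated as part of patching. `rpm_verify_integrity_except` gaining `/var/ossec/etc/localtime` is reasonable but also deserves a comment naming why that file differs.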
@@ -249,28 +257,25 @@ inputs: type: Numeric value: 35 - # SV-SV-204427, SV-204428, SV-255928 - name: unsuccessful_attempts desc: Maximum number of unsuccessful attempts by policy type: Numeric value: 3 - # SV-204427 - - name: lockout_time - desc: Minimum amount of time account must be locked out after failed logins (in seconds) - type: Numeric - value: 900 - - name: fail_interval desc: Maximum interval of time, according to policy, in which the consecutive failed logon attempts must occur in order for the account to be locked out (time in seconds) type: Numeric value: 900 + - name: lockout_time + desc: Minimum amount of time account must be locked out after failed logins by policy. This attribute should never be set greater than 604800 (time in seconds). + value: 604800 + # SV-204445 SV-251705 - name: file_integrity_tool desc: Name of tool type: String - value: "aide" + value: "wazuh" # SV-204498 SV-204499 SV-204500 - name: aide_conf_path @@ -284,9 +289,9 @@ inputs: type: String value: "weekly" - # SV-204398 SV-204399 SV-204400 SV-204402 SV-204403 SV-204579 SV-214937 SV-255926 + # SV-204579 - name: system_activity_timeout - desc: Period of system inactivity leading to session lock (time in seconds). + desc: System activity timeout (time in seconds). type: Numeric value: 900 @@ -300,7 +305,7 @@ inputs: - name: smart_card_status desc: Smart card status (enabled or disabled) type: String - value: "enabled" + value: "disabled" # SV-204489/V-204574 - name: log_pkg_paths @@ -310,8 +315,8 @@ inputs: - "/etc/rsyslog.conf" - "/etc/rsyslog.d/*" - # SV-204467 SV-204468 SV-204469 SV-204470 SV-204471 SV-204472 - # SV-204473 SV-204474 SV-204475 SV-204476 SV-204477 SV-204478 SV-204493 + # SV-204467, SV-204468, SV-204469, SV-204470, SV-204471, SV-204472 + # SV-204473, SV-204474, SV-204475, SV-204476, SV-204477, SV-204478, SV-204493 - name: exempt_home_users desc: Users exempt from home directory-based controls in array format type: Array 
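Review bot: The re-added `lockout_time` block in the first hunk has no `type:` line, unlike the definition it replaces (`type: Numeric`) and every other numeric input in this file; without it InSpec accepts a string from an input file or `--input` override, and a control comparing the value numerically against pam_faillock's `unlock_time` may then behave unexpectedly, so add `type: Numeric` under `desc:`. The `# SV-SV-204427, SV-204428, SV-255928` comment is deleted rather than corrected, which leaves `unsuccessful_attempts` and `fail_interval` with no control mapping; `# SV-204427, SV-204428, SV-255928` keeps the traceability and fixes the doubled prefix. The "should never be set greater than 604800" sentence in the new `desc` states a ceiling the profile does not enforce; if it comes from policy, name the source, otherwise drop it.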
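Review bot: Flipping the profile-wide default of `smart_card_status` to `"disabled"` in the third hunk makes the smart-card controls step aside for every consumer of this profile, while the only justification ("within VMware, we do not use Smartcards") lives in a comment in waivers.yml. Profile defaults should match the STIG expectation; site deviations belong in an input file or `--input smart_card_status=disabled` at run time, where they show up in the report alongside the environment's other overrides. The same applies to `file_integrity_tool: "wazuh"` in the first hunk, whose dependent controls the waivers note says still assume aide and must be reviewed by hand.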
@@ -415,7 +420,13 @@ inputs: # SV-204406 - name: retry - desc: Number of chances the user gets to create a strong password + desc: number of allowed password retries + type: Numeric + value: 3 + + # SV-204406 + - name: max_retry + desc: maximum number of password retries by policy type: Numeric value: 3 @@ -545,7 +556,6 @@ inputs: type: Array value: [] - # SV-204427 - name: required_rules desc: "Required PAM rules" type: Array @@ -568,13 +578,11 @@ inputs: type: Boolean value: false - # SV-204598 - name: gssapi_approved desc: "is GSSAPI authentication approved" type: Boolean value: true - # SV-204599 - name: disconnected_system desc: "Set flag to true if the target system is disconnected" type: Boolean @@ -598,19 +606,19 @@ inputs: type: Numeric value: 4 - # SV-204603 + #SV-204603 - name: maxpoll desc: "This option specifies the maximum interval between requests sent to the NTP server as a power of 2 in seconds." type: Numeric value: 16 - # SV-204420 + #SV-204420 - name: pass_max_days desc: "Password lifetime restriction for new user accounts" type: Numeric value: 60 - # SV-204431 + #SV-204431 - name: fail_delay desc: "Value for the delay between logon prompts following a failed console logon attempt in seconds" type: Numeric @@ -634,7 +642,7 @@ inputs: type: String value: "0740" - # SV-204488 + # SV-204476 - name: user_umask desc: Expected value for all user UMASK values (in octal format) type: String @@ -644,7 +652,7 @@ inputs: - name: audit_remote_server desc: "Address of the remote server to which audit logs can be sent -- if left blank, control will check that any non-local server is in use" type: String - value: "" + value: "logcollector" # SV-204511 - name: expected_disk_full_action @@ -658,7 +666,7 @@ inputs: type: String value: "single" - # SV-204513 + #SV-204513 - name: min_space_left desc: "Minimum percentage for the space remaining in the audit log file before an alert is generated" type: Numeric 
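Review bot: `max_retry` in the first hunk duplicates `retry` for the same control (SV-204406) with the same value and an almost identical description, so one of the two is dead and the pair will drift the first time someone overrides only one of them. I cannot see SV-204406 from here; whichever name the control reads should be the single declaration, and its `desc` should say what the value maps to, e.g. `desc: Prompts allowed before a new password is rejected (presumably pam_pwquality 'retry'), SV-204406`.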
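Review bot: The comment above `user_umask` is changed from `# SV-204488` to `# SV-204476` in the fifth hunk, but the waivers.yml added in this same commit still says `SV-204488 - this needs to be reviewed`, so one of the two references is stale. Please check which control actually reads `input('user_umask')` and make the comment and the waivers note agree; these comments are the only input-to-control mapping the file has.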
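Review bot: Hardcoding `"logcollector"` as the default for `audit_remote_server` in the sixth hunk bakes one environment's hostname into the profile and, per the unchanged `desc`, switches the control from "any non-local server is configured" to "exactly this string is configured". An AMI reused in another environment (the waivers note gives that very reason for not hardcoding name servers under SV-204608) will then fail with a correctly configured remote, and if the control only compares the configured string, a host whose audisp remote is literally `logcollector` but cannot resolve it will pass. Leave the default `""` and supply the hostname through an input file, or at minimum use a fully qualified name and note where it is expected to resolve.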
@@ -696,56 +704,26 @@ inputs: type: String value: "0600" - # SV-204412 + #SV-204412 - name: minclass - desc: "Value for the minimum number of character classes that must change between password resets" + desc: "Value for the minimum number of characters that must change between password resets" type: Numeric value: 4 - # SV-204419 + #SV-204419 - name: min_password_lifetime desc: "Minimum lifetime of a password before it can be a reset" type: Numeric value: 1 - # SV-204421 + #SV-204421 - name: max_password_lifetime desc: "Maximum lifetime of a password before it needs a reset" type: Numeric value: 60 - # SV-254523 + #SV-254523 - name: emergency_accounts desc: Emergency user accounts type: Array value: [] - - # SV-254523 - - name: emergency_account_disable - desc: Expiration time for an emergency account (in hours) - type: Numeric - value: 72 - - # SV-204407 - - name: min_uppercase_characters - desc: Minimum number of upper-case characters required in a password - type: Numeric - value: 1 - - # SV-204408 - - name: min_lowercase_characters - desc: Minimum number of lower-case characters required in a password - type: Numeric - value: 1 - - # SV-204409 - - name: min_numeric_characters - desc: Minimum number of numeric characters required in a password - type: Numeric - value: 1 - - # SV-204410 - - name: min_special_characters - desc: Minimum number of special characters required in a password - type: Numeric - value: 1 diff --git a/waivers.yml b/waivers.yml new file mode 100644 index 00000000..5260a786 --- /dev/null +++ b/waivers.yml 
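Review bot: The new `minclass` description, "minimum number of characters that must change between password resets", describes a `difok`-style setting, not `minclass`, which (assuming it feeds pam_pwquality's `minclass`, as the name suggests) counts the character classes a new password must contain; the old wording at least kept "character classes". Suggest `desc: "Minimum number of character classes (upper, lower, digit, other) a new password must contain; pam_pwquality minclass"`. The hunk also deletes `min_uppercase_characters`, `min_lowercase_characters`, `min_numeric_characters`, `min_special_characters` and `emergency_account_disable`, each annotated with a control ID (SV-204407 to SV-204410, SV-254523); I cannot see those controls, but if any still calls `input(...)` for a removed name the profile errors at load, and the new waivers file only skips SV-204405, so please confirm each consumer was updated or keep the declarations.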
@@ -0,0 +1,74 @@
+# before testing for compliance, run `sudo yum -y update;sudo yum update -y --security;sudo yum upgrade -y`
+# ensure you don't have unnecessary files inside the root folder like ~/.cache, ~/.vnc or other extra dir's
+# ensure that the audit rules set by ansible rhel7 repo are being observed. (inspec)
+# set the inactivity timeout system_activity_timeout to 900 (inspec)
+# ensure all the keys that are you trying to validate the <> match with your inspec content - close to 30+ control changes.
+# smart_card_status (inspec.yml) is set to disabled as within VMware, we do not use Smartcards. (inspec)
+# Fixes -
+# SV-250312(Done) - sudo yum install policycoreutils-python; sudo semanage user -m staff_u -R staff_r -R sysadm_r (check - semanage user -l)
+# SV-250314(Done) - create a file `selinux-context-for-admins` in /etc/sudoers.d directory and add a line `wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL` with comment - `# The OS must elevate the SELinux context when an administrator calls the sudo command`, chmod 440
+# SV-204549(Done) - insert the audit.rules (-w /etc/sudoers.d/90-cloud-init-users -p wa -k actions, -w /etc/sudoers.d/selinux-context-for-admins -p wa -k actions)
+# augenrules --load;auditctl -l
+# SV-204559(Done) - must include these flags (-F auid>=1000 -F auid!=unset)
+# SV-228564(Done) - need to include an entry into /etc/audit/auditd.conf file (log_file_mode = 0600)
+# SV-204587(Done) - /etc/sysconfig/sshd file must have `ClientAliveInterval 600` (the ansible7 repo has this but need to check it.)
+# SV-204496 - seperate file system for /tmp, this is also a test failure as part of LYNIS
+# SV-255928 - need to implement this.
+
+# # Resize one of the 4.43 GiB logical volumes (adjust the LV path as needed)
+# sudo lvresize -L -1G /dev/mapper/vg0-docker
+
+# # Create the /tmp logical volume using the freed-up space
+# sudo lvcreate -L 1G -n tmp vg0
+
+# # Format the /tmp logical volume as ext4
+# sudo mkfs.ext4 /dev/mapper/vg0-tmp
+
+# # Create a mount point for /tmp
+# sudo mkdir /mnt/tmp
+
+# # Mount the /tmp logical volume to /mnt/tmp
+# sudo mount /dev/mapper/vg0-tmp /mnt/tmp
+
+# # Copy the contents of the existing /tmp to the new /tmp
+# sudo rsync -av /tmp/ /mnt/tmp
+
+# # Backup the original /tmp and unmount it
+# sudo mv /tmp /tmp_old
+# sudo umount /tmp_old
+
+# # Mount the new /tmp logical volume to /tmp
+# sudo mkdir /tmp
+# sudo mount /dev/mapper/vg0-tmp /tmp
+
+# # Update /etc/fstab to make the mount permanent
+# echo "/dev/mapper/vg0-tmp /tmp ext4 defaults 0 0" | sudo tee -a /etc/fstab
+
+# # Mount all file systems
+# sudo mount -a
+
+
+# SV-204513 (Done) - Need to modify `line: space_left = {{ var_auditd_space_left_percentage }}%` in ansible, remove the %, it should be a number.
+# SV-204503 (Done) will get fixed if SV-204513 gets fixed.
+# SV-204460 - Unnecessary accounts needs to be removed (games, ftp, rpc, libstoragemgmt, rngd, rpcuser, nfsnobody, ec2-instance-connect, tcpdump, ec2-user, wazuh, tss, apache)
+# SV-204419 (Done) - sudo chage -m 1 ec2-user; sudo chage -m 1 nfsnobody;
+# SV-204421 (Done) - sudo chage -M 60 ec2-user;sudo chage -M 60 nfsnobody;
+# SV-204488 - this needs to be reviewed.
+# Expected failures -
+# SV-204429 control is expected to fail as we are opening up the AMI for downstreams to build on top of base AMI (rules containing NOPASSWD is expected to be empty)
+# SV-214800 control is expected to fail as described/explained to the auditors that we have processess established to deal with endpoint security.
+# SV-214801 control is expected to fail as described/explained to the auditors that we have processess established to deal with virus scan programs.
+# SV-204458 control is expected to fail as this is a check meant especially for Red Hat Operating systems (RHEL 7.6/RHEL 7.7/RHEL 7.8/RHEL 7.9) and not related to amazon linux 2.
+# SV-204604 control is expected to fail as the service teams use external firewalls and rules. Can clarify with brian once.
+# SV-204577 control is expected to fail similar to SV-204604, check with brian once.
+# SV-204608 control is expected to fail as name servers need to be configured by the service teams. Leaving it as the AMI can be used in different environments, can't hardcode specific server IPs. Or can be given as inputs in the (inspec.yml file)
+# SV-255928 control is expected to fail as its not covered in the rhel7 ansible tasks provided by red hat
+# SV-204446 control is expected to fail as the file integrity tools (wazuh are configured) and their config is left to service teams, the base AMI just has the installation of the agents.
+# Exceptions/Manual Reviews
+# SV-204500 control has to be reviewed manually as it expects aide to be file integrity tool, but we use wazuh-manager/wazuh-agent.
+# SV-204445 control has to be reviewed manually as it expects aide to be file integrity tool, but we use wazuh-manager/wazuh-agent.
+version: "1.0"
+waivers:
+ - control_id: 'SV-204405'
+ run: false
+ justification: "This is a AL2 STIG hardened AMI Buildout, pam rules are configured from within the DISA RHEL7 Ansible fix repo."
\ No newline at end of file
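Review bot: The single waiver for SV-204405 uses `run: false`, which makes InSpec skip the control entirely, and carries no `expiration_date`, so the PAM password-quality check is silently and permanently removed from every report produced with this file. Prefer `run: true` (the control still executes and a failure is reported as waived, so a regression in the Ansible-applied PAM rules stays visible) and add an `expiration_date:` tied to the next review of the Ansible fix repo. The nine controls listed under "Expected failures" exist only as comments, so reports will show them as plain failures with no justification attached; each should be its own `- control_id:` entry carrying the reason already written in the comment, and "check with brian once" is an open question rather than a justification. The SV-204429 line also documents an intentional NOPASSWD sudo rule shipped in a hardened base AMI; if that stays, the waiver text should name the sudoers file (presumably the `/etc/sudoers.d/90-cloud-init-users` referenced under SV-204549) so an auditor can locate it.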