diff --git a/src/assets/downloads/CliProcessOutput.log b/src/assets/downloads/CliProcessOutput.log new file mode 100644 index 000000000..6ae8e024f --- /dev/null +++ b/src/assets/downloads/CliProcessOutput.log @@ -0,0 +1,1069 @@ +==================== Delta Process ===================== +Date: 2024-11-26T18:06:16.889Z +Process Flags =========================================== +logLevel=info +inspecJsonFile=d:\2-SourceCode\InSpec\InSpec_Profiles\Profiles_Code\SQL\microsoft-sql-server-2014-database-stig-baseline\profile_update4delta.json +xccdfXmlFile=d:\2-SourceCode\InSpec\InSpec_Profiles\Profiles_Code\SQL\xccdf\SQL_Server_16\U_MS_SQL_Server_2016_Database_V2R8_Manual_STIG\U_MS_SQL_Server_2016_Database_STIG_V2R8_Manual-xccdf.xml +deltaOutputDir=D:\2-SourceCode\InSpec\InSpec_Profiles\Profiles_Code\SQL\microsoft-sql-server-2014-database-stig-baseline\delta_controls +idType=rule +runMapControls=true +controlsDir=D:\2-SourceCode\InSpec\InSpec_Profiles\Profiles_Code\SQL\microsoft-sql-server-2014-database-stig-baseline\controls + + +Mapping controls (using fuzzy logic - lower value = best match) from the old profile to the new profile + +Mapping Process =========================================================================== + New XCCDF Control: SV-213900 +* No Mapping Provided * + +Processing New Control: SV-213901 + New Control Title: SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. + Old Control Title: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies. + Best Match Candidate: SV-213764 --> SV-213901 + Matching Score: 0.0508 + +Processing New Control: SV-213902 + New Control Title: SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the database. + Old Control Title: SQL Server must protect data at rest and ensure confidentiality and integrity of data. + No Match Found for: SV-213774 --> SV-213902 + Matching Score: 0.83125 + +Processing New Control: SV-213903 + New Control Title: SQL Server must protect against a user falsely repudiating by use of system-versioned tables (Temporal Tables). + Old Control Title: SQL Server must protect data at rest and ensure confidentiality and integrity of data. + No Match Found for: SV-213774 --> SV-213903 + Matching Score: 0.7890625 + +Processing New Control: SV-213904 + New Control Title: SQL Server must protect against a user falsely repudiating by ensuring databases are not in a trust relationship. + Old Control Title: SQL Server must protect data at rest and ensure confidentiality and integrity of data. + No Match Found for: SV-213774 --> SV-213904 + Matching Score: 0.7890625 + +Processing New Control: SV-213905 + New Control Title: SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. + Old Control Title: Where SQL Server Audit is in use at the database level, SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited at the database level. + Best Match Candidate: SV-213766 --> SV-213905 + Matching Score: 0.0131 + +Processing New Control: SV-213906 + New Control Title: SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers. + Old Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. + No Match Found for: SV-213770 --> SV-213906 + Matching Score: 0.59375 + +Processing New Control: SV-213907 + New Control Title: SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers, and links to software external to SQL Server. + Old Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. + No Match Found for: SV-213770 --> SV-213907 + Matching Score: 0.49395 + +Processing New Control: SV-213908 + New Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. + Old Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. + Best Match Candidate: SV-213770 --> SV-213908 + Matching Score: 0.04478571428571428 + +Processing New Control: SV-213909 + New Control Title: The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be restricted to authorized users. + Old Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. + No Match Found for: SV-213770 --> SV-213909 + Matching Score: 0.49609375 + +Processing New Control: SV-213910 + New Control Title: In the event of a system failure, hardware loss or disk failure, SQL Server must be able to restore necessary databases with least disruption to mission processes. + Old Control Title: In the event of a system failure, SQL Server must preserve any information necessary to return to operations with least disruption to mission processes. + No Match Found for: SV-213773 --> SV-213910 + Matching Score: 0.6003999999999999 + +Processing New Control: SV-213911 + New Control Title: The Database Master Key encryption password must meet DOD password complexity requirements. + Old Control Title: The Database Master Key must be encrypted by the Service Master Key, where a Database Master Key is required and another encryption method has not been specified. + No Match Found for: SV-213779 --> SV-213911 + Matching Score: 0.7395833333333334 + +Processing New Control: SV-213912 + New Control Title: The Database Master Key must be encrypted by the Service Master Key, where a Database Master Key is required and another encryption method has not been specified. + Old Control Title: The Database Master Key must be encrypted by the Service Master Key, where a Database Master Key is required and another encryption method has not been specified. + Best Match Candidate: SV-213779 --> SV-213912 + Matching Score: 0.007050000000000001 + +Processing New Control: SV-213913 + New Control Title: The Certificate used for encryption must be backed up, stored offline and off-site. + Old Control Title: Symmetric keys (other than the database master key) must use a DoD certificate to encrypt the key. + No Match Found for: SV-213781 --> SV-213913 + Matching Score: 0.7708333333333334 + +Processing New Control: SV-213914 + New Control Title: SQL Server must isolate security functions from non-security functions. + Old Control Title: SQL Server must protect data at rest and ensure confidentiality and integrity of data. + No Match Found for: SV-213774 --> SV-213914 + Matching Score: 0.78125 + +Processing New Control: SV-213915 + New Control Title: Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy. + Old Control Title: Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy. + Best Match Candidate: SV-213775 --> SV-213915 + Matching Score: 0.0131 + +Processing New Control: SV-213916 + New Control Title: SQL Server must check the validity of all data inputs except those specifically identified by the organization. + Old Control Title: SQL Server must check the validity of all data inputs except those specifically identified by the organization. + Best Match Candidate: SV-213776 --> SV-213916 + Matching Score: 0.001 + +Processing New Control: SV-213917 + New Control Title: SQL Server must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. + Old Control Title: The DBMS and associated applications must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. + Best Match Candidate: SV-213777 --> SV-213917 + Matching Score: 0.05291666666666667 + +Processing New Control: SV-213918 + New Control Title: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in storage. + Old Control Title: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in storage. + Best Match Candidate: SV-213784 --> SV-213918 + Matching Score: 0.0131 + +Processing New Control: SV-213919 + New Control Title: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in process. + Old Control Title: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in process. + Best Match Candidate: SV-213785 --> SV-213919 + Matching Score: 0.0131 + +Processing New Control: SV-213920 + New Control Title: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission. + Old Control Title: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission. + Best Match Candidate: SV-213786 --> SV-213920 + Matching Score: 0.0131 + +Processing New Control: SV-213921 + New Control Title: SQL Server must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects. + Old Control Title: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies. + No Match Found for: SV-213764 --> SV-213921 + Matching Score: 0.6171875 + +Processing New Control: SV-213922 + New Control Title: Execution of stored procedures and functions that utilize execute as must be restricted to necessary cases only. + Old Control Title: SQL Server must be monitored to discover unauthorized changes to stored procedures. + No Match Found for: SV-213769 --> SV-213922 + Matching Score: 0.8359375 + +Processing New Control: SV-213923 + New Control Title: SQL Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. + Old Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. + No Match Found for: SV-213770 --> SV-213923 + Matching Score: 0.8125 + +Processing New Control: SV-213924 + New Control Title: SQL Server must enforce access restrictions associated with changes to the configuration of the database(s). + Old Control Title: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies. + No Match Found for: SV-213764 --> SV-213924 + Matching Score: 0.796875 + +Processing New Control: SV-213926 + New Control Title: SQL Server must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. + Old Control Title: SQL Server must implement and/or support cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. + Best Match Candidate: SV-213788 --> SV-213926 + Matching Score: 0.04334375 + +Processing New Control: SV-213927 + New Control Title: SQL Server must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components. + Old Control Title: SQL Server must implement and/or support cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. + Duplicate Match: SV-213788 --> SV-213927 + Matching Score: 0.15120833333333333 + +Processing New Control: SV-251040 + New Control Title: SQL Server must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements. + Old Control Title: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies. + No Match Found for: SV-213764 --> SV-251040 + Matching Score: 0.6484375 + +Mapping Results =========================================================================== + Old Control -> New Control + SV-213764 -> SV-213901 + SV-213766 -> SV-213905 + SV-213770 -> SV-213908 + SV-213779 -> SV-213912 + SV-213775 -> SV-213915 + SV-213776 -> SV-213916 + SV-213777 -> SV-213917 + SV-213784 -> SV-213918 + SV-213785 -> SV-213919 + SV-213786 -> SV-213920 + SV-213788 -> SV-213926 +Total Mapped Controls: 11 + +Control Counts =========================== +Total Controls Available for Delta: 43 + Total Controls Found on XCCDF: 28 + +Match Statistics ========================= + Match Controls: 11 + Possible Mismatch Controls: 0 + Duplicate Match Controls: 1 + No Match Controls: 15 + New XCDDF Controls: 1 + +Statistics Validation ============================================= +Match + Mismatch = Total Mapped Controls: (11+0=11) true + Total Processed = Total XCCDF Controls: (11+0+1+15+1=28) true + + +Updating Controls =========================================================================== +Mapping (From --> To): SV-213764 --> SV-213901 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213764.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213764.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213764.rb to reference ID SV-213901 + New control name: SV-213901.rb + +Mapping (From --> To): SV-213766 --> SV-213905 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213766.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213766.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213766.rb to reference ID SV-213905 + New control name: SV-213905.rb + +Mapping (From --> To): SV-213770 --> SV-213908 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213770.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213770.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213770.rb to reference ID SV-213908 + New control name: SV-213908.rb + +Mapping (From --> To): SV-213779 --> SV-213912 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213779.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213779.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213779.rb to reference ID SV-213912 + New control name: SV-213912.rb + +Mapping (From --> To): SV-213775 --> SV-213915 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213775.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213775.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213775.rb to reference ID SV-213915 + New control name: SV-213915.rb + +Mapping (From --> To): SV-213776 --> SV-213916 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213776.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213776.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213776.rb to reference ID SV-213916 + New control name: SV-213916.rb + +Mapping (From --> To): SV-213777 --> SV-213917 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213777.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213777.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213777.rb to reference ID SV-213917 + New control name: SV-213917.rb + +Mapping (From --> To): SV-213784 --> SV-213918 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213784.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213784.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213784.rb to reference ID SV-213918 + New control name: SV-213918.rb + +Mapping (From --> To): SV-213785 --> SV-213919 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213785.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213785.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213785.rb to reference ID SV-213919 + New control name: SV-213919.rb + +Mapping (From --> To): SV-213786 --> SV-213920 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213786.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213786.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213786.rb to reference ID SV-213920 + New control name: SV-213920.rb + +Mapping (From --> To): SV-213788 --> SV-213926 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213788.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213788.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213788.rb to reference ID SV-213926 + New control name: SV-213926.rb + +Update Results =========================================================================== + +## Automatic Update: -> + +### New Controls: ++ SV-213900 - SQL Server databases must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. ++ SV-213902 - SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the database. ++ SV-213903 - SQL Server must protect against a user falsely repudiating by use of system-versioned tables (Temporal Tables). ++ SV-213904 - SQL Server must protect against a user falsely repudiating by ensuring databases are not in a trust relationship. ++ SV-213906 - SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers. ++ SV-213907 - SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers, and links to software external to SQL Server. ++ SV-213909 - The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be restricted to authorized users. ++ SV-213910 - In the event of a system failure, hardware loss or disk failure, SQL Server must be able to restore necessary databases with least disruption to mission processes. ++ SV-213911 - The Database Master Key encryption password must meet DOD password complexity requirements. ++ SV-213913 - The Certificate used for encryption must be backed up, stored offline and off-site. ++ SV-213914 - SQL Server must isolate security functions from non-security functions. ++ SV-213921 - SQL Server must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects. ++ SV-213922 - Execution of stored procedures and functions that utilize execute as must be restricted to necessary cases only. ++ SV-213923 - SQL Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. ++ SV-213924 - SQL Server must enforce access restrictions associated with changes to the configuration of the database(s). ++ SV-213927 - SQL Server must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components. ++ SV-251040 - SQL Server must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements. + + +### Updated Check/Fixes: +#### Checks: +
+ Click to expand. +SV-213901: +Old: +``` +Review the system documentation to determine the required levels of protection for securables in the database, by type of user. + +Review the permissions actually in place in the database. + +The database permission functions and views provided in the supplemental file Permissions.sql can help with this. + +If the actual permissions do not match the documented requirements, this is a finding. + +``` + +Updated: +``` +Review the system documentation to determine the required levels of protection for securables in the database, by type of user. + +If the database is tempdb, this is NA. + +Review the permissions actually in place in the database. + +If the actual permissions do not match the documented requirements, this is a finding. + +Use the supplemental file "Database permission assignments to users and roles.sql". + +``` +--- +SV-213905: +Old: +``` +If SQL Server Audit is not in use at the database level, this is not applicable (NA). + +Obtain the list of approved audit maintainers from the system documentation. + +Review the database roles and individual users that have the following permissions, both of which enable the ability to maintain audit definitions: +ALTER ANY DATABASE AUDIT +CONTROL ON DATABASE + +The functions and views provided in the supplemental file Permissions.sql can assist in this review. In the following, "STIG" stands for the schema where you have deployed these views and functions. To see which logins and server roles have been granted these permissions: + SELECT + * + FROM + STIG.database_permissions P + WHERE + (P.[Permission] = 'ALTER ANY DATABASE AUDIT') + OR + (P.[Permission] = 'CONTROL' AND P.[Securable Type or Class] = 'DATABASE') + ; + +To see what users and database roles inherit these permissions from the database roles reported by the previous query, repeat the following for each one: + SELECT * FROM STIG.members_of_database_role(); + +To see all the permissions in effect for a database principal (server role or login): + SELECT * FROM STIG.server_effective_permissions(); + +If designated personnel are not able to configure auditable events, this is a finding. + +If unapproved personnel are able to configure auditable events, this is a finding. + +``` + +Updated: +``` +Obtain the list of approved audit maintainers from the system documentation. + +Use the following query to review database roles and their membership, all of which enable the ability to create and maintain audit specifications. + +SELECT + R.name AS role_name, + RM.name AS role_member_name, + RM.type_desc +FROM sys.database_principals R +JOIN sys.database_role_members DRM ON + R.principal_id = DRM.role_principal_id +JOIN sys.database_principals RM ON + DRM.member_principal_id = RM.principal_id +WHERE R.type = 'R' + AND R.name = 'db_owner' +ORDER BY + role_member_name + +If any role memberships are not documented and authorized, this is a finding. + + +Review the database roles and individual users that have the following permissions, all of which enable the ability to create and maintain audit definitions. + +ALTER ANY DATABASE AUDIT +CONTROL + +Use the following query to determine the roles and users that have the listed permissions: + +SELECT + PERM.permission_name, + DP.name AS principal_name, + DP.type_desc AS principal_type, + DBRM.role_member_name +FROM sys.database_permissions PERM +JOIN sys.database_principals DP ON PERM.grantee_principal_id = DP.principal_id +LEFT OUTER JOIN ( + SELECT + R.principal_id AS role_principal_id, + R.name AS role_name, + RM.name AS role_member_name + FROM sys.database_principals R + JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id + JOIN sys.database_principals RM ON DRM.member_principal_id = RM.principal_id + WHERE R.type = 'R' +) DBRM ON DP.principal_id = DBRM.role_principal_id +WHERE PERM.permission_name IN ('CONTROL','ALTER ANY DATABASE AUDIT') +ORDER BY + permission_name, + principal_name, + role_member_name + + +If any of the roles or users returned have permissions that are not documented, or the documented audit maintainers do not have permissions, this is a finding. + +``` +--- +SV-213908: +Old: +``` +Review system documentation to identify SQL Server accounts authorized to own database objects. + +If the SQL Server database ownership list does not exist or needs to be updated, this is a finding. + +The view STIG.database_permissions, included in the supplemental file, Permissions.sql, can be of use in making this determination: +USE ; +GO +SELECT DISTINCT + S.[Schema/Owner] AS [Owner], + O.[Schema/Owner] AS [Schema], + O.[Securable] +FROM + STIG.database_permissions O + INNER JOIN STIG.database_permissions S + ON S.[Securable] = O.[Schema/Owner] + AND O.[Securable Type or Class] = 'OBJECT_OR_COLUMN' + AND S.[Securable Type or Class] = 'SCHEMA' +WHERE + S.[Schema/Owner] NOT IN ('dbo', 'sys', 'INFORMATION_SCHEMA' ... ) + -- Complete the "NOT IN" list with the names of user accounts authorized for ownership. +; +If any of the listed owners is not authorized, this is a finding. + +``` + +Updated: +``` +Review system documentation to identify SQL Server accounts authorized to own database objects. + +If the SQL Server database ownership list does not exist or needs to be updated, this is a finding. + +The following query can be of use in making this determination: + +;with objects_cte as +(SELECT o.name, o.type_desc, + CASE + WHEN o.principal_id is null then s.principal_id + ELSE o.principal_id + END as principal_id + FROM sys.objects o + INNER JOIN sys.schemas s + ON o.schema_id = s.schema_id + WHERE o.is_ms_shipped = 0 +) +SELECT cte.name, cte.type_desc, dp.name as ObjectOwner +FROM objects_cte cte +INNER JOIN sys.database_principals dp +ON cte.principal_id = dp.principal_id +ORDER BY dp.name, cte.name + +If any of the listed owners is not authorized, this is a finding. + +``` +--- +SV-213915: +Old: +``` +Verify there are proper procedures in place for the transfer of development/test data from production. Review any scripts or code that exists for the movement of production data to development/test and verify copies of production data are not left in unprotected locations. + +If there is no documented procedure for data movement from production to development/test, this is a finding. + +If data movement code that copies from production to development/test does exist and leaves any copies of production data in unprotected locations, this is a finding. + +``` + +Updated: +``` +Review the procedures for the refreshing of development/test data from production. Review any scripts or code that exists for the movement of production data to development/test systems, or to any other location or for any other purpose. Verify that copies of production data are not left in unprotected locations. If the code that exists for data movement does not comply with the organization-defined data transfer policy and/or fails to remove any copies of production data from unprotected locations, this is a finding. + +``` +--- +SV-213918: +Old: +``` +If security labeling is not required, this is not a finding. + +If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in storage, this is a finding. + +``` + +Updated: +``` +If security labeling is not required, this is not a finding. + +If security labeling requirements have been specified, but neither a third-party solution nor a SQL Server Row-Level security solution is implemented that reliably maintains labels on information in storage, this is a finding. + +``` +--- +SV-213919: +Old: +``` +If security labeling is not required, this is not a finding. + +If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in process, this is a finding. + +``` + +Updated: +``` +If security labeling is not required, this is not a finding. + +If security labeling requirements have been specified, but neither a third-party solution nor a SQL Server Row-Level security solution is implemented that reliably maintains labels on information in process, this is a finding. + +``` +--- +SV-213920: +Old: +``` +If security labeling is not required, this is not a finding. + +If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in transmission, this is a finding. + +``` + +Updated: +``` +If security labeling is not required, this is not a finding. + +If security labeling requirements have been specified, but neither a third-party solution nor a SQL Server Row-Level security solution is implemented that reliably maintains labels on information in transmission, this is a finding. + +``` +--- +SV-213926: +Old: +``` +Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information. + +If no information is identified as requiring such protection, this is not a finding. + +Review the configuration of SQL Server, Windows, and additional software as relevant. + +If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding. + +If database transparent data encryption (TDE) is called for, check whether it is enabled: +In SQL Server Management Studio, Object Explorer, expand the instance and right-click on the database name; select properties. Select the Options page, State section, Encryption Enabled parameter. + +If the value displayed is False, this is a finding. + +If column encryption, done via SQL Server features, is required, review the definitions and contents of the relevant tables and columns. + +If any of the information defined as requiring cryptographic protection is not encrypted in a manner that provides the required level of protection, this is a finding. + +``` + +Updated: +``` +Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information. + +If no information is identified as requiring such protection, this is not a finding. + +Review the configuration of SQL Server, Windows, and additional software as relevant. + +If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding. + +If database transparent data encryption (TDE) is called for, check whether it is enabled: + +SELECT +DB_NAME(database_id) AS [Database Name], CASE encryption_state WHEN 0 THEN 'No database encryption key present, no encryption' +WHEN 1 THEN 'Unencrypted' +WHEN 2 THEN 'Encryption in progress' +WHEN 3 THEN 'Encrypted' +WHEN 4 THEN 'Key change in progress' +WHEN 5 THEN 'Decryption in progress' +WHEN 6 THEN 'Protection change in progress' +END AS [Encryption State] +FROM sys.dm_database_encryption_keys + +For each user database for which encryption is called for and it is marked Unencrypted, this is a finding. + +If table/column encryption and/or a separation between those who own the data (and can view it) and those who manage the data (but should have no access) is required for PII or similar types of data, use Always Encrypted. The details for configuring Always Encrypted are located here: https://msdn.microsoft.com/en-us/library/mt163865.aspx. + +Review the definitions and contents of the relevant tables/columns for the Always Encryption settings, if any of the information defined as requiring cryptographic protection is not encrypted this is a finding. + +``` +--- +
+ +#### Fixes: +
+ Click to expand. +SV-213905: +Old: +``` +Create a database role specifically for audit maintainers, and give it permission to maintain audits, without granting it unnecessary permissions: +USE ; +GO +CREATE ROLE DATABASE_AUDIT_MAINTAINERS; +GO +GRANT ALTER ANY DATABASE AUDIT TO DATABASE_AUDIT_MAINTAINERS; +GO +(The role name used here is an example; other names may be used.) + +Use REVOKE and/or DENY and/or ALTER ROLE ... DROP MEMBER ... statements to remove the ALTER ANY DATABASE AUDIT permission from all users. + +Then, for each authorized database user, run the statement: +ALTER ROLE DATABASE_AUDIT_MAINTAINERS ADD MEMBER ; +GO + +Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL DATABASE permission from logins that do not need it. + +``` +New: +``` +Create a database role specifically for audit maintainers, and give it permission to maintain audits, without granting it unnecessary permissions (The role name used here is an example; other names may be used.): + +CREATE ROLE DATABASE_AUDIT_MAINTAINERS; +GO + +GRANT ALTER ANY DATABASE AUDIT TO DATABASE_AUDIT_MAINTAINERS; +GO + +Use REVOKE and/or DENY and/or ALTER ROLE ... DROP MEMBER ... statements to remove the ALTER ANY DATABASE AUDIT permission from all users. Then, for each authorized database user, run the statement: + +ALTER ROLE DATABASE_AUDIT_MAINTAINERS ADD MEMBER; +GO + +Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL DATABASE permission from logins that do not need it. + +``` +--- +SV-213908: +Old: +``` +Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized. + +To change the schema owning a database object in SQL Server, use this code: +USE ; +GO +ALTER SCHEMA TRANSFER .; +GO + +Caution: this can break code. This Fix should be implemented in conjunction with corrections to such code. Test before deploying in production. Deploy during a scheduled maintenance window. + +``` +New: +``` +Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized. + +To change the schema owning a database object in SQL Server, use this code as an example: + +USE AdventureWorks2012; +GO +ALTER SCHEMA HumanResources TRANSFER Person.Address; +GO + +Caution: This can break code. This Fix should be implemented in conjunction with corrections to such code. Test before deploying in production. Deploy during a scheduled maintenance window. + +``` +--- +SV-213915: +Old: +``` +Create and document a process for moving data from production to development/test systems and follow the process. + +Modify any code used for moving data from production to development/test systems to ensure copies of production data are not left in unsecured locations. + +``` +New: +``` +Modify any code used for moving data from production to development/test systems to comply with the organization-defined data transfer policy, and to ensure copies of production data are not left in unsecured locations. + +``` +--- +SV-213916: +Old: +``` +Use triggers, constraints, foreign keys, etc. to validate data input. + +Modify SQL Server to properly use the correct column data types as required in the database. + +``` +New: +``` +Use parameterized queries, constraints, foreign keys, etc. to validate data input. + +Modify SQL Server to properly use the correct column data types as required in the database. + +``` +--- +SV-213917: +Old: +``` +Configure DBMS settings, custom database code, and associated application code not to divulge sensitive information or information useful for system identification in error messages that are displayed to general users. + +``` +New: +``` +Adjust database code to remove any information not required for explaining the error to an end user. + +Consider enabling trace flag 3625 to mask certain system-level error information returned to non-administrative users. + +Launch SQL Server Configuration Manager >> Click SQL Services >> Open the instance properties >> Click the Service Parameters tab >> Enter "-T3625" >> Click Add >> Click OK >> Restart SQL instance. + +``` +--- +SV-213918: +Old: +``` +Develop SQL or application code or acquire a third party tool to perform data labeling. + +``` +New: +``` +Deploy SQL Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in storage. + +https://msdn.microsoft.com/en-us/library/dn765131.aspx + +``` +--- +SV-213919: +Old: +``` +Develop SQL or application code or acquire a third party tool to perform data labeling. + +``` +New: +``` +Deploy SQL Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in process. + +https://msdn.microsoft.com/en-us/library/dn765131.aspx + +``` +--- +SV-213920: +Old: +``` +Develop SQL or application code or acquire a third party tool to perform data labeling. + +``` +New: +``` +Deploy SQL Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in transmission. + +https://msdn.microsoft.com/en-us/library/dn765131.aspx + +``` +--- +SV-213926: +Old: +``` +Where full-disk encryption is required, configure Windows and/or the storage system to provide this. + +Where transparent data encryption (TDE) is required, deploy the necessary stack of certificates and keys, and set the Encryption Enabled to True. For guidance from the Microsoft Developer Network on how to do this, perform a web search for "SQL Server 2014 TDE". + +Where column encryption is required, deploy the necessary stack of certificates and keys, and enable encryption on the columns in question. For guidance from the Microsoft Developer Network on how to do this, perform a web search for "SQL Server 2014 Encrypt a Column of Data". + +``` +New: +``` +Where full-disk encryption is required, configure Windows and/or the storage system to provide this. + +Where transparent data encryption (TDE) is required, create a master key, obtain a certificate protected by the master key, create a database encryption key and protect it by the certificate, and then set the database to use encryption. For guidance from MSDN on how to do this: https://msdn.microsoft.com/en-us/library/bb934049.aspx. + +Where table/column encryption is required, enable encryption on the tables/columns in question. For guidance from the Microsoft Developer Network on how to do this with Always Encrypted: https://msdn.microsoft.com/en-us/library/mt163865.aspx. + +``` +--- + + +### Updated Impacts +
+ Click to expand. +SV-213901: +Old: 0.5 +New: 0.7 +--- +SV-213905: +Old: 0 +New: 0.5 +--- +SV-213912: +Old: 0 +New: 0.5 +--- +SV-213918: +Old: 0 +New: 0.5 +--- +SV-213919: +Old: 0 +New: 0.5 +--- +SV-213920: +Old: 0 +New: 0.5 +--- +SV-213926: +Old: 0 +New: 0.5 +--- +
+ +### Updated Titles +
+ Click to expand. +SV-213901: +Old: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies. +New: SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. +--- +SV-213905: +Old: Where SQL Server Audit is in use at the database level, SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited at the database level. +New: SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. +--- +SV-213917: +Old: The DBMS and associated applications must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. +New: SQL Server must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. +--- +SV-213918: +Old: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in storage. +New: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in storage. +--- +SV-213919: +Old: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in process. +New: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in process. +--- +SV-213920: +Old: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission. +New: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission. +--- +SV-213926: +Old: SQL Server must implement and/or support cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. +New: SQL Server must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. +--- +
+ +### Updated Descriptions +
+ Click to expand. +SV-213901: +Old: +``` +Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access the database and all its contents. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including SQL Server databases, must be properly configured to implement access control policies. + +Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. + +Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. + +This requirement is applicable to access control enforcement applications, a category that includes SQL Server. If SQL Server is not configured to follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy. + +``` +New: +``` +Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access SQL Server. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including databases, must be properly configured to implement access control policies. + +Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. + +Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. + +This requirement is applicable to access control enforcement applications, a category that includes database management systems. If SQL Server does not follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy. + +``` +--- +SV-213905: +Old: +``` +Inspec attributes has specified that SQL Server Audit is not in use at + the database level, this is not applicable (NA) + +``` +New: +``` +Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events. + +Suppression of auditing could permit an adversary to evade detection. + +Misconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +``` +--- +SV-213908: +Old: +``` +Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who utilizes the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals. + +Conversely, if critical tables or other objects rely on unauthorized owner accounts, these objects may be lost when an account is removed. + +``` +New: +``` +Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who utilizes the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals. + +Conversely, if critical tables or other objects in SQL Server rely on unauthorized owner accounts, these objects may be lost when an account is removed. + +``` +--- +SV-213912: +Old: +``` +No databases require encryption hence this is not a finding + +``` +New: +``` +When not encrypted by the Service Master Key, system administrators or application administrators may access and use the Database Master Key to view sensitive data that they are not authorized to view. Where alternate encryption means are not feasible, encryption by the Service Master Key may be necessary. To help protect sensitive data from unauthorized access by DBAs, mitigations may be in order. Mitigations may include automatic alerts or other audit events when the Database Master Key is accessed outside of the application or by a DBA account. + +``` +--- +SV-213915: +Old: +``` +The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse. + +Data used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, so copies of sensitive data are not misplaced or left in a temporary location without the proper controls. + +``` +New: +``` +Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources. + +Data used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, to include the conditions under which such transfer may take place, where the copies may reside, and the rules for ensuring sensitive data are not exposed. + +Copies of sensitive data must not be misplaced or left in a temporary location without the proper controls. + +``` +--- +SV-213916: +Old: +``` +Invalid user input occurs when a user inserts data or characters into an application’s data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. + +SQL Server needs to validate the data user’s attempt to input to the application for processing. Rules for checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, acceptable values) are in place to verify inputs match specified definitions for format and content. Inputs passed to interpreters are prescreened to prevent the content from being unintentionally interpreted as commands. + +A poorly designed database system can have many problems. A common issue with these types of systems is the missed opportunity to use constraints. + +This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered. + +``` +New: +``` +Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. + +With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database. + +Even when no such hijacking takes place, invalid input that gets recorded in the database, whether accidental or malicious, reduces the reliability and usability of the system. Available protections include data types, referential constraints, uniqueness constraints, range checking, and application-specific logic. Application-specific logic can be implemented within the database in stored procedures and triggers, where appropriate. + +This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered. + +``` +--- +SV-213917: +Old: +``` +Any DBMS or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team. + +Databases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. In addition to sensitive business or personal information, database errors can provide host names, IP addresses, user names, and other system information not required for end-user troubleshooting but very useful to someone targeting the system. + +Carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers. + +It is important that detailed error messages be visible only to those who are authorized to view them; that general users receive only generalized acknowledgment that errors have occurred; and that these generalized messages appear only when relevant to the user's task. For example, a message along the lines of, "An error has occurred. Unable to save your changes. If this problem persists, please contact your help desk" would be relevant. A message such as "Warning: your transaction generated a large number of page splits" would likely not be relevant. "ABGQ is not a valid widget code" would be appropriate; but "The INSERT statement conflicted with the FOREIGN KEY constraint "WidgetTransactionFK". The conflict occurred in database "DB7", table "dbo.WidgetMaster", column 'WidgetCode'" would not, as it reveals too much about the database structure. + +This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered. + +``` +New: +``` +Any DBMS or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team. + +Databases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. In addition to sensitive business or personal information, database errors can provide host names, IP addresses, user names, and other system information not required for troubleshooting but very useful to someone targeting the system. + +Carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers. + +``` +--- +SV-213918: +Old: +``` +Security labeling is stated as `not required` in the attributes file, + this control is not applicable + +``` +New: +``` +Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions. + +Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. + +These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. + +One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise. + +The mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code. + +``` +--- +SV-213919: +Old: +``` +Security labeling is stated as `not required` in the attributes file, + this control is not applicable + +``` +New: +``` +Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions. + +Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. + +These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. + +One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise. + +The mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code. + +``` +--- +SV-213920: +Old: +``` +Security labeling is stated as `not required` in the attributes file, + this control is not applicable + +``` +New: +``` +Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions. + +Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise. + +The mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code. + +``` +--- +SV-213926: +Old: +``` +If the application owner and Authorizing Official have + determined that encryption of data at rest is NOT required, this is not a + finding. + +``` +New: +``` +DBMSs handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to SQL Server or implemented via additional software or operating system/file system settings, as appropriate to the situation. + +Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). + +The decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides. + +``` +--- +
diff --git a/src/assets/downloads/delta.json b/src/assets/downloads/delta.json new file mode 100644 index 000000000..fe81a5181 --- /dev/null +++ b/src/assets/downloads/delta.json @@ -0,0 +1,1136 @@ +{ + "ignoreFormattingDiff": { + "addedControlIDs": [ + "SV-213913" + ], + "removedControlIDs": [], + "renamedControlIDs": {}, + "changedControlIDs": [ + "SV-213900", + "SV-213901", + "SV-213902", + "SV-213903", + "SV-213904", + "SV-213905", + "SV-213906", + "SV-213907", + "SV-213908", + "SV-213909", + "SV-213910", + "SV-213911", + "SV-213912", + "SV-213914", + "SV-213915", + "SV-213916", + "SV-213917", + "SV-213918", + "SV-213919", + "SV-213920", + "SV-213921", + "SV-213922", + "SV-213923", + "SV-213924", + "SV-213926", + "SV-213927", + "SV-251040" + ], + "addedControls": { + "SV-213913": { + "tags": { + "check_id": "C-15131r952219_chk", + "severity": "medium", + "gid": "V-213913", + "rid": "SV-213913r952219_rule", + "stig_id": "SQL6-D0-001800", + "gtitle": "SRG-APP-000231-DB-000154", + "fix_id": "F-15129r951656_fix", + "documentable": false, + "legacy": [ + "SV-93795", + "V-79089" + ], + "cci": [ + "CCI-001199" + ], + "nist": [ + "SC-28" + ] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "id": "SV-213913", + "title": "The Certificate used for encryption must be backed up and stored in a secure location that is not on the SQL Server.", + "desc": "Backup and recovery of the Certificate used for encryption is critical to the complete recovery of the database. Not having this key can lead to loss of data during recovery.", + "impact": 0.5, + "descs": { + "check": "If the application owner and authorizing official have determined that encryption of data at rest is not required, this is not a finding.\n\nReview procedures for and evidence of backup of the Certificate used for encryption in the System Security Plan. \n\nIf the procedures or evidence does not exist, this is a finding. \n\nIf the procedures do not indicate that a backup of the Certificate used for encryption is stored in a secure location that is not on the SQL Server, this is a finding. \n\nIf procedures do not indicate access restrictions to the Certificate backup, this is a finding.", + "fix": "Document and implement procedures to safely back up and store the Certificate used for encryption in a secure location that is not on the SQL Server. Include in the procedures to establish evidence of backup and storage as well as careful, restricted access and restoration of the Certificate.\n\nBACKUP CERTIFICATE 'CertificateName' TO FILE = 'path_to_file' \nWITH PRIVATE KEY (FILE = 'path_to_pvk', ENCRYPTION BY PASSWORD = 'password'); \n\nAs this requires a password, ensure it is not exposed to unauthorized persons or stored as plain text." + } + } + }, + "changedControls": { + "SV-213900": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213901": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213902": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213903": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213904": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213905": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events.\n\nSuppression of auditing could permit an adversary to evade detection.\n\nMisconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.", + "impact": 0.5, + "descs": {} + }, + "SV-213906": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213907": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213908": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213909": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213910": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213911": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213912": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "When not encrypted by the Service Master Key, system administrators or application administrators may access and use the Database Master Key to view sensitive data that they are not authorized to view. Where alternate encryption means are not feasible, encryption by the Service Master Key may be necessary. To help protect sensitive data from unauthorized access by DBAs, mitigations may be in order. Mitigations may include automatic alerts or other audit events when the Database Master Key is accessed outside of the application or by a DBA account.", + "impact": 0.5, + "descs": {} + }, + "SV-213914": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213915": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213916": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213917": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213918": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.", + "impact": 0.5, + "descs": {} + }, + "SV-213919": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.", + "impact": 0.5, + "descs": {} + }, + "SV-213920": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.", + "impact": 0.5, + "descs": {} + }, + "SV-213921": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213922": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213923": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213924": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213926": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "DBMSs handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to SQL Server or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). \n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides.", + "impact": 0.5, + "descs": {} + }, + "SV-213927": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-251040": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + } + } + }, + "rawDiff": { + "addedControlIDs": [ + "SV-213913" + ], + "removedControlIDs": [], + "renamedControlIDs": {}, + "changedControlIDs": [ + "SV-213900", + "SV-213901", + "SV-213902", + "SV-213903", + "SV-213904", + "SV-213905", + "SV-213906", + "SV-213907", + "SV-213908", + "SV-213909", + "SV-213910", + "SV-213911", + "SV-213912", + "SV-213914", + "SV-213915", + "SV-213916", + "SV-213917", + "SV-213918", + "SV-213919", + "SV-213920", + "SV-213921", + "SV-213922", + "SV-213923", + "SV-213924", + "SV-213926", + "SV-213927", + "SV-251040" + ], + "addedControls": { + "SV-213913": { + "tags": { + "check_id": "C-15131r952219_chk", + "severity": "medium", + "gid": "V-213913", + "rid": "SV-213913r952219_rule", + "stig_id": "SQL6-D0-001800", + "gtitle": "SRG-APP-000231-DB-000154", + "fix_id": "F-15129r951656_fix", + "documentable": false, + "legacy": [ + "SV-93795", + "V-79089" + ], + "cci": [ + "CCI-001199" + ], + "nist": [ + "SC-28" + ] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "id": "SV-213913", + "title": "The Certificate used for encryption must be backed up and stored in a secure location that is not on the SQL Server.", + "desc": "Backup and recovery of the Certificate used for encryption is critical to the complete recovery of the database. Not having this key can lead to loss of data during recovery.", + "impact": 0.5, + "descs": { + "check": "If the application owner and authorizing official have determined that encryption of data at rest is not required, this is not a finding.\n\nReview procedures for and evidence of backup of the Certificate used for encryption in the System Security Plan. \n\nIf the procedures or evidence does not exist, this is a finding. \n\nIf the procedures do not indicate that a backup of the Certificate used for encryption is stored in a secure location that is not on the SQL Server, this is a finding. \n\nIf procedures do not indicate access restrictions to the Certificate backup, this is a finding.", + "fix": "Document and implement procedures to safely back up and store the Certificate used for encryption in a secure location that is not on the SQL Server. Include in the procedures to establish evidence of backup and storage as well as careful, restricted access and restoration of the Certificate.\n\nBACKUP CERTIFICATE 'CertificateName' TO FILE = 'path_to_file' \nWITH PRIVATE KEY (FILE = 'path_to_pvk', ENCRYPTION BY PASSWORD = 'password'); \n\nAs this requires a password, ensure it is not exposed to unauthorized persons or stored as plain text." + } + } + }, + "changedControls": { + "SV-213900": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. Managing accounts for the same person in multiple places is inefficient and prone to problems with consistency and synchronization.\n\nA comprehensive application account management process that includes automation helps to ensure that accounts designated as requiring attention are consistently and promptly addressed. \n\nExamples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or by disabling accounts located in noncentralized account stores, such as multiple servers. Account management functions can also include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephone notification to report atypical system account usage.\n\nSQL Server must be configured to automatically utilize organization-level account management functions, and these functions must immediately enforce the organization's current account policy. \n\nAutomation may be comprised of differing technologies that when placed together, contain an overall mechanism supporting an organization's automated account management requirements." + } + }, + "SV-213901": { + "describe__deleted": " describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81847" + ], + [ + "-", + "V-67357" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access SQL Server. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including databases, must be properly configured to implement access control policies. \n\nSuccessful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. \n\nAccess control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. \n\nThis requirement is applicable to access control enforcement applications, a category that includes database management systems. If SQL Server does not follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy." + } + }, + "SV-213902": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. \n\nNon-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables and configuring the DBMS's audit tools to capture the necessary audit trail. Design and implementation also must ensure that applications pass individual user identification to the DBMS, even where the application connects to the DBMS with a standard, shared account.\n\nIf the computer account of a remote computer is granted access to a SQL Server database, any service or scheduled task running as NT AUTHORITY\\SYSTEM or NT AUTHORITY\\NETWORK SERVICE can log into the instance and perform actions. These actions cannot be traced back to a specific user or process." + } + }, + "SV-213903": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message.\n\nNon-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database. \n\nIn designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables and configuring SQL Server's audit tools to capture the necessary audit trail. Design and implementation also must ensure that applications pass individual user identification to SQL Server, even where the application connects to SQL Server with a standard, shared account. \n\nApplications should use temporal tables to track the changes and history of sensitive data." + } + }, + "SV-213904": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. \n\nNon-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database.\n\nSQL Server provides the ability for high privileged accounts to impersonate users in a database using the TRUSTWORTHY feature. This will allow members of the fixed database role to impersonate any user within the database." + } + }, + "SV-213905": { + "describe__deleted": " if input('server_audit_at_database_level_required')\n impact 0.5\n else\n impact 0.0\n desc 'Inspec attributes has specified that SQL Server Audit is not in use at\n the database level, this is not applicable (NA)'\n end\n\n approved_audit_maintainers = input('approved_audit_maintainers')\n\n # The query in check-text is assumes the presence of STIG schema as supplied with\n # the STIG supplemental. The below query ( partially taken from 2016 MSSQL STIG)\n # will work without STIG supplemental schema.\n\n query = %{\n SELECT DPE.PERMISSION_NAME AS 'PERMISSION',\n DPM.NAME AS 'ROLE MEMBER',\n DPR.NAME AS 'ROLE NAME'\n FROM SYS.DATABASE_ROLE_MEMBERS DRM\n JOIN SYS.DATABASE_PERMISSIONS DPE\n ON DRM.ROLE_PRINCIPAL_ID = DPE.GRANTEE_PRINCIPAL_ID\n JOIN SYS.DATABASE_PRINCIPALS DPR\n ON DRM.ROLE_PRINCIPAL_ID = DPR.PRINCIPAL_ID\n JOIN SYS.DATABASE_PRINCIPALS DPM\n ON DRM.MEMBER_PRINCIPAL_ID = DPM.PRINCIPAL_ID\n WHERE DPE.PERMISSION_NAME IN ( 'CONTROL', 'ALTER ANY DATABASE AUDIT' )\n OR DPM.NAME IN ('db_owner')\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n describe 'List of approved audit maintainers' do\n subject { sql_session.query(query).column('role member').uniq }\n it { should match_array approved_audit_maintainers }\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81851" + ], + [ + "-", + "V-67361" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "Inspec attributes has specified that SQL Server Audit is not in use at\n the database level, this is not applicable (NA)", + "__new": "Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events.\n\nSuppression of auditing could permit an adversary to evade detection.\n\nMisconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "Inspec attributes has specified that SQL Server Audit is not in use at\n the database level, this is not applicable (NA)" + } + }, + "SV-213906": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations." + } + }, + "SV-213907": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations." + } + }, + "SV-213908": { + "describe__deleted": " # The query in check text is assumes the presence of STIG schema as supplied\n # with the STIG supplemental. The below query ( taken from 2016 MSSQL STIG)\n # will work without STIG supplemental schema.\n\n query = %{\n ;WITH OBJECTS_CTE\n AS (SELECT O.NAME,\n O.TYPE_DESC,\n CASE\n WHEN O.PRINCIPAL_ID IS NULL THEN S.PRINCIPAL_ID\n ELSE O.PRINCIPAL_ID\n END AS PRINCIPAL_ID\n FROM SYS.OBJECTS O\n INNER JOIN SYS.SCHEMAS S\n ON O.SCHEMA_ID = S.SCHEMA_ID\n WHERE O.IS_MS_SHIPPED = 0)\n SELECT CTE.NAME,\n CTE.TYPE_DESC,\n DP.NAME AS OBJECTOWNER\n FROM OBJECTS_CTE CTE\n INNER JOIN SYS.DATABASE_PRINCIPALS DP\n ON CTE.PRINCIPAL_ID = DP.PRINCIPAL_ID\n ORDER BY DP.NAME,\n CTE.NAME\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n describe \"Authorized users for Database: #{input('db_name')}\" do\n subject { sql_session.query(query).column('objectowner').uniq }\n it { should cmp input('authorized_principals') }\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81861" + ], + [ + "-", + "V-67371" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who utilizes the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals.\n\nConversely, if critical tables or other objects in SQL Server rely on unauthorized owner accounts, these objects may be lost when an account is removed." + } + }, + "SV-213909": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "If SQL Server were to allow any user to make changes to database structure or logic, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations." + } + }, + "SV-213910": { + "describe__deleted": " describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. In the event of a system failure, SQL Server must be able to bring the database back to a consistent state." + } + }, + "SV-213911": { + "describe__deleted": " query = %{\n SELECT\n COUNT(credential_id) AS count_of_ids\n FROM\n [master].sys.master_key_passwords\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n describe 'Count of `Database Master Key passwords` stored in credentials within the database' do\n subject { sql_session.query(query).row(0).column('count_of_ids') }\n its('value') { should cmp 0 }\n end ", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Weak passwords may be easily guessed. When passwords are used to encrypt keys used for encryption of sensitive data, then the confidentiality of all data encrypted using that key is at risk." + } + }, + "SV-213912": { + "describe__deleted": " query = %(\n SELECT NAME\n FROM [master].sys.databases\n WHERE is_master_key_encrypted_by_server = 1\n AND owner_sid <> 1\n AND state = 0\n AND name = '#{input('db_name')}';\n )\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n results = sql_session.query(query)\n\n if results.empty?\n impact 0.0\n desc 'No databases require encryption hence this is not a finding'\n end\n\n describe 'The following checks must be performed manually' do\n skip \"The following checks must be performed manually:\n For the database #{results.column('name')} verify in the System Security\n Plan that encryption of the Database Master Key using the Service Master Key\n is acceptable and approved by the Information Owner, and the encrypted data\n does not require additional protections to deter or detect DBA access.\n If not approved, this is a finding.\n\n If approved and additional protections are required, then verify the additional\n requirements are in place in accordance with the System Security Plan. These\n may include additional auditing on access of the Database Master Key with\n alerts or other automated monitoring.\n\n If the additional requirements are not in place, this is a finding.\"\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81871" + ], + [ + "-", + "V-67381" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "No databases require encryption hence this is not a finding", + "__new": "When not encrypted by the Service Master Key, system administrators or application administrators may access and use the Database Master Key to view sensitive data that they are not authorized to view. Where alternate encryption means are not feasible, encryption by the Service Master Key may be necessary. To help protect sensitive data from unauthorized access by DBAs, mitigations may be in order. Mitigations may include automatic alerts or other audit events when the Database Master Key is accessed outside of the application or by a DBA account." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "No databases require encryption hence this is not a finding", + "check": { + "__old": "If no databases require encryption, this is not a finding.\n\nFrom the query prompt:\nSELECT name\nFROM [master].sys.databases\nWHERE is_master_key_encrypted_by_server = 1\nAND owner_sid <> 1\nAND state = 0;\n(Note that this query assumes that the [sa] account is not used as the owner of application databases, in keeping with other STIG guidance. If this is not the case, modify the query accordingly.)\n\nIf no databases are returned by the query, this is not a finding.\n\nFor any databases returned, verify in the System Security Plan that encryption of the Database Master Key using the Service Master Key is acceptable and approved by the Information Owner, and the encrypted data does not require additional protections to deter or detect DBA access. If not approved, this is a finding.\n\nIf approved and additional protections are required, then verify the additional requirements are in place in accordance with the System Security Plan. These may include additional auditing on access of the Database Master Key with alerts or other automated monitoring.\n\nIf the additional requirements are not in place, this is a finding.", + "__new": "If no databases require encryption, this is not a finding. \n\nFrom the query prompt: \n\nSELECT name \nFROM [master].sys.databases \nWHERE is_master_key_encrypted_by_server = 1 \nAND owner_sid <> 1 \nAND state = 0; \n(Note that this query assumes that the [sa] account is not used as the owner of application databases, in keeping with other STIG guidance. If this is not the case, modify the query accordingly.) \n\nIf no databases are returned by the query, this is not a finding. \n\nFor any databases returned, verify in the System Security Plan that encryption of the Database Master Key using the Service Master Key is acceptable and approved by the Information Owner, and the encrypted data does not require additional protections to deter or detect DBA access. If not approved, this is a finding. \n\nIf approved and additional protections are required, then verify the additional requirements are in place in accordance with the System Security Plan. These may include additional auditing on access of the Database Master Key with alerts or other automated monitoring. \n\nIf the additional requirements are not in place, this is a finding." + }, + "fix": { + "__old": "Where possible, encrypt the Database Master Key with a password known only to the application administrator. Where not possible, configure additional audit events or alerts to detect unauthorized access to the Database Master Key by users not authorized to view sensitive data.", + "__new": "Where possible, encrypt the Database Master Key with a password known only to the application administrator.\n\nWhere not possible, configure additional audit events or alerts to detect unauthorized access to the Database Master Key by users not authorized to view sensitive data." + } + } + }, + "SV-213914": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. \n\nSecurity functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.\n\nDevelopers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. \n\nDatabase Management Systems typically separate security functionality from non-security functionality via separate databases or schemas. Database objects or code implementing security functionality should not be commingled with objects or code implementing application logic. When security and non-security functionality are commingled, users who have access to non-security functionality may be able to access security functionality." + } + }, + "SV-213915": { + "describe__deleted": " describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81879" + ], + [ + "-", + "V-67389" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources. \n\nData used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, to include the conditions under which such transfer may take place, where the copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location without the proper controls." + } + }, + "SV-213916": { + "describe__deleted": " describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81881" + ], + [ + "-", + "V-67391" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application.\n\nWith respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database.\n\nEven when no such hijacking takes place, invalid input that gets recorded in the database, whether accidental or malicious, reduces the reliability and usability of the system. Available protections include data types, referential constraints, uniqueness constraints, range checking, and application-specific logic. Application-specific logic can be implemented within the database in stored procedures and triggers, where appropriate.\n\nThis calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.", + "check": { + "__old": "Review DBMS code (stored procedures, functions, triggers), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid input.\n\nIf code exists that allows invalid data to be acted upon or input into the database, this is a finding.\n\nIf column/field definitions are not reflective of the data, this is a finding.\n\nIf columns/fields do not contain constraints and validity checking where required, this is a finding.\n\nWhere a column/field is noted in the system documentation as necessarily free-form, even though its name and context suggest that it should be strongly typed and constrained, the absence of these protections is not a finding.\n\nWhere a column/field is clearly identified by name, caption or context as Notes, Comments, Description, Text, etc., the absence of these protections is not a finding.", + "__new": "Review DBMS code (stored procedures, functions, triggers), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid input. \n\nIf code exists that allows invalid data to be acted upon or input into the database, this is a finding. \n\nIf column/field definitions are not reflective of the data, this is a finding. \n\nIf columns/fields do not contain constraints and validity checking where required, this is a finding. \n\nWhere a column/field is noted in the system documentation as necessarily free-form, even though its name and context suggest that it should be strongly typed and constrained, the absence of these protections is not a finding. \n\nWhere a column/field is clearly identified by name, caption or context as Notes, Comments, Description, Text, etc., the absence of these protections is not a finding." + } + } + }, + "SV-213917": { + "describe__deleted": " # The below query was taken from 2016 MSSQL STIG\n\n query = %{\n DBCC\n TRACESTATUS (3625, -1)\n GO\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n describe 'TRACEFLAG 3625' do\n subject { sql_session.query(query).rows[0] }\n its('status') { should cmp 1 }\n its('global') { should cmp 1 }\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81887" + ], + [ + "-", + "V-67397" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Any DBMS or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team.\n\nDatabases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. In addition to sensitive business or personal information, database errors can provide host names, IP addresses, user names, and other system information not required for troubleshooting but very useful to someone targeting the system.\n\nCarefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers." + } + }, + "SV-213918": { + "describe__deleted": " if input('security_labeling_required')\n impact 0.5\n else\n impact 0.0\n desc 'Security labeling is stated as `not required` in the attributes file,\n this control is not applicable'\n end\n\n describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81891" + ], + [ + "-", + "V-67401" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable", + "__new": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable" + } + }, + "SV-213919": { + "describe__deleted": " if input('security_labeling_required')\n impact 0.5\n else\n impact 0.0\n desc 'Security labeling is stated as `not required` in the attributes file,\n this control is not applicable'\n end\n\n describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81893" + ], + [ + "-", + "V-67403" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable", + "__new": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable" + } + }, + "SV-213920": { + "describe__deleted": " if input('security_labeling_required')\n impact 0.5\n else\n impact 0.0\n desc 'Security labeling is stated as `not required` in the attributes file,\n this control is not applicable'\n end\n describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81895" + ], + [ + "-", + "V-67405" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable", + "__new": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable" + } + }, + "SV-213921": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled table permissions.\n\nWhen discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. \n\nA subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. \n\nThe policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control." + } + }, + "SV-213922": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "In certain situations, to provide required functionality, a DBMS needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking the functionality applications/programs, those users are indirectly provided with greater privileges than assigned by organizations.\n\nPrivilege elevation must be utilized only where necessary and protected from misuse." + } + }, + "SV-213923": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceed the rights of a regular user.\n\nDBMS functionality and the nature and requirements of databases will vary; so while users are not permitted to install unapproved software, there may be instances where the organization allows the user to install approved software packages such as from an approved software repository. The requirements for production servers will be more restrictive than those used for development and research.\n\nSQL Server must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization). \n\nIn the case of a database management system, this requirement covers stored procedures, functions, triggers, views, etc." + } + }, + "SV-213924": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system. \n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. \n\nAccordingly, only qualified and authorized individuals should be allowed to obtain access to system components for the purposes of initiating changes, including upgrades and modifications." + } + }, + "SV-213926": { + "describe__deleted": " data_at_rest_encryption_required = input('data_at_rest_encryption_required')\n\n query = %{\n SELECT\n d.name AS [Database Name],\n CASE e.encryption_state\n WHEN 0 THEN 'No database encryption key present, no encryption'\n WHEN 1 THEN 'Unencrypted'\n WHEN 2 THEN 'Encryption in progress'\n WHEN 3 THEN 'Encrypted'\n WHEN 4 THEN 'Key change in progress'\n WHEN 5 THEN 'Decryption in progress'\n WHEN 6 THEN 'Protection change in progress'\n END AS [Encryption State]\n FROM sys.dm_database_encryption_keys e\n RIGHT JOIN sys.databases d ON DB_NAME(e.database_id) = d.name\n WHERE d.name IN ('#{input('db_name')}')\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n unless data_at_rest_encryption_required\n impact 0.0\n desc 'If the application owner and Authorizing Official have\n determined that encryption of data at rest is NOT required, this is not a\n finding.'\n end\n\n describe \"Database: #{input('db_name')} encryption state\" do\n subject { sql_session.query(query).column('encryption state').uniq }\n it { should cmp 'Encrypted' }\n end\n\n describe 'The following checks must be performed manually' do\n skip \"The following checks must be performed manually:\n If full-disk encryption is required, and Windows or the storage system is not\n configured for this, this is a finding.\n\n If database transparent data encryption (TDE) is called for, check whether it\n is enabled:\n In SQL Server Management Studio, Object Explorer, expand the instance and\n right-click on the database name; select properties. Select the Options page,\n State section, Encryption Enabled parameter.\n\n If the value displayed is False, this is a finding.\n\n If column encryption, done via SQL Server features, is required, review the\n definitions and contents of the relevant tables and columns.\n\n If any of the information defined as requiring cryptographic protection is not\n encrypted in a manner that provides the required level of protection, this is a\n finding.\n\n If table/column encryption and/or a separation between those who own the data\n (and can view it) and those who manage the data (but should have no access) is\n required for PII or similar types of data, use Always Encrypted. The details\n for configuring Always Encrypted are located here:\n https://msdn.microsoft.com/en-us/library/mt163865.aspx.\n\n Review the definitions and contents of the relevant tables/columns for the\n Always Encryption settings, if any of the information defined as requiring\n cryptographic protection is not encrypted this is a finding.\"\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81899" + ], + [ + "-", + "V-67409" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "If the application owner and Authorizing Official have\n determined that encryption of data at rest is NOT required, this is not a\n finding.", + "__new": "DBMSs handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to SQL Server or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). \n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "If the application owner and Authorizing Official have\n determined that encryption of data at rest is NOT required, this is not a\n finding." + } + }, + "SV-213927": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "SQL Server’s handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to SQL Server or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). \n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides." + } + }, + "SV-251040": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\n\nNSA-approved cryptography for classified networks is hardware based. This requirement addresses the compatibility of a DBMS with the encryption devices." + } + } + } + } +} \ No newline at end of file diff --git a/src/assets/downloads/report.md b/src/assets/downloads/report.md new file mode 100644 index 000000000..a16403227 --- /dev/null +++ b/src/assets/downloads/report.md @@ -0,0 +1,10483 @@ +## Automatic Update: -> + +### New Controls: ++ SV-268322 - RHEL 8 must not allow blank or null passwords in the system-auth file. + + +### Updated Check/Fixes: +#### Checks: +
+ Click to expand. +SV-230262: +Old: +``` +Verify the system-wide shared library files are group-owned by "root" +with the following command: + + $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} +\; + + If any system wide shared library file is returned and is not group-owned +by a required system account, this is a finding. + +``` + +Updated: +``` +Verify the system-wide shared library files are group-owned by "root" with the following command: + +$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \; + +If any system wide shared library file is returned and is not group-owned by a required system account, this is a finding. + +``` +--- +SV-230379: +Old: +``` +Verify all accounts on the system are assigned to an active system, +application, or user account. + + Obtain the list of authorized system accounts from the Information System +Security Officer (ISSO). + + Check the system accounts on the system with the following command: + + $ sudo more /etc/passwd + + root:x:0:0:root:/root:/bin/bash + bin:x:1:1:bin:/bin:/sbin/nologin + daemon:x:2:2:daemon:/sbin:/sbin/nologin + sync:x:5:0:sync:/sbin:/bin/sync + shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown + halt:x:7:0:halt:/sbin:/sbin/halt + games:x:12:100:games:/usr/games:/sbin/nologin + gopher:x:13:30:gopher:/var/gopher:/sbin/nologin + + Accounts such as "games" and "gopher" are not authorized accounts as +they do not support authorized system functions. + + If the accounts on the system do not match the provided documentation, or +accounts that do not support an authorized system function are present, this is +a finding. + +``` + +Updated: +``` +Verify that there are no unauthorized interactive user accounts with the following command: + +$ less /etc/passwd + +root:x:0:0:root:/root:/bin/bash +... +games:x:12:100:games:/usr/games:/sbin/nologin +scsaustin:x:1001:1001:scsaustin:/home/scsaustin:/bin/bash +djohnson:x:1002:1002:djohnson:/home/djohnson:/bin/bash + +Interactive user account, generally will have a user identifier (UID) of 1000 or greater, a home directory in a specific partition, and an interactive shell. + +Obtain the list of interactive user accounts authorized to be on the system from the system administrator or information system security officer (ISSO) and compare it to the list of local interactive user accounts on the system. + +If there are unauthorized local user accounts on the system, this is a finding. + +``` +--- +SV-230470: +Old: +``` +Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the +following commands: + + Note: If the USBGuard daemon is not installed and enabled, this requirement +is not applicable. + + $ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf + + AuditBackend=LinuxAudit + + If the "AuditBackend" entry does not equal "LinuxAudit", is missing, or +the line is commented out, this is a finding. + +``` + +Updated: +``` +Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the following commands: + +Note: If the USBGuard daemon is not installed and enabled, this requirement is Not Applicable. + +$ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf + +AuditBackend=LinuxAudit + +If the "AuditBackend" entry does not equal "LinuxAudit", is missing, or the line is commented out, this is a finding. + +If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. + +``` +--- +SV-230524: +Old: +``` +Verify the USBGuard has a policy configured with the following command: + + $ sudo usbguard list-rules + + If the command does not return results or an error is returned, ask the SA +to indicate how unauthorized peripherals are being blocked. + + If there is no evidence that unauthorized peripherals are being blocked +before establishing a connection, this is a finding. + +``` + +Updated: +``` +Verify the USBGuard has a policy configured with the following command: + +$ sudo usbguard list-rules + +If the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. + +``` +--- +SV-230548: +Old: +``` +Verify RHEL 8 disables the use of user namespaces with the following commands: + +Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. + +$ sudo sysctl user.max_user_namespaces + +user.max_user_namespaces = 0 + +If the returned line does not have a value of "0", or a line is not returned, this is a finding. + +Check that the configuration files are present to enable this network parameter. + +$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + +/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0 + +If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. + +If conflicting results are returned, this is a finding. + +``` + +Updated: +``` +Verify RHEL 8 disables the use of user namespaces with the following commands: + +$ sudo sysctl user.max_user_namespaces + +user.max_user_namespaces = 0 + +If the returned line does not have a value of "0", or a line is not returned, this is a finding. + +Check that the configuration files are present to enable this network parameter. + +$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + +/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0 + +If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. + +If conflicting results are returned, this is a finding. + +If the use of namespaces is operationally required and documented with the ISSM, it is not a finding. + +``` +--- +SV-230559: +Old: +``` +Verify the gssproxy package has not been installed on the system with the +following commands: + + $ sudo yum list installed gssproxy + + gssproxy.x86_64 +0.8.0-14.el8 @anaconda + + If the gssproxy package is installed and is not documented with the +Information System Security Officer (ISSO) as an operational requirement, this +is a finding. + +``` + +Updated: +``` +Verify the gssproxy package has not been installed on the system with the following commands: + +$ sudo yum list installed gssproxy + +gssproxy.x86_64 0.8.0-14.el8 @anaconda + +If the gssproxy package is installed and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. + +If NFS mounts are being used, this is not a finding. + +``` +--- +SV-244527: +Old: +``` +Check that RHEL 8 has the packages required to enabled the hardware random +number generator entropy gatherer service with the following command: + + $ sudo yum list installed rng-tools + + rng-tools.x86_64 6.8-3.el8 +@anaconda + + If the "rng-tools" package is not installed, this is a finding. + +``` + +Updated: +``` +Note: For RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020, this requirement is Not Applicable. + +Check that RHEL 8 has the packages required to enabled the hardware random number generator entropy gatherer service with the following command: + +$ sudo yum list installed rng-tools + +rng-tools.x86_64 6.8-3.el8 @anaconda + +If the "rng-tools" package is not installed, this is a finding. + +``` +--- +SV-244547: +Old: +``` +Verify USBGuard is installed on the operating system with the following +command: + + $ sudo yum list installed usbguard + + Installed Packages + usbguard.x86_64 0.7.8-7.el8 @ol8_appstream + + If the USBGuard package is not installed, ask the SA to indicate how +unauthorized peripherals are being blocked. + If there is no evidence that unauthorized peripherals are being blocked +before establishing a connection, this is a finding. + +``` + +Updated: +``` +Verify USBGuard is installed on the operating system with the following command: + +$ sudo yum list installed usbguard + +Installed Packages +usbguard.x86_64 0.7.8-7.el8 @ol8_appstream + +If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. + +``` +--- +SV-244548: +Old: +``` +Verify the operating system has enabled the use of the USBGuard with the +following command: + + $ sudo systemctl status usbguard.service + + usbguard.service - USBGuard daemon + Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor +preset: disabled) + Active: active (running) + + If the usbguard.service is not enabled and active, ask the SA to indicate +how unauthorized peripherals are being blocked. + If there is no evidence that unauthorized peripherals are being blocked +before establishing a connection, this is a finding. + +``` + +Updated: +``` +Verify the operating system has enabled the use of the USBGuard with the following command: + +$ sudo systemctl status usbguard.service + +usbguard.service - USBGuard daemon +Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor preset: disabled) +Active: active (running) + +If the usbguard.service is not enabled and active, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. + +``` +--- +SV-257258: +Old: +``` +Verify that RHEL 8 logs out sessions that are idle for 15 minutes with the following command: + + $ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf + + StopIdleSessionSec=900 + +If "StopIdleSessionSec" is not configured to "900" seconds, this is a finding. + +``` + +Updated: +``` +Note: This requirement applies to RHEL versions 8.7 and higher. If the system is not RHEL version 8.7 or newer, this requirement is not applicable. + +Verify that RHEL 8 logs out sessions that are idle for 10 minutes with the following command: + +$ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf + +StopIdleSessionSec=600 + +If "StopIdleSessionSec" is not configured to "600" seconds, this is a finding. + +``` +--- +
+ +#### Fixes: +
+ Click to expand. +SV-230379: +Old: +``` +Configure the system so all accounts on the system are assigned to an +active system, application, or user account. + + Remove accounts that do not support approved system activities or that +allow for a normal user to perform administrative-level actions. + + Document all authorized accounts on the system. + +``` +New: +``` +Remove unauthorized local interactive user accounts with the following command where is the unauthorized account: + +$ sudo userdel + +``` +--- +SV-230548: +Old: +``` +Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: + +Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. + +user.max_user_namespaces = 0 + +Remove any configurations that conflict with the above from the following locations: +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf +/etc/sysctl.d/*.conf + +The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: + +$ sudo sysctl --system + +``` +New: +``` +Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: + +user.max_user_namespaces = 0 + +Remove any configurations that conflict with the above from the following locations: +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf +/etc/sysctl.d/*.conf + +The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: + +$ sudo sysctl --system + +``` +--- +SV-257258: +Old: +``` +Configure RHEL 8 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line: + + StopIdleSessionSec=900 + +The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: + + $ sudo systemctl restart systemd-logind + +Note: To preserve running user programs such as tmux, uncomment and/or edit "KillUserProccesses=no" in "/etc/systemd/logind.conf". + +``` +New: +``` +Configure RHEL 8 to log out idle sessions after 10 minutes by editing the /etc/systemd/logind.conf file with the following line: + +StopIdleSessionSec=600 + +The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: + +$ sudo systemctl restart systemd-logind + +``` +--- +
+ +### Updated Impacts +
+ Click to expand. +SV-230223: +Old: 0 +New: 0.7 +--- +SV-230224: +Old: 0 +New: 0.5 +--- +SV-230230: +Old: 0 +New: 0.5 +--- +SV-230234: +Old: 0 +New: 0.7 +--- +SV-230235: +Old: 0 +New: 0.7 +--- +SV-230238: +Old: 0 +New: 0.5 +--- +SV-230239: +Old: 0 +New: 0.5 +--- +SV-230244: +Old: 0 +New: 0.5 +--- +SV-230273: +Old: 0 +New: 0.5 +--- +SV-230275: +Old: 0 +New: 0.5 +--- +SV-230285: +Old: 0 +New: 0.3 +--- +SV-230300: +Old: 0 +New: 0.5 +--- +SV-230328: +Old: 0 +New: 0.5 +--- +SV-230329: +Old: 0 +New: 0.7 +--- +SV-230332: +Old: 0 +New: 0.5 +--- +SV-230347: +Old: 0 +New: 0.5 +--- +SV-230351: +Old: 0 +New: 0.5 +--- +SV-230352: +Old: 0 +New: 0.5 +--- +SV-230354: +Old: 0 +New: 0.5 +--- +SV-230376: +Old: 0 +New: 0.5 +--- +SV-230380: +Old: 0 +New: 0.7 +--- +SV-230382: +Old: 0 +New: 0.5 +--- +SV-230385: +Old: 0.7 +New: 0.5 +--- +SV-230493: +Old: 0 +New: 0.5 +--- +SV-230502: +Old: 0 +New: 0.5 +--- +SV-230506: +Old: 0 +New: 0.5 +--- +SV-230507: +Old: 0 +New: 0.5 +--- +SV-230523: +Old: 0 +New: 0.5 +--- +SV-230530: +Old: 0 +New: 0.7 +--- +SV-230535: +Old: 0 +New: 0.5 +--- +SV-230536: +Old: 0 +New: 0.5 +--- +SV-230537: +Old: 0 +New: 0.5 +--- +SV-230538: +Old: 0 +New: 0.5 +--- +SV-230539: +Old: 0 +New: 0.5 +--- +SV-230540: +Old: 0 +New: 0.5 +--- +SV-230541: +Old: 0 +New: 0.5 +--- +SV-230542: +Old: 0 +New: 0.5 +--- +SV-230543: +Old: 0 +New: 0.5 +--- +SV-230544: +Old: 0 +New: 0.5 +--- +SV-230545: +Old: 0 +New: 0.5 +--- +SV-230546: +Old: 0 +New: 0.5 +--- +SV-230547: +Old: 0 +New: 0.5 +--- +SV-230548: +Old: 0 +New: 0.5 +--- +SV-230549: +Old: 0 +New: 0.5 +--- +SV-230550: +Old: 0 +New: 0.5 +--- +SV-230557: +Old: 0 +New: 0.5 +--- +SV-237640: +Old: 0 +New: 0.5 +--- +SV-244519: +Old: 0 +New: 0.5 +--- +SV-244521: +Old: 0 +New: 0.5 +--- +SV-244522: +Old: 0 +New: 0.5 +--- +SV-244530: +Old: 0 +New: 0.5 +--- +SV-244535: +Old: 0 +New: 0.5 +--- +SV-244536: +Old: 0 +New: 0.5 +--- +SV-244538: +Old: 0 +New: 0.5 +--- +SV-244539: +Old: 0 +New: 0.5 +--- +SV-244545: +Old: 0 +New: 0.5 +--- +SV-244546: +Old: 0 +New: 0.5 +--- +SV-244550: +Old: 0 +New: 0.5 +--- +SV-244551: +Old: 0 +New: 0.5 +--- +SV-244552: +Old: 0 +New: 0.5 +--- +SV-244553: +Old: 0 +New: 0.5 +--- +SV-244554: +Old: 0 +New: 0.5 +--- +SV-250315: +Old: 0 +New: 0.5 +--- +SV-250317: +Old: 0 +New: 0.5 +--- +SV-251710: +Old: 0 +New: 0.5 +--- +SV-251711: +Old: 0 +New: 0.5 +--- +SV-251712: +Old: 0 +New: 0.5 +--- +SV-251718: +Old: 0 +New: 0.5 +--- +
+ +### Updated Titles +
+ Click to expand. +SV-230226: +Old: RHEL 8 must display the Standard Mandatory DoD Notice and Consent +Banner before granting local or remote access to the system via a graphical +user logon. +New: RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. +--- +SV-230227: +Old: RHEL 8 must display the Standard Mandatory DoD Notice and Consent +Banner before granting local or remote access to the system via a command line +user logon. +New: RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. +--- +SV-230229: +Old: RHEL 8, for PKI-based authentication, must validate certificates by +constructing a certification path (which includes status information) to an +accepted trust anchor. +New: RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. +--- +SV-230230: +Old: RHEL 8, for certificate-based authentication, must enforce authorized +access to the corresponding private key. +New: RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. +--- +SV-230231: +Old: RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved +cryptographic hashing algorithm. +New: RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm. +--- +SV-230232: +Old: RHEL 8 must employ FIPS 140-2 approved cryptographic hashing +algorithms for all stored passwords. +New: RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. +--- +SV-230234: +Old: RHEL 8 operating systems booted with United Extensible Firmware +Interface (UEFI) must require authentication upon booting into single-user mode +and maintenance. +New: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance. +--- +SV-230235: +Old: RHEL 8 operating systems booted with a BIOS must require +authentication upon booting into single-user and maintenance modes. +New: RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. +--- +SV-230236: +Old: RHEL 8 operating systems must require authentication upon booting into +rescue mode. +New: RHEL 8 operating systems must require authentication upon booting into rescue mode. +--- +SV-230237: +Old: The RHEL 8 pam_unix.so module must be configured in the password-auth +file to use a FIPS 140-2 approved cryptographic hashing algorithm for system +authentication. +New: The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. +--- +SV-230238: +Old: RHEL 8 must prevent system daemons from using Kerberos for +authentication. +New: RHEL 8 must prevent system daemons from using Kerberos for authentication. +--- +SV-230240: +Old: RHEL 8 must use a Linux Security Module configured to enforce limits +on system services. +New: RHEL 8 must use a Linux Security Module configured to enforce limits on system services. +--- +SV-230243: +Old: A sticky bit must be set on all RHEL 8 public directories to prevent +unauthorized and unintended information transferred via shared system +resources. +New: A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. +--- +SV-230245: +Old: The RHEL 8 /var/log/messages file must have mode 0640 or less +permissive. +New: The RHEL 8 /var/log/messages file must have mode 0640 or less permissive. +--- +SV-230252: +Old: The RHEL 8 operating system must implement DoD-approved encryption to +protect the confidentiality of SSH server connections. +New: The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. +--- +SV-230254: +Old: The RHEL 8 operating system must implement DoD-approved encryption in +the OpenSSL package. +New: The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. +--- +SV-230255: +Old: The RHEL 8 operating system must implement DoD-approved TLS encryption +in the OpenSSL package. +New: The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package. +--- +SV-230256: +Old: The RHEL 8 operating system must implement DoD-approved TLS encryption +in the GnuTLS package. +New: The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package. +--- +SV-230259: +Old: RHEL 8 system commands must be group-owned by root or a system +account. +New: RHEL 8 system commands must be group-owned by root or a system account. +--- +SV-230263: +Old: The RHEL 8 file integrity tool must notify the system administrator +when changes to the baseline configuration or anomalies in the operation of any +security functions are discovered within an organizationally defined frequency. +New: The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency. +--- +SV-230264: +Old: RHEL 8 must prevent the installation of software, patches, service +packs, device drivers, or operating system components from a repository without +verification they have been digitally signed using a certificate that is issued +by a Certificate Authority (CA) that is recognized and approved by the +organization. +New: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. +--- +SV-230265: +Old: RHEL 8 must prevent the installation of software, patches, service +packs, device drivers, or operating system components of local packages without +verification they have been digitally signed using a certificate that is issued +by a Certificate Authority (CA) that is recognized and approved by the +organization. +New: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. +--- +SV-230267: +Old: RHEL 8 must enable kernel parameters to enforce discretionary access +control on symlinks. +New: RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. +--- +SV-230271: +Old: RHEL 8 must require users to provide a password for privilege +escalation. +New: RHEL 8 must require users to provide a password for privilege escalation. +--- +SV-230273: +Old: RHEL 8 must have the packages required for multifactor authentication + installed. +New: RHEL 8 must have the packages required for multifactor authentication installed. +--- +SV-230276: +Old: RHEL 8 must implement non-executable data to protect its memory from +unauthorized code execution. +New: RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. +--- +SV-230277: +Old: RHEL 8 must clear the page allocator to prevent use-after-free +attacks. +New: RHEL 8 must clear the page allocator to prevent use-after-free attacks. +--- +SV-230280: +Old: RHEL 8 must implement address space layout randomization (ASLR) to +protect its memory from unauthorized code execution. +New: RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. +--- +SV-230281: +Old: YUM must remove all software components after updated versions have +been installed on RHEL 8. +New: YUM must remove all software components after updated versions have been installed on RHEL 8. +--- +SV-230285: +Old: RHEL 8 must enable the hardware random number generator entropy +gatherer service. +New: RHEL 8 must enable the hardware random number generator entropy gatherer service. +--- +SV-230286: +Old: The RHEL 8 SSH public host key files must have mode 0644 or less +permissive. +New: The RHEL 8 SSH public host key files must have mode 0644 or less permissive. +--- +SV-230288: +Old: The RHEL 8 SSH daemon must perform strict mode checking of home +directory configuration files. +New: The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files. +--- +SV-230290: +Old: The RHEL 8 SSH daemon must not allow authentication using known host’s +authentication. +New: The RHEL 8 SSH daemon must not allow authentication using known host’s authentication. +--- +SV-230291: +Old: The RHEL 8 SSH daemon must not allow Kerberos authentication, except +to fulfill documented and validated mission requirements. +New: The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements. +--- +SV-230296: +Old: RHEL 8 must not permit direct logons to the root account using remote +access via SSH. +New: RHEL 8 must not permit direct logons to the root account using remote access via SSH. +--- +SV-230299: +Old: RHEL 8 must prevent files with the setuid and setgid bit set from +being executed on file systems that contain user home directories. +New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. +--- +SV-230300: +Old: RHEL 8 must prevent files with the setuid and setgid bit set from +being executed on the /boot directory. +New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. +--- +SV-230302: +Old: RHEL 8 must prevent code from being executed on file systems that +contain user home directories. +New: RHEL 8 must prevent code from being executed on file systems that contain user home directories. +--- +SV-230303: +Old: RHEL 8 must prevent special devices on file systems that are used with +removable media. +New: RHEL 8 must prevent special devices on file systems that are used with removable media. +--- +SV-230304: +Old: RHEL 8 must prevent code from being executed on file systems that are +used with removable media. +New: RHEL 8 must prevent code from being executed on file systems that are used with removable media. +--- +SV-230305: +Old: RHEL 8 must prevent files with the setuid and setgid bit set from +being executed on file systems that are used with removable media. +New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. +--- +SV-230306: +Old: RHEL 8 must prevent code from being executed on file systems that are +imported via Network File System (NFS). +New: RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS). +--- +SV-230307: +Old: RHEL 8 must prevent special devices on file systems that are imported +via Network File System (NFS). +New: RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS). +--- +SV-230308: +Old: RHEL 8 must prevent files with the setuid and setgid bit set from +being executed on file systems that are imported via Network File System (NFS). +New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). +--- +SV-230309: +Old: Local RHEL 8 initialization files must not execute world-writable +programs. +New: Local RHEL 8 initialization files must not execute world-writable programs. +--- +SV-230316: +Old: For RHEL 8 systems using Domain Name Servers (DNS) resolution, at +least two name servers must be configured. +New: For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. +--- +SV-230317: +Old: Executable search paths within the initialization files of all local +interactive RHEL 8 users must only contain paths that resolve to the system +default or the users home directory. +New: Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. +--- +SV-230318: +Old: All RHEL 8 world-writable directories must be owned by root, sys, bin, +or an application user. +New: All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user. +--- +SV-230319: +Old: All RHEL 8 world-writable directories must be group-owned by root, +sys, bin, or an application group. +New: All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. +--- +SV-230320: +Old: All RHEL 8 local interactive users must have a home directory assigned +in the /etc/passwd file. +New: All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. +--- +SV-230321: +Old: All RHEL 8 local interactive user home directories must have mode 0750 +or less permissive. +New: All RHEL 8 local interactive user home directories must have mode 0750 or less permissive. +--- +SV-230322: +Old: All RHEL 8 local interactive user home directories must be group-owned +by the home directory owner’s primary group. +New: All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group. +--- +SV-230323: +Old: All RHEL 8 local interactive user home directories defined in the +/etc/passwd file must exist. +New: All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist. +--- +SV-230324: +Old: All RHEL 8 local interactive user accounts must be assigned a home +directory upon creation. +New: All RHEL 8 local interactive user accounts must be assigned a home directory upon creation. +--- +SV-230325: +Old: All RHEL 8 local initialization files must have mode 0740 or less +permissive. +New: All RHEL 8 local initialization files must have mode 0740 or less permissive. +--- +SV-230328: +Old: A separate RHEL 8 filesystem must be used for user home directories +(such as /home or an equivalent). +New: A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent). +--- +SV-230329: +Old: Unattended or automatic logon via the RHEL 8 graphical user interface +must not be allowed. +New: Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed. +--- +SV-230331: +Old: RHEL 8 temporary user accounts must be provisioned with an expiration +time of 72 hours or less. +New: RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less. +--- +SV-230332: +Old: RHEL 8 must automatically lock an account when three unsuccessful +logon attempts occur. +New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. +--- +SV-230333: +Old: RHEL 8 must automatically lock an account when three unsuccessful +logon attempts occur. +New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. +--- +SV-230334: +Old: RHEL 8 must automatically lock an account when three unsuccessful +logon attempts occur during a 15-minute time period. +New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. +--- +SV-230335: +Old: RHEL 8 must automatically lock an account when three unsuccessful +logon attempts occur during a 15-minute time period. +New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. +--- +SV-230336: +Old: RHEL 8 must automatically lock an account until the locked account is +released by an administrator when three unsuccessful logon attempts occur +during a 15-minute time period. +New: RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. +--- +SV-230337: +Old: RHEL 8 must automatically lock an account until the locked account is +released by an administrator when three unsuccessful logon attempts occur +during a 15-minute time period. +New: RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. +--- +SV-230340: +Old: RHEL 8 must prevent system messages from being presented when three +unsuccessful logon attempts occur. +New: RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. +--- +SV-230341: +Old: RHEL 8 must prevent system messages from being presented when three +unsuccessful logon attempts occur. +New: RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. +--- +SV-230342: +Old: RHEL 8 must log user name information when unsuccessful logon attempts +occur. +New: RHEL 8 must log user name information when unsuccessful logon attempts occur. +--- +SV-230343: +Old: RHEL 8 must log user name information when unsuccessful logon attempts +occur. +New: RHEL 8 must log user name information when unsuccessful logon attempts occur. +--- +SV-230344: +Old: RHEL 8 must include root when automatically locking an account until +the locked account is released by an administrator when three unsuccessful +logon attempts occur during a 15-minute time period. +New: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. +--- +SV-230345: +Old: RHEL 8 must include root when automatically locking an account until +the locked account is released by an administrator when three unsuccessful +logon attempts occur during a 15-minute time period. +New: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. +--- +SV-230346: +Old: RHEL 8 must limit the number of concurrent sessions to ten for all +accounts and/or account types. +New: RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types. +--- +SV-230347: +Old: RHEL 8 must enable a user session lock until that user re-establishes +access using established identification and authentication procedures for +graphical user sessions. +New: RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. +--- +SV-230351: +Old: RHEL 8 must be able to initiate directly a session lock for all + connection types using smartcard when the smartcard is removed. +New: RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. +--- +SV-230352: +Old: RHEL 8 must automatically lock graphical user sessions after 15 +minutes of inactivity. +New: RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity. +--- +SV-230354: +Old: RHEL 8 must prevent a user from overriding the session lock-delay +setting for the graphical user interface. +New: RHEL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface. +--- +SV-230355: +Old: RHEL 8 must map the authenticated identity to the user or group +account for PKI-based authentication. +New: RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication. +--- +SV-230357: +Old: RHEL 8 must enforce password complexity by requiring that at least one +uppercase character be used. +New: RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used. +--- +SV-230358: +Old: RHEL 8 must enforce password complexity by requiring that at least one +lower-case character be used. +New: RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used. +--- +SV-230359: +Old: RHEL 8 must enforce password complexity by requiring that at least one +numeric character be used. +New: RHEL 8 must enforce password complexity by requiring that at least one numeric character be used. +--- +SV-230360: +Old: RHEL 8 must require the maximum number of repeating characters of the +same character class be limited to four when passwords are changed. +New: RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. +--- +SV-230361: +Old: RHEL 8 must require the maximum number of repeating characters be +limited to three when passwords are changed. +New: RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed. +--- +SV-230363: +Old: RHEL 8 must require the change of at least 8 characters when passwords +are changed. +New: RHEL 8 must require the change of at least 8 characters when passwords are changed. +--- +SV-230364: +Old: RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime +restriction in /etc/shadow. +New: RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. +--- +SV-230366: +Old: RHEL 8 user account passwords must have a 60-day maximum password +lifetime restriction. +New: RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction. +--- +SV-230367: +Old: RHEL 8 user account passwords must be configured so that existing +passwords are restricted to a 60-day maximum lifetime. +New: RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. +--- +SV-230372: +Old: RHEL 8 must implement smart card logon for multifactor authentication +for access to interactive accounts. +New: RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. +--- +SV-230373: +Old: RHEL 8 account identifiers (individuals, groups, roles, and devices) + must be disabled after 35 days of inactivity. +New: RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity. +--- +SV-230378: +Old: RHEL 8 must enforce a delay of at least four seconds between logon +prompts following a failed logon attempt. +New: RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. +--- +SV-230380: +Old: RHEL 8 must not allow accounts configured with blank or null +passwords. +New: RHEL 8 must not allow accounts configured with blank or null passwords. +--- +SV-230381: +Old: RHEL 8 must display the date and time of the last successful account +logon upon logon. +New: RHEL 8 must display the date and time of the last successful account logon upon logon. +--- +SV-230382: +Old: RHEL 8 must display the date and time of the last successful account +logon upon an SSH logon. +New: RHEL 8 must display the date and time of the last successful account logon upon an SSH logon. +--- +SV-230383: +Old: RHEL 8 must define default permissions for all authenticated users in +such a way that the user can only read and modify their own files. +New: RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. +--- +SV-230384: +Old: RHEL 8 must set the umask value to 077 for all local interactive user +accounts. +New: RHEL 8 must set the umask value to 077 for all local interactive user accounts. +--- +SV-230386: +Old: The RHEL 8 audit system must be configured to audit the execution of +privileged functions and prevent all software from executing at higher +privilege levels than users executing the software. +New: The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. +--- +SV-230388: +Old: The RHEL 8 System Administrator (SA) and Information System Security +Officer (ISSO) (at a minimum) must be alerted of an audit processing failure +event. +New: The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. +--- +SV-230389: +Old: The RHEL 8 Information System Security Officer (ISSO) and System +Administrator (SA) (at a minimum) must have mail aliases to be notified of an +audit processing failure. +New: The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure. +--- +SV-230390: +Old: The RHEL 8 System must take appropriate action when an audit +processing failure occurs. +New: The RHEL 8 System must take appropriate action when an audit processing failure occurs. +--- +SV-230392: +Old: The RHEL 8 audit system must take appropriate action when the audit +storage volume is full. +New: The RHEL 8 audit system must take appropriate action when the audit storage volume is full. +--- +SV-230394: +Old: RHEL 8 must label all off-loaded audit logs before sending them to the +central log server. +New: RHEL 8 must label all off-loaded audit logs before sending them to the central log server. +--- +SV-230396: +Old: RHEL 8 audit logs must have a mode of 0600 or less permissive to +prevent unauthorized read access. +New: RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. +--- +SV-230397: +Old: RHEL 8 audit logs must be owned by root to prevent unauthorized read +access. +New: RHEL 8 audit logs must be owned by root to prevent unauthorized read access. +--- +SV-230398: +Old: RHEL 8 audit logs must be group-owned by root to prevent unauthorized +read access. +New: RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. +--- +SV-230399: +Old: RHEL 8 audit log directory must be owned by root to prevent +unauthorized read access. +New: RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. +--- +SV-230400: +Old: RHEL 8 audit log directory must be group-owned by root to prevent +unauthorized read access. +New: RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. +--- +SV-230401: +Old: RHEL 8 audit log directory must have a mode of 0700 or less permissive +to prevent unauthorized read access. +New: RHEL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access. +--- +SV-230402: +Old: RHEL 8 audit system must protect auditing rules from unauthorized +change. +New: RHEL 8 audit system must protect auditing rules from unauthorized change. +--- +SV-230404: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/shadow. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. +--- +SV-230405: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect +/etc/security/opasswd. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. +--- +SV-230406: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/passwd. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. +--- +SV-230407: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/gshadow. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. +--- +SV-230408: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/group. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. +--- +SV-230409: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/sudoers. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. +--- +SV-230410: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/sudoers.d/. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. +--- +SV-230412: +Old: Successful/unsuccessful uses of the su command in RHEL 8 must generate +an audit record. +New: Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record. +--- +SV-230418: +Old: Successful/unsuccessful uses of the chage command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record. +--- +SV-230419: +Old: Successful/unsuccessful uses of the chcon command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record. +--- +SV-230421: +Old: Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate +an audit record. +New: Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record. +--- +SV-230422: +Old: Successful/unsuccessful uses of the passwd command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record. +--- +SV-230423: +Old: Successful/unsuccessful uses of the mount command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record. +--- +SV-230424: +Old: Successful/unsuccessful uses of the umount command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record. +--- +SV-230425: +Old: Successful/unsuccessful uses of the mount syscall in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record. +--- +SV-230426: +Old: Successful/unsuccessful uses of the unix_update in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record. +--- +SV-230427: +Old: Successful/unsuccessful uses of postdrop in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record. +--- +SV-230428: +Old: Successful/unsuccessful uses of postqueue in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record. +--- +SV-230429: +Old: Successful/unsuccessful uses of semanage in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record. +--- +SV-230430: +Old: Successful/unsuccessful uses of setfiles in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record. +--- +SV-230431: +Old: Successful/unsuccessful uses of userhelper in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record. +--- +SV-230432: +Old: Successful/unsuccessful uses of setsebool in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record. +--- +SV-230433: +Old: Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record. +--- +SV-230434: +Old: Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record. +--- +SV-230435: +Old: Successful/unsuccessful uses of the setfacl command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record. +--- +SV-230436: +Old: Successful/unsuccessful uses of the pam_timestamp_check command in +RHEL 8 must generate an audit record. +New: Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record. +--- +SV-230437: +Old: Successful/unsuccessful uses of the newgrp command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record. +--- +SV-230444: +Old: Successful/unsuccessful uses of the gpasswd command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record. +--- +SV-230446: +Old: Successful/unsuccessful uses of the delete_module command in RHEL 8 +must generate an audit record. +New: Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record. +--- +SV-230447: +Old: Successful/unsuccessful uses of the crontab command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record. +--- +SV-230448: +Old: Successful/unsuccessful uses of the chsh command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record. +--- +SV-230462: +Old: Successful/unsuccessful uses of the sudo command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record. +--- +SV-230463: +Old: Successful/unsuccessful uses of the usermod command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record. +--- +SV-230464: +Old: Successful/unsuccessful uses of the chacl command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record. +--- +SV-230465: +Old: Successful/unsuccessful uses of the kmod command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record. +--- +SV-230466: +Old: Successful/unsuccessful modifications to the faillock log file in RHEL +8 must generate an audit record. +New: Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record. +--- +SV-230467: +Old: Successful/unsuccessful modifications to the lastlog file in RHEL 8 +must generate an audit record. +New: Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record. +--- +SV-230468: +Old: RHEL 8 must enable auditing of processes that start prior to the audit +daemon. +New: RHEL 8 must enable auditing of processes that start prior to the audit daemon. +--- +SV-230469: +Old: RHEL 8 must allocate an audit_backlog_limit of sufficient size to +capture processes that start prior to the audit daemon. +New: RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. +--- +SV-230471: +Old: RHEL 8 must allow only the Information System Security Manager (ISSM) +(or individuals or roles appointed by the ISSM) to select which auditable +events are to be audited. +New: RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. +--- +SV-230475: +Old: RHEL 8 must use cryptographic mechanisms to protect the integrity of +audit tools. +New: RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools. +--- +SV-230476: +Old: RHEL 8 must allocate audit record storage capacity to store at least +one week of audit records, when audit records are not immediately sent to a +central audit record storage facility. +New: RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. +--- +SV-230477: +Old: RHEL 8 must have the packages required for offloading audit logs +installed. +New: RHEL 8 must have the packages required for offloading audit logs installed. +--- +SV-230478: +Old: RHEL 8 must have the packages required for encrypting offloaded audit +logs installed. +New: RHEL 8 must have the packages required for encrypting offloaded audit logs installed. +--- +SV-230479: +Old: The RHEL 8 audit records must be off-loaded onto a different system or +storage media from the system being audited. +New: The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited. +--- +SV-230480: +Old: RHEL 8 must take appropriate action when the internal event queue is +full. +New: RHEL 8 must take appropriate action when the internal event queue is full. +--- +SV-230481: +Old: RHEL 8 must encrypt the transfer of audit records off-loaded onto a +different system or media from the system being audited. +New: RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited. +--- +SV-230482: +Old: RHEL 8 must authenticate the remote logging server for off-loading +audit logs. +New: RHEL 8 must authenticate the remote logging server for off-loading audit logs. +--- +SV-230483: +Old: RHEL 8 must take action when allocated audit record storage volume + reaches 75 percent of the repository maximum audit record storage capacity. +New: RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. +--- +SV-230484: +Old: RHEL 8 must securely compare internal information system clocks at +least every 24 hours with a server synchronized to an authoritative time +source, such as the United States Naval Observatory (USNO) time servers, or a +time server designated for the appropriate DoD network (NIPRNet/SIPRNet), +and/or the Global Positioning System (GPS). +New: RHEL 8 must securely compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). +--- +SV-230491: +Old: RHEL 8 must enable mitigations against processor-based +vulnerabilities. +New: RHEL 8 must enable mitigations against processor-based vulnerabilities. +--- +SV-230493: +Old: RHEL 8 must cover or disable the built-in or attached camera when not +in use. +New: RHEL 8 must cover or disable the built-in or attached camera when not in use. +--- +SV-230497: +Old: RHEL 8 must disable the transparent inter-process communication (TIPC) +protocol. +New: RHEL 8 must disable the transparent inter-process communication (TIPC) protocol. +--- +SV-230500: +Old: RHEL 8 must be configured to prohibit or restrict the use of +functions, ports, protocols, and/or services, as defined in the Ports, +Protocols, and Services Management (PPSM) Category Assignments List (CAL) and +vulnerability assessments. +New: RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. +--- +SV-230504: +Old: A RHEL 8 firewall must employ a deny-all, allow-by-exception policy +for allowing connections to other systems. +New: A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. +--- +SV-230524: +Old: RHEL 8 must block unauthorized peripherals before establishing a +connection. +New: RHEL 8 must block unauthorized peripherals before establishing a connection. +--- +SV-230525: +Old: A firewall must be able to protect against or limit the effects of +Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting +measures on impacted network interfaces. +New: A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. +--- +SV-230526: +Old: All RHEL 8 networked systems must have and implement SSH to protect +the confidentiality and integrity of transmitted and received information, as +well as information during preparation for transmission. +New: All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. +--- +SV-230527: +Old: RHEL 8 must force a frequent session key renegotiation for SSH +connections to the server. +New: RHEL 8 must force a frequent session key renegotiation for SSH connections to the server. +--- +SV-230530: +Old: The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a +graphical user interface is installed. +New: The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. +--- +SV-230531: +Old: The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be +disabled. +New: The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled. +--- +SV-230533: +Old: The Trivial File Transfer Protocol (TFTP) server package must not be +installed if not required for RHEL 8 operational support. +New: The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support. +--- +SV-230534: +Old: The root account must be the only account having unrestricted access +to the RHEL 8 system. +New: The root account must be the only account having unrestricted access to the RHEL 8 system. +--- +SV-230535: +Old: RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) +redirect messages from being accepted. +New: RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. +--- +SV-230536: +Old: RHEL 8 must not send Internet Control Message Protocol (ICMP) +redirects. +New: RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. +--- +SV-230537: +Old: RHEL 8 must not respond to Internet Control Message Protocol (ICMP) +echoes sent to a broadcast address. +New: RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. +--- +SV-230542: +Old: RHEL 8 must not accept router advertisements on all IPv6 interfaces by +default. +New: RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. +--- +SV-230543: +Old: RHEL 8 must not allow interfaces to perform Internet Control Message +Protocol (ICMP) redirects by default. +New: RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. +--- +SV-230544: +Old: RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) +redirect messages. +New: RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. +--- +SV-230545: +Old: RHEL 8 must disable access to network bpf syscall from unprivileged +processes. +New: RHEL 8 must disable access to network bpf syscall from unprivileged processes. +--- +SV-230551: +Old: The RHEL 8 file integrity tool must be configured to verify extended +attributes. +New: The RHEL 8 file integrity tool must be configured to verify extended attributes. +--- +SV-230552: +Old: The RHEL 8 file integrity tool must be configured to verify Access +Control Lists (ACLs). +New: The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs). +--- +SV-230553: +Old: The graphical display manager must not be installed on RHEL 8 unless +approved. +New: The graphical display manager must not be installed on RHEL 8 unless approved. +--- +SV-230555: +Old: RHEL 8 remote X connections for interactive users must be disabled +unless to fulfill documented and validated mission requirements. +New: RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements. +--- +SV-230556: +Old: The RHEL 8 SSH daemon must prevent remote hosts from connecting to the +proxy display. +New: The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display. +--- +SV-230557: +Old: If the Trivial File Transfer Protocol (TFTP) server is required, the +RHEL 8 TFTP daemon must be configured to operate in secure mode. +New: If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode. +--- +SV-230558: +Old: A File Transfer Protocol (FTP) server package must not be installed +unless mission essential on RHEL 8. +New: A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8. +--- +SV-230559: +Old: The gssproxy package must not be installed unless mission essential on +RHEL 8. +New: The gssproxy package must not be installed unless mission essential on RHEL 8. +--- +SV-230560: +Old: The iprutils package must not be installed unless mission essential on +RHEL 8. +New: The iprutils package must not be installed unless mission essential on RHEL 8. +--- +SV-230561: +Old: The tuned package must not be installed unless mission essential on +RHEL 8. +New: The tuned package must not be installed unless mission essential on RHEL 8. +--- +SV-237642: +Old: RHEL 8 must use the invoking user's password for privilege escalation +when using "sudo". +New: RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". +--- +SV-244519: +Old: RHEL 8 must display a banner before granting local or remote access to +the system via a graphical user logon. +New: RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon. +--- +SV-244521: +Old: RHEL 8 operating systems booted with United Extensible Firmware +Interface (UEFI) must require a unique superusers name upon booting into +single-user mode and maintenance. +New: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance. +--- +SV-244523: +Old: RHEL 8 operating systems must require authentication upon booting into +emergency mode. +New: RHEL 8 operating systems must require authentication upon booting into emergency mode. +--- +SV-244524: +Old: The RHEL 8 pam_unix.so module must be configured in the system-auth +file to use a FIPS 140-2 approved cryptographic hashing algorithm for system +authentication. +New: The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. +--- +SV-244527: +Old: RHEL 8 must have the packages required to use the hardware random +number generator entropy gatherer service. +New: RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service. +--- +SV-244530: +Old: RHEL 8 must prevent files with the setuid and setgid bit set from +being executed on the /boot/efi directory. +New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. +--- +SV-244531: +Old: All RHEL 8 local interactive user home directory files must have mode +0750 or less permissive. +New: All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. +--- +SV-244532: +Old: RHEL 8 must be configured so that all files and directories contained +in local interactive user home directories are group-owned by a group of which +the home directory owner is a member. +New: RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member. +--- +SV-244533: +Old: RHEL 8 must configure the use of the pam_faillock.so module in the +/etc/pam.d/system-auth file. +New: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. +--- +SV-244534: +Old: RHEL 8 must configure the use of the pam_faillock.so module in the +/etc/pam.d/password-auth file. +New: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. +--- +SV-244535: +Old: RHEL 8 must initiate a session lock for graphical user interfaces when +the screensaver is activated. +New: RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated. +--- +SV-244536: +Old: RHEL 8 must disable the user list at logon for graphical user +interfaces. +New: RHEL 8 must disable the user list at logon for graphical user interfaces. +--- +SV-244538: +Old: RHEL 8 must prevent a user from overriding the session idle-delay +setting for the graphical user interface. +New: RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface. +--- +SV-244539: +Old: RHEL 8 must prevent a user from overriding the screensaver +lock-enabled setting for the graphical user interface. +New: RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. +--- +SV-244541: +Old: RHEL 8 must not allow blank or null passwords in the password-auth +file. +New: RHEL 8 must not allow blank or null passwords in the password-auth file. +--- +SV-244542: +Old: RHEL 8 audit records must contain information to establish what type +of events occurred, the source of events, where events occurred, and the +outcome of events. +New: RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. +--- +SV-244543: +Old: RHEL 8 must notify the System Administrator (SA) and Information +System Security Officer (ISSO) (at a minimum) when allocated audit record +storage volume 75 percent utilization. +New: RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization. +--- +SV-244546: +Old: The RHEL 8 fapolicy module must be configured to employ a deny-all, +permit-by-exception policy to allow the execution of authorized software +programs. +New: The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. +--- +SV-244550: +Old: RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) +redirect messages from being accepted. +New: RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. +--- +SV-244554: +Old: RHEL 8 must enable hardening for the Berkeley Packet Filter +Just-in-time compiler. +New: RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. +--- +SV-250315: +Old: RHEL 8 systems, versions 8.2 and above, must configure SELinux context + type to allow the use of a non-default faillock tally directory. +New: RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. +--- +SV-257258: +Old: RHEL 8 must terminate idle user sessions. +New: RHEL 8.7 and higher must terminate idle user sessions. +--- +
+ +### Updated Descriptions +
+ Click to expand. +SV-230221: +Old: +``` +An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. + + Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/. + + Note: The life-cycle time spans and dates are subject to adjustment. + +``` +New: +``` +An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. + +Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/. +Note: The life-cycle time spans and dates are subject to adjustment. + +``` +--- +SV-230222: +Old: +``` +Timely patching is critical for maintaining the operational + availability, confidentiality, and integrity of information technology (IT) + systems. However, failure to keep operating system and application software + patched is a common mistake made by IT professionals. New patches are released + daily, and it is often difficult for even experienced System Administrators to + keep abreast of all the new patches. When new weaknesses in an operating system + exist, patches are usually made available by the vendor to resolve the + problems. If the most recent security patches and updates are not installed, + unauthorized users may take advantage of weaknesses in the unpatched software. + The lack of prompt attention to patching could result in a system compromise. + +``` +New: +``` +Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. + +``` +--- +SV-230223: +Old: +``` +Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. + +RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. + +The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key. + +``` +New: +``` +Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. + +RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. + +The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key. + + + +``` +--- +SV-230224: +Old: +``` +RHEL 8 systems handling data requiring "data at rest" protections + must employ cryptographic mechanisms to prevent unauthorized disclosure and + modification of the information at rest. + + Selection of a cryptographic mechanism is based on the need to protect the +integrity of organizational information. The strength of the mechanism is +commensurate with the security category and/or classification of the +information. Organizations have the flexibility to either encrypt all +information on storage devices (i.e., full disk encryption) or encrypt specific +data structures (e.g., files, records, or fields). + +``` +New: +``` +RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. + +Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). + + + +``` +--- +SV-230225: +Old: +``` +Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + +``` +New: +``` +Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + + + +``` +--- +SV-230226: +Old: +``` +Display of a standardized and approved use notification before +granting access to the operating system ensures privacy and security +notification verbiage used is consistent with applicable federal laws, +Executive Orders, directives, policies, regulations, standards, and guidance. + + System use notifications are required only for access via logon interfaces +with human users and are not required when such human interfaces do not exist. + + The banner must be formatted in accordance with applicable DoD policy. Use +the following verbiage for operating systems that can accommodate banners of +1300 characters: + + "You are accessing a U.S. Government (USG) Information System (IS) that is +provided for USG-authorized use only. + + By using this IS (which includes any device attached to this IS), you +consent to the following conditions: + + -The USG routinely intercepts and monitors communications on this IS for +purposes including, but not limited to, penetration testing, COMSEC monitoring, +network operations and defense, personnel misconduct (PM), law enforcement +(LE), and counterintelligence (CI) investigations. + + -At any time, the USG may inspect and seize data stored on this IS. + + -Communications using, or data stored on, this IS are not private, are +subject to routine monitoring, interception, and search, and may be disclosed +or used for any USG-authorized purpose. + + -This IS includes security measures (e.g., authentication and access +controls) to protect USG interests--not for your personal benefit or privacy. + + -Notwithstanding the above, using this IS does not constitute consent to +PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services +by attorneys, psychotherapists, or clergy, and their assistants. Such +communications and work product are private and confidential. See User +Agreement for details." + +``` +New: +``` +Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + + + +``` +--- +SV-230227: +Old: +``` +Display of a standardized and approved use notification before +granting access to the operating system ensures privacy and security +notification verbiage used is consistent with applicable federal laws, +Executive Orders, directives, policies, regulations, standards, and guidance. + + System use notifications are required only for access via logon interfaces +with human users and are not required when such human interfaces do not exist. + + The banner must be formatted in accordance with applicable DoD policy. Use +the following verbiage for operating systems that can accommodate banners of +1300 characters: + + "You are accessing a U.S. Government (USG) Information System (IS) that is +provided for USG-authorized use only. + + By using this IS (which includes any device attached to this IS), you +consent to the following conditions: + + -The USG routinely intercepts and monitors communications on this IS for +purposes including, but not limited to, penetration testing, COMSEC monitoring, +network operations and defense, personnel misconduct (PM), law enforcement +(LE), and counterintelligence (CI) investigations. + + -At any time, the USG may inspect and seize data stored on this IS. + + -Communications using, or data stored on, this IS are not private, are +subject to routine monitoring, interception, and search, and may be disclosed +or used for any USG-authorized purpose. + + -This IS includes security measures (e.g., authentication and access +controls) to protect USG interests--not for your personal benefit or privacy. + + -Notwithstanding the above, using this IS does not constitute consent to +PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services +by attorneys, psychotherapists, or clergy, and their assistants. Such +communications and work product are private and confidential. See User +Agreement for details." + +``` +New: +``` +Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + + + +``` +--- +SV-230229: +Old: +``` +Without path validation, an informed trust decision by the relying +party cannot be made when presented with any certificate not already explicitly +trusted. + + A trust anchor is an authoritative entity represented via a public key and +associated data. It is used in the context of public key infrastructures, X.509 +digital certificates, and DNSSEC. + + When there is a chain of trust, usually the top entity to be trusted +becomes the trust anchor; it can be, for example, a Certification Authority +(CA). A certification path starts with the subject certificate and proceeds +through a number of intermediate certificates up to a trusted root certificate, +typically issued by a trusted CA. + + This requirement verifies that a certification path to an accepted trust +anchor is used for certificate validation and that the path includes status +information. Path validation is necessary for a relying party to make an +informed trust decision when presented with any certificate not already +explicitly trusted. Status information for certification paths includes +certificate revocation lists or online certificate status protocol responses. +Validation of the certificate status information is out of scope for this +requirement. + +``` +New: +``` +Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. + +A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. + +When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. + +This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. + + + +``` +--- +SV-230230: +Old: +``` +If an unauthorized user obtains access to a private key without a +passcode, that user would have unauthorized access to any system where the +associated public key has been installed. + +``` +New: +``` +If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed. + +``` +--- +SV-230231: +Old: +``` +Passwords need to be protected at all times, and encryption is the +standard method for protecting passwords. If passwords are not encrypted, they +can be plainly read (i.e., clear text) and easily compromised. + + Unapproved mechanisms that are used for authentication to the cryptographic +module are not verified and therefore cannot be relied upon to provide +confidentiality or integrity, and DoD data may be compromised. + + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD requirements. + +``` +New: +``` +Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. + +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. + +``` +--- +SV-230232: +Old: +``` +The system must use a strong hashing algorithm to store the password. + + Passwords need to be protected at all times, and encryption is the standard +method for protecting passwords. If passwords are not encrypted, they can be +plainly read (i.e., clear text) and easily compromised. + +``` +New: +``` +The system must use a strong hashing algorithm to store the password. + +Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. + +``` +--- +SV-230233: +Old: +``` +The system must use a strong hashing algorithm to store the password. +The system must use a sufficient number of hashing rounds to ensure the +required level of entropy. + + Passwords need to be protected at all times, and encryption is the standard +method for protecting passwords. If passwords are not encrypted, they can be +plainly read (i.e., clear text) and easily compromised. + +``` +New: +``` +The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. + +Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. + +``` +--- +SV-230234: +Old: +``` +If the system does not require valid authentication before it boots +into single-user or maintenance mode, anyone who invokes single-user or +maintenance mode is granted privileged access to all files on the system. GRUB +2 is the default boot loader for RHEL 8 and is designed to require a password +to boot into single-user mode or make modifications to the boot menu. + +``` +New: +``` +If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. + +``` +--- +SV-230235: +Old: +``` +If the system does not require valid authentication before it boots +into single-user or maintenance mode, anyone who invokes single-user or +maintenance mode is granted privileged access to all files on the system. GRUB +2 is the default boot loader for RHEL 8 and is designed to require a password +to boot into single-user mode or make modifications to the boot menu. + +``` +New: +``` +If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. + +``` +--- +SV-230236: +Old: +``` +If the system does not require valid root authentication before it +boots into emergency or rescue mode, anyone who invokes emergency or rescue +mode is granted privileged access to all files on the system. + +``` +New: +``` +If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system. + +``` +--- +SV-230237: +Old: +``` +Unapproved mechanisms that are used for authentication to the +cryptographic module are not verified and therefore cannot be relied upon to +provide confidentiality or integrity, and DoD data may be compromised. + + RHEL 8 systems utilizing encryption are required to use FIPS-compliant +mechanisms for authenticating to cryptographic modules. + + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD +requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a +general-purpose computing system. + +``` +New: +``` +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + +``` +--- +SV-230238: +Old: +``` +Unapproved mechanisms that are used for authentication to the +cryptographic module are not verified and therefore cannot be relied upon to +provide confidentiality or integrity, and DoD data may be compromised. + + RHEL 8 systems utilizing encryption are required to use FIPS-compliant +mechanisms for authenticating to cryptographic modules. + + The key derivation function (KDF) in Kerberos is not FIPS compatible. +Ensuring the system does not have any keytab files present prevents system +daemons from using Kerberos for authentication. A keytab is a file containing +pairs of Kerberos principals and encrypted keys. + + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD +requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a +general-purpose computing system. + +``` +New: +``` +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +The key derivation function (KDF) in Kerberos is not FIPS compatible. Ensuring the system does not have any keytab files present prevents system daemons from using Kerberos for authentication. A keytab is a file containing pairs of Kerberos principals and encrypted keys. + +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + +``` +--- +SV-230239: +Old: +``` +Unapproved mechanisms that are used for authentication to the +cryptographic module are not verified and therefore cannot be relied upon to +provide confidentiality or integrity, and DoD data may be compromised. + + RHEL 8 systems utilizing encryption are required to use FIPS-compliant +mechanisms for authenticating to cryptographic modules. + + Currently, Kerberos does not utilize FIPS 140-2 cryptography. + + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD +requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a +general-purpose computing system. + +``` +New: +``` +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +Currently, Kerberos does not utilize FIPS 140-2 cryptography. + +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + +``` +--- +SV-230240: +Old: +``` +Without verification of the security functions, security functions may +not operate correctly and the failure may go unnoticed. Security function is +defined as the hardware, software, and/or firmware of the information system +responsible for enforcing the system security policy and supporting the +isolation of code and data on which the protection is based. Security +functionality includes, but is not limited to, establishing system accounts, +configuring access authorizations (i.e., permissions, privileges), setting +events to be audited, and setting intrusion detection parameters. + + This requirement applies to operating systems performing security function +verification/testing and/or systems and environments that require this +functionality. + +``` +New: +``` +Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + +This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. + +``` +--- +SV-230241: +Old: +``` +Without verification of the security functions, security functions may +not operate correctly and the failure may go unnoticed. Security function is +defined as the hardware, software, and/or firmware of the information system +responsible for enforcing the system security policy and supporting the +isolation of code and data on which the protection is based. Security +functionality includes, but is not limited to, establishing system accounts, +configuring access authorizations (i.e., permissions, privileges), setting +events to be audited, and setting intrusion detection parameters. + + Policycoreutils contains the policy core utilities that are required for +basic operation of an SELinux-enabled system. These utilities include +load_policy to load SELinux policies, setfile to label filesystems, newrole to +switch roles, and run_init to run /etc/init.d scripts in the proper context. + +``` +New: +``` +Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + +Policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfile to label filesystems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context. + +``` +--- +SV-230243: +Old: +``` +Preventing unauthorized information transfers mitigates the risk of +information, including encrypted representations of information, produced by +the actions of prior users/roles (or the actions of processes acting on behalf +of prior users/roles) from being available to any current users/roles (or +current processes) that obtain access to shared system resources (e.g., +registers, main memory, hard disks) after those resources have been released +back to information systems. The control of information in shared resources is +also commonly referred to as object reuse and residual information protection. + + This requirement generally applies to the design of an information +technology product, but it can also apply to the configuration of particular +information system components that are, or use, such products. This can be +verified by acceptance/validation processes in DoD or other government agencies. + + There may be shared resources with configurable protections (e.g., files in +storage) that may be assessed on specific information system components. + +``` +New: +``` +Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. + +This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. + +There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. + +``` +--- +SV-230244: +Old: +``` +Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + + Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. + + RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. + +``` +New: +``` +Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. + +RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. + + + +``` +--- +SV-230245: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + +``` +--- +SV-230246: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + +``` +--- +SV-230247: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + +``` +--- +SV-230248: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + +``` +--- +SV-230249: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + +``` +--- +SV-230250: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + +``` +--- +SV-230251: +Old: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + +The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. + + + +``` +--- +SV-230252: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by +an authorized user (or an information system) communicating through an +external, non-organization-controlled network. Remote access methods include, +for example, dial-up, broadband, and wireless. + + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates system-wide crypto policies by default. The SSH +configuration file has no effect on the ciphers, MACs, or algorithms unless +specifically defined in the /etc/sysconfig/sshd file. The employed algorithms +can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + + The system will attempt to use the first hash presented by the client that +matches the server list. Listing the values "strongest to weakest" is a +method to ensure the use of the strongest hash available to secure the SSH +connection. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + +The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. + + + +``` +--- +SV-230253: +Old: +``` +The most important characteristic of a random number generator is its +randomness, namely its ability to deliver random numbers that are impossible to +predict. Entropy in computer security is associated with the unpredictability +of a source of randomness. The random source with high entropy tends to +achieve a uniform distribution of random values. Random number generators are +one of the most important building blocks of cryptosystems. + + The SSH implementation in RHEL8 uses the OPENSSL library, which does not +use high-entropy sources by default. By using the SSH_USE_STRONG_RNG +environment variable the OPENSSL random generator is reseeded from /dev/random. + This setting is not recommended on computers without the hardware random +generator because insufficient entropy causes the connection to be blocked +until enough entropy is available. + +``` +New: +``` +The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The SSH implementation in RHEL8 uses the OPENSSL library, which does not use high-entropy sources by default. By using the SSH_USE_STRONG_RNG environment variable the OPENSSL random generator is reseeded from /dev/random. This setting is not recommended on computers without the hardware random generator because insufficient entropy causes the connection to be blocked until enough entropy is available. + +``` +--- +SV-230254: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by +an authorized user (or an information system) communicating through an +external, non-organization-controlled network. Remote access methods include, +for example, dial-up, broadband, and wireless. + + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates system-wide crypto policies by default. The employed +algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config +file. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. + + + +``` +--- +SV-230255: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by +an authorized user (or an information system) communicating through an +external, non-organization-controlled network. Remote access methods include, +for example, dial-up, broadband, and wireless. + + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates system-wide crypto policies by default. The employed +algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config +file. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. + + + +``` +--- +SV-230256: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Transport Layer Security (TLS) encryption is a required security setting as +a number of known vulnerabilities have been reported against Secure Sockets +Layer (SSL) and earlier versions of TLS. Encryption of private information is +essential to ensuring data confidentiality. If private information is not +encrypted, it can be intercepted and easily read by an unauthorized party. SQL +Server must use a minimum of FIPS 140-2-approved TLS version 1.2, and all +non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 +specifies the preferred configurations for government systems. + + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + The GnuTLS library offers an API to access secure communications protocols. + SSLv2 is not available in the GnuTLS library. The RHEL 8 system-wide crypto +policy defines employed algorithms in the +/etc/crypto-policies/back-ends/gnutls.config file. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Transport Layer Security (TLS) encryption is a required security setting as a number of known vulnerabilities have been reported against Secure Sockets Layer (SSL) and earlier versions of TLS. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. SQL Server must use a minimum of FIPS 140-2-approved TLS version 1.2, and all non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +The GnuTLS library offers an API to access secure communications protocols. SSLv2 is not available in the GnuTLS library. The RHEL 8 system-wide crypto policy defines employed algorithms in the /etc/crypto-policies/back-ends/gnutls.config file. + + + +``` +--- +SV-230257: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230258: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230259: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230260: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230261: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230262: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230263: +Old: +``` +Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. + +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. + +Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. + +This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection. + +RHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check. + +``` +New: +``` +Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. + +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. + +Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. + +This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection. + +RHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check. + + + +``` +--- +SV-230264: +Old: +``` +Changes to any software components can have significant effects on the +overall security of the operating system. This requirement ensures the software +has not been tampered with and that it has been provided by a trusted vendor. + + Accordingly, patches, service packs, device drivers, or operating system +components must be signed with a certificate recognized and approved by the +organization. + + Verifying the authenticity of the software prior to installation validates +the integrity of the patch or upgrade received from a vendor. This verifies the +software has not been tampered with and that it has been provided by a trusted +vendor. Self-signed certificates are disallowed by this requirement. The +operating system should not have to verify the software again. This requirement +does not mandate DoD certificates for this purpose; however, the certificate +used to verify the software must be from an approved CA. + +``` +New: +``` +Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + +Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. + +Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. + +``` +--- +SV-230265: +Old: +``` +Changes to any software components can have significant effects on the +overall security of the operating system. This requirement ensures the software +has not been tampered with and that it has been provided by a trusted vendor. + + Accordingly, patches, service packs, device drivers, or operating system +components must be signed with a certificate recognized and approved by the +organization. + + Verifying the authenticity of the software prior to installation validates +the integrity of the patch or upgrade received from a vendor. This verifies the +software has not been tampered with and that it has been provided by a trusted +vendor. Self-signed certificates are disallowed by this requirement. The +operating system should not have to verify the software again. This requirement +does not mandate DoD certificates for this purpose; however, the certificate +used to verify the software must be from an approved CA. + +``` +New: +``` +Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + +Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. + +Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. + +``` +--- +SV-230267: +Old: +``` +Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + +When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. + +By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). + +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +/etc/sysctl.d/*.conf +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf + +``` +New: +``` +Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + +When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. + +By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). + +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +/etc/sysctl.d/*.conf +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf + + + +``` +--- +SV-230268: +Old: +``` +Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + + When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. + + By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + + /etc/sysctl.d/*.conf + /run/sysctl.d/*.conf + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf + /etc/sysctl.conf + +``` +New: +``` +Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + +When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. + +By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). + +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +/etc/sysctl.d/*.conf +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf + + + +``` +--- +SV-230271: +Old: +``` +Without reauthentication, users may access resources or perform tasks +for which they do not have authorization. + + When operating systems provide the capability to escalate a functional +capability, it is critical the user reauthenticate. + +``` +New: +``` +Without reauthentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. + + + +``` +--- +SV-230272: +Old: +``` +Without reauthentication, users may access resources or perform tasks +for which they do not have authorization. + + When operating systems provide the capability to escalate a functional +capability, it is critical the user reauthenticate. + +``` +New: +``` +Without reauthentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. + + + +``` +--- +SV-230273: +Old: +``` +Using an authentication device, such as a DoD Common Access Card (CAC) + or token that is separate from the information system, ensures that even if the + information system is compromised, credentials stored on the authentication + device will not be affected. + + Multifactor solutions that require devices separate from information + systems gaining access include, for example, hardware tokens providing + time-based or challenge-response authenticators and smart cards such as the + U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. + + A privileged account is defined as an information system account with + authorizations of a privileged user. + + Remote access is access to DoD nonpublic information systems by an + authorized user (or an information system) communicating through an external, + non-organization-controlled network. Remote access methods include, for + example, dial-up, broadband, and wireless. + + This requirement only applies to components where this is specific to the + function of the device or has the concept of an organizational user (e.g., VPN, + proxy capability). This does not apply to authentication for the purpose of + configuring the device itself (management). + +``` +New: +``` +Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. + +Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. + +A privileged account is defined as an information system account with authorizations of a privileged user. + +Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). + +``` +--- +SV-230274: +Old: +``` +Using an authentication device, such as a DoD Common Access Card (CAC) + or token that is separate from the information system, ensures that even if the + information system is compromised, credentials stored on the authentication + device will not be affected. + + Multifactor solutions that require devices separate from information + systems gaining access include, for example, hardware tokens providing + time-based or challenge-response authenticators and smart cards such as the + U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. + + RHEL 8 includes multiple options for configuring certificate status +checking, but for this requirement focuses on the System Security Services +Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol +(OCSP) checking and certificate verification using a sha256 digest function. + +``` +New: +``` +Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. + +Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. + +RHEL 8 includes multiple options for configuring certificate status checking, but for this requirement focuses on the System Security Services Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function. + + + +``` +--- +SV-230275: +Old: +``` +The use of PIV credentials facilitates standardization and reduces the + risk of unauthorized access. + + The DoD has mandated the use of the Common Access Card (CAC) to support + identity management and personal authentication for systems covered under + Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a + primary component of layered protection for national security systems. + +``` +New: +``` +The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. + +The DoD has mandated the use of the Common Access Card (CAC) to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems. + +``` +--- +SV-230276: +Old: +``` +Some adversaries launch attacks with the intent of executing code in +non-executable regions of memory or in memory locations that are prohibited. +Security safeguards employed to protect memory include, for example, data +execution prevention and address space layout randomization. Data execution +prevention safeguards can be either hardware-enforced or software-enforced with +hardware providing the greater strength of mechanism. + + Examples of attacks are buffer overflow attacks. + +``` +New: +``` +Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Examples of attacks are buffer overflow attacks. + +``` +--- +SV-230277: +Old: +``` +Some adversaries launch attacks with the intent of executing code in +non-executable regions of memory or in memory locations that are prohibited. +Security safeguards employed to protect memory include, for example, data +execution prevention and address space layout randomization. Data execution +prevention safeguards can be either hardware-enforced or software-enforced with +hardware providing the greater strength of mechanism. + + Poisoning writes an arbitrary value to freed pages, so any modification or +reference to that page after being freed or before being initialized will be +detected and prevented. This prevents many types of use-after-free +vulnerabilities at little performance cost. Also prevents leak of data and +detection of corrupted memory. + +``` +New: +``` +Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. + + + +``` +--- +SV-230278: +Old: +``` +Syscalls are special routines in the Linux kernel, which userspace +applications ask to do privileged tasks. Invoking a system call is an +expensive operation because the processor must interrupt the currently +executing task and switch context to kernel mode and then back to userspace +after the system call completes. Virtual Syscalls map into user space a page +that contains some variables and the implementation of some system calls. This +allows the system calls to be executed in userspace to alleviate the context +switching expense. + + Virtual Syscalls provide an opportunity of attack for a user who has +control of the return instruction pointer. Disabling vsyscalls help to prevent +return oriented programming (ROP) attacks via buffer overflows and overruns. If +the system intends to run containers based on RHEL 6 components, then virtual +syscalls will need enabled so the components function properly. + +``` +New: +``` +Syscalls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual Syscalls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense. + +Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. Disabling vsyscalls help to prevent return oriented programming (ROP) attacks via buffer overflows and overruns. If the system intends to run containers based on RHEL 6 components, then virtual syscalls will need enabled so the components function properly. + + + +``` +--- +SV-230279: +Old: +``` +Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. + +SLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator. + +``` +New: +``` +Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. + +SLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator. + + + +``` +--- +SV-230281: +Old: +``` +Previous versions of software components that are not removed from the +information system after updates have been installed may be exploited by +adversaries. Some information technology products may remove older versions of +software automatically from the information system. + +``` +New: +``` +Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system. + +``` +--- +SV-230282: +Old: +``` +Without verification of the security functions, security functions may +not operate correctly and the failure may go unnoticed. Security function is +defined as the hardware, software, and/or firmware of the information system +responsible for enforcing the system security policy and supporting the +isolation of code and data on which the protection is based. Security +functionality includes, but is not limited to, establishing system accounts, +configuring access authorizations (i.e., permissions, privileges), setting +events to be audited, and setting intrusion detection parameters. + + This requirement applies to operating systems performing security function +verification/testing and/or systems and environments that require this +functionality. + +``` +New: +``` +Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + +This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. + +``` +--- +SV-230283: +Old: +``` +The "shosts.equiv" files are used to configure host-based +authentication for the system via SSH. Host-based authentication is not +sufficient for preventing unauthorized access to the system, as it does not +require interactive identification and authentication of a connection request, +or for the use of two-factor authentication. + +``` +New: +``` +The "shosts.equiv" files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. + +``` +--- +SV-230284: +Old: +``` +The ".shosts" files are used to configure host-based authentication +for individual users or the system via SSH. Host-based authentication is not +sufficient for preventing unauthorized access to the system, as it does not +require interactive identification and authentication of a connection request, +or for the use of two-factor authentication. + +``` +New: +``` +The ".shosts" files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. + +``` +--- +SV-230285: +Old: +``` +The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers). + +``` +New: +``` +The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers). + +``` +--- +SV-230286: +Old: +``` +If a public host key file is modified by an unauthorized user, the SSH +service may be compromised. + +``` +New: +``` +If a public host key file is modified by an unauthorized user, the SSH service may be compromised. + +``` +--- +SV-230287: +Old: +``` +If an unauthorized user obtains the private SSH host key file, the +host could be impersonated. + +``` +New: +``` +If an unauthorized user obtains the private SSH host key file, the host could be impersonated. + +``` +--- +SV-230288: +Old: +``` +If other users have access to modify user-specific SSH configuration +files, they may be able to log on to the system as another user. + +``` +New: +``` +If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user. + +``` +--- +SV-230290: +Old: +``` +Configuring this setting for the SSH daemon provides additional +assurance that remote logon via SSH will require a password, even in the event +of misconfiguration elsewhere. + +``` +New: +``` +Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere. + +``` +--- +SV-230291: +Old: +``` +Configuring these settings for the SSH daemon provides additional +assurance that remote logon via SSH will not use unused methods of +authentication, even in the event of misconfiguration elsewhere. + +``` +New: +``` +Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere. + +``` +--- +SV-230292: +Old: +``` +The use of separate file systems for different paths can protect the +system from failures resulting from a file system becoming full or failing. + +``` +New: +``` +The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. + +``` +--- +SV-230293: +Old: +``` +The use of separate file systems for different paths can protect the +system from failures resulting from a file system becoming full or failing. + +``` +New: +``` +The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. + +``` +--- +SV-230294: +Old: +``` +The use of separate file systems for different paths can protect the +system from failures resulting from a file system becoming full or failing. + +``` +New: +``` +The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. + +``` +--- +SV-230295: +Old: +``` +The use of separate file systems for different paths can protect the +system from failures resulting from a file system becoming full or failing. + +``` +New: +``` +The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. + +``` +--- +SV-230296: +Old: +``` +Even though the communications channel may be encrypted, an additional +layer of security is gained by extending the policy of not logging on directly +as root. In addition, logging on with a user-specific account provides +individual accountability of actions performed on the system. + +``` +New: +``` +Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system. + +``` +--- +SV-230298: +Old: +``` +Configuring RHEL 8 to implement organization-wide security +implementation guides and security checklists ensures compliance with federal +standards and establishes a common security baseline across the DoD that +reflects the most restrictive security posture consistent with operational +requirements. + + Configuration settings are the set of parameters that can be changed in +hardware, software, or firmware components of the system that affect the +security posture and/or functionality of the system. Security-related +parameters are those parameters impacting the security state of the system, +including the parameters required to satisfy other security control +requirements. Security-related parameters include, for example: registry +settings; account, file, directory permission settings; and settings for +functions, ports, protocols, services, and remote connections. + +``` +New: +``` +Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. + +Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. + +``` +--- +SV-230299: +Old: +``` +The "nosuid" mount option causes the system not to execute +"setuid" and "setgid" files with owner privileges. This option must be used +for mounting any file system not containing approved "setuid" and "setguid" +files. Executing files from untrusted file systems increases the opportunity +for unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230300: +Old: +``` +The "nosuid" mount option causes the system not to execute +"setuid" and "setgid" files with owner privileges. This option must be used +for mounting any file system not containing approved "setuid" and "setguid" +files. Executing files from untrusted file systems increases the opportunity +for unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230301: +Old: +``` +The "nodev" mount option causes the system to not interpret +character or block special devices. Executing character or block special +devices from untrusted file systems increases the opportunity for unprivileged +users to attain unauthorized administrative access. The only legitimate +location for device files is the /dev directory located on the root partition. + +``` +New: +``` +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition. + +``` +--- +SV-230302: +Old: +``` +The "noexec" mount option causes the system not to execute binary +files. This option must be used for mounting any file system not containing +approved binary files, as they may be incompatible. Executing files from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + +``` +New: +``` +The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230303: +Old: +``` +The "nodev" mount option causes the system not to interpret +character or block special devices. Executing character or block special +devices from untrusted file systems increases the opportunity for unprivileged +users to attain unauthorized administrative access. + +``` +New: +``` +The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230304: +Old: +``` +The "noexec" mount option causes the system not to execute binary +files. This option must be used for mounting any file system not containing +approved binary files, as they may be incompatible. Executing files from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + +``` +New: +``` +The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230305: +Old: +``` +The "nosuid" mount option causes the system not to execute +"setuid" and "setgid" files with owner privileges. This option must be used +for mounting any file system not containing approved "setuid" and "setguid" +files. Executing files from untrusted file systems increases the opportunity +for unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230306: +Old: +``` +The "noexec" mount option causes the system not to execute binary +files. This option must be used for mounting any file system not containing +approved binary as they may be incompatible. Executing files from untrusted +file systems increases the opportunity for unprivileged users to attain +unauthorized administrative access. + +``` +New: +``` +The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230307: +Old: +``` +The "nodev" mount option causes the system to not interpret +character or block special devices. Executing character or block special +devices from untrusted file systems increases the opportunity for unprivileged +users to attain unauthorized administrative access. + +``` +New: +``` +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230308: +Old: +``` +The "nosuid" mount option causes the system not to execute +"setuid" and "setgid" files with owner privileges. This option must be used +for mounting any file system not containing approved "setuid" and "setguid" +files. Executing files from untrusted file systems increases the opportunity +for unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230309: +Old: +``` +If user start-up files execute world-writable programs, especially in +unprotected directories, they could be maliciously modified to destroy user +files or otherwise compromise the system at the user level. If the system is +compromised at the user level, it is easier to elevate privileges to eventually +compromise the system at the root and network level. + +``` +New: +``` +If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level. + +``` +--- +SV-230310: +Old: +``` +Kernel core dumps may contain the full contents of system memory at +the time of the crash. Kernel core dumps may consume a considerable amount of +disk space and may result in denial of service by exhausting the available +space on the target file system partition. + + RHEL 8 installation media presents the option to enable or disable the +kdump service at the time of system installation. + +``` +New: +``` +Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. + +RHEL 8 installation media presents the option to enable or disable the kdump service at the time of system installation. + +``` +--- +SV-230312: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data and is +generally useful only for developers trying to debug problems. + + When the kernel invokes systemd-coredumpt to handle a core dump, it runs in +privileged mode, and will connect to the socket created by the +systemd-coredump.socket unit. This, in turn, will spawn an unprivileged +systemd-coredump@.service instance to process the core dump. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. + +When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged systemd-coredump@.service instance to process the core dump. + +``` +--- +SV-230313: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data and is +generally useful only for developers trying to debug problems. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. + +``` +--- +SV-230314: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data and is +generally useful only for developers trying to debug problems. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. + +``` +--- +SV-230315: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data and is +generally useful only for developers trying to debug problems. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. + +``` +--- +SV-230316: +Old: +``` +To provide availability for name resolution services, multiple +redundant name servers are mandated. A failure in name resolution could lead to +the failure of security functions requiring name resolution, which may include +time synchronization, centralized authentication, and remote system logging. + +``` +New: +``` +To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging. + +``` +--- +SV-230317: +Old: +``` +The executable search path (typically the PATH environment variable) +contains a list of directories for the shell to search to find executables. If +this path includes the current working directory (other than the user's home +directory), executables in these directories may be executed instead of system +commands. This variable is formatted as a colon-separated list of directories. +If there is an empty entry, such as a leading or trailing colon or two +consecutive colons, this is interpreted as the current working directory. If +deviations from the default system search path for the local interactive user +are required, they must be documented with the Information System Security +Officer (ISSO). + +``` +New: +``` +The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO). + +``` +--- +SV-230318: +Old: +``` +If a world-writable directory is not owned by root, sys, bin, or an +application User Identifier (UID), unauthorized users may be able to modify +files created by others. + + The only authorized public directories are those temporary directories +supplied with the system or those designed to be temporary file repositories. +The setting is normally reserved for directories used by the system and by +users for temporary file storage, (e.g., /tmp), and for directories requiring +global read/write access. + +``` +New: +``` +If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others. + +The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access. + +``` +--- +SV-230319: +Old: +``` +If a world-writable directory is not group-owned by root, sys, bin, or +an application Group Identifier (GID), unauthorized users may be able to modify +files created by others. + + The only authorized public directories are those temporary directories +supplied with the system or those designed to be temporary file repositories. +The setting is normally reserved for directories used by the system and by +users for temporary file storage, (e.g., /tmp), and for directories requiring +global read/write access. + +``` +New: +``` +If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. + +The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access. + +``` +--- +SV-230320: +Old: +``` +If local interactive users are not assigned a valid home directory, +there is no place for the storage and control of files they should own. + +``` +New: +``` +If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. + +``` +--- +SV-230321: +Old: +``` +Excessive permissions on local interactive user home directories may +allow unauthorized access to user files by other users. + +``` +New: +``` +Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. + +``` +--- +SV-230322: +Old: +``` +If the Group Identifier (GID) of a local interactive user’s home +directory is not the same as the primary GID of the user, this would allow +unauthorized access to the user’s files, and users that share the same group +may not be able to access files that they legitimately should. + +``` +New: +``` +If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should. + +``` +--- +SV-230323: +Old: +``` +If a local interactive user has a home directory defined that does not +exist, the user may be given access to the "/" directory as the current +working directory upon logon. This could create a denial of service because the +user would not be able to access their logon configuration files, and it may +give them visibility to system files they normally would not be able to access. + +``` +New: +``` +If a local interactive user has a home directory defined that does not exist, the user may be given access to the "/" directory as the current working directory upon logon. This could create a denial of service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access. + +``` +--- +SV-230324: +Old: +``` +If local interactive users are not assigned a valid home directory, +there is no place for the storage and control of files they should own. + +``` +New: +``` +If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. + +``` +--- +SV-230325: +Old: +``` +Local initialization files are used to configure the user's shell +environment upon logon. Malicious modification of these files could compromise +accounts upon logon. + +``` +New: +``` +Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. + +``` +--- +SV-230326: +Old: +``` +Unowned files and directories may be unintentionally inherited if a +user is assigned the same User Identifier "UID" as the UID of the un-owned +files. + +``` +New: +``` +Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files. + +``` +--- +SV-230327: +Old: +``` +Files without a valid group owner may be unintentionally inherited if +a group is assigned the same Group Identifier (GID) as the GID of the files +without a valid group owner. + +``` +New: +``` +Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner. + +``` +--- +SV-230328: +Old: +``` +The use of separate file systems for different paths can protect the +system from failures resulting from a file system becoming full or failing. + +``` +New: +``` +The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. + +``` +--- +SV-230329: +Old: +``` +Failure to restrict system access to authenticated users negatively +impacts operating system security. + +``` +New: +``` +Failure to restrict system access to authenticated users negatively impacts operating system security. + +``` +--- +SV-230330: +Old: +``` +SSH environment options potentially allow users to bypass access +restriction in some configurations. + +``` +New: +``` +SSH environment options potentially allow users to bypass access restriction in some configurations. + +``` +--- +SV-230331: +Old: +``` +If temporary user accounts remain active when no longer needed or for +an excessive period, these accounts may be used to gain unauthorized access. To +mitigate this risk, automated termination of all temporary accounts must be set +upon account creation. + + Temporary accounts are established as part of normal account activation +procedures when there is a need for short-term accounts without the demand for +immediacy in account activation. + + If temporary accounts are used, RHEL 8 must be configured to automatically +terminate these types of accounts after a DoD-defined time period of 72 hours. + + To address access requirements, many RHEL 8 operating systems may be +integrated with enterprise-level authentication/access mechanisms that meet or +exceed access control policy requirements. + +``` +New: +``` +If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. + +Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. + +If temporary accounts are used, RHEL 8 must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours. + +To address access requirements, many RHEL 8 operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. + +``` +--- +SV-230332: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that +manual changes to the listed files may be overwritten by the "authselect" +program. + + From "Pam_Faillock" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. + +From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230333: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230334: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that +manual changes to the listed files may be overwritten by the "authselect" +program. + + From "Pam_Faillock" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. + +From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230335: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230336: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that +manual changes to the listed files may be overwritten by the "authselect" +program. + + From "Pam_Faillock" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. + +From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230337: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230338: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that +manual changes to the listed files may be overwritten by the "authselect" +program. + + From "Pam_Faillock" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. + +From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230339: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230340: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that +manual changes to the listed files may be overwritten by the "authselect" +program. + + From "Pam_Faillock" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. + +From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230341: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230342: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that +manual changes to the listed files may be overwritten by the "authselect" +program. + + From "Pam_Faillock" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. + +From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + + + +``` +--- +SV-230343: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230344: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that +manual changes to the listed files may be overwritten by the "authselect" +program. + + From "Pam_Faillock" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. + +From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + + + +``` +--- +SV-230345: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230346: +Old: +``` +Operating system management includes the ability to control the number +of users and user sessions that utilize an operating system. Limiting the +number of allowed users and sessions per user is helpful in reducing the risks +related to DoS attacks. + + This requirement addresses concurrent sessions for information system +accounts and does not address concurrent sessions by single users via multiple +system accounts. The maximum number of concurrent sessions should be defined +based on mission needs and the operational environment for each system. + +``` +New: +``` +Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. + +This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system. + +``` +--- +SV-230347: +Old: +``` +A session lock is a temporary action taken when a user stops work and +moves away from the immediate physical vicinity of the information system but +does not want to log out because of the temporary nature of the absence. + + The session lock is implemented at the point where session activity can be +determined. + + Regardless of where the session lock is determined and implemented, once +invoked, the session lock must remain in place until the user reauthenticates. +No other activity aside from reauthentication must unlock the system. + +``` +New: +``` +A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. + +The session lock is implemented at the point where session activity can be determined. + +Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. + + + +``` +--- +SV-230351: +Old: +``` +A session lock is a temporary action taken when a user stops work and + moves away from the immediate physical vicinity of the information system but + does not want to log out because of the temporary nature of the absence. + + The session lock is implemented at the point where session activity can be + determined. Rather than be forced to wait for a period of time to expire before + the user session can be locked, RHEL 8 needs to provide users with the ability + to manually invoke a session lock so users can secure their session if it is + necessary to temporarily vacate the immediate physical vicinity. + +``` +New: +``` +A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. + +The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. + + + +``` +--- +SV-230352: +Old: +``` +A session lock is a temporary action taken when a user stops work and +moves away from the immediate physical vicinity of the information system but +does not want to log out because of the temporary nature of the absence. + + The session lock is implemented at the point where session activity can be +determined. Rather than be forced to wait for a period of time to expire before +the user session can be locked, RHEL 8 needs to provide users with the ability +to manually invoke a session lock so users can secure their session if it is +necessary to temporarily vacate the immediate physical vicinity. + +``` +New: +``` +A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. + +The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. + + + +``` +--- +SV-230354: +Old: +``` +A session time-out lock is a temporary action taken when a user stops +work and moves away from the immediate physical vicinity of the information +system but does not log out because of the temporary nature of the absence. +Rather than relying on the user to manually lock their operating system session +prior to vacating the vicinity, operating systems need to be able to identify +when a user's session has idled and take action to initiate the session lock. + + The session lock is implemented at the point where session activity can be +determined and/or controlled. + + Implementing session settings will have little value if a user is able to +manipulate these settings from the defaults prescribed in the other +requirements of this implementation guide. + + Locking these settings from non-privileged users is crucial to maintaining +a protected baseline. + +``` +New: +``` +A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. + +The session lock is implemented at the point where session activity can be determined and/or controlled. + +Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide. + +Locking these settings from non-privileged users is crucial to maintaining a protected baseline. + + + +``` +--- +SV-230355: +Old: +``` +Without mapping the certificate used to authenticate to the user +account, the ability to determine the identity of the individual user or group +will not be available for forensic analysis. + + There are various methods of mapping certificates to user/group accounts +for RHEL 8. For the purposes of this requirement, the check and fix will +account for Active Directory mapping. Some of the other possible methods +include joining the system to a domain and utilizing a Red Hat idM server, or a +local system mapping, where the system is not part of a domain. + +``` +New: +``` +Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. + +There are various methods of mapping certificates to user/group accounts for RHEL 8. For the purposes of this requirement, the check and fix will account for Active Directory mapping. Some of the other possible methods include joining the system to a domain and utilizing a Red Hat idM server, or a local system mapping, where the system is not part of a domain. + +``` +--- +SV-230357: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. +Note that in order to require uppercase characters, without degrading the +"minlen" value, the credit value must be expressed as a negative number in +"/etc/security/pwquality.conf". + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require uppercase characters, without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". + +``` +--- +SV-230358: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. +Note that in order to require lower-case characters without degrading the +"minlen" value, the credit value must be expressed as a negative number in +"/etc/security/pwquality.conf". + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require lower-case characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". + +``` +--- +SV-230359: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. Note that in order to require numeric characters, without degrading +the minlen value, the credit value must be expressed as a negative number in +"/etc/security/pwquality.conf". + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note that in order to require numeric characters, without degrading the minlen value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". + +``` +--- +SV-230360: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. The "maxclassrepeat" option sets the maximum number of allowed +same consecutive characters in the same class in the new password. + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "maxclassrepeat" option sets the maximum number of allowed same consecutive characters in the same class in the new password. + +``` +--- +SV-230361: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. The "maxrepeat" option sets the maximum number of allowed same +consecutive characters in a new password. + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "maxrepeat" option sets the maximum number of allowed same consecutive characters in a new password. + +``` +--- +SV-230362: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. The "minclass" option sets the minimum number of required classes +of characters for the new password (digits, uppercase, lowercase, others). + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "minclass" option sets the minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others). + +``` +--- +SV-230363: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. The "difok" option sets the number of characters in a password +that must not be present in the old password. + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "difok" option sets the number of characters in a password that must not be present in the old password. + +``` +--- +SV-230364: +Old: +``` +Enforcing a minimum password lifetime helps to prevent repeated +password changes to defeat the password reuse or history enforcement +requirement. If users are allowed to immediately and continually change their +password, the password could be repeatedly changed in a short period of time to +defeat the organization's policy regarding password reuse. + +``` +New: +``` +Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. + +``` +--- +SV-230365: +Old: +``` +Enforcing a minimum password lifetime helps to prevent repeated +password changes to defeat the password reuse or history enforcement +requirement. If users are allowed to immediately and continually change their +password, the password could be repeatedly changed in a short period of time to +defeat the organization's policy regarding password reuse. + +``` +New: +``` +Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. + +``` +--- +SV-230366: +Old: +``` +Any password, no matter how complex, can eventually be cracked. +Therefore, passwords need to be changed periodically. If RHEL 8 does not limit +the lifetime of passwords and force users to change their passwords, there is +the risk that RHEL 8 passwords could be compromised. + +``` +New: +``` +Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised. + +``` +--- +SV-230367: +Old: +``` +Any password, no matter how complex, can eventually be cracked. +Therefore, passwords need to be changed periodically. If RHEL 8 does not limit +the lifetime of passwords and force users to change their passwords, there is +the risk that RHEL 8 passwords could be compromised. + +``` +New: +``` +Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised. + +``` +--- +SV-230369: +Old: +``` +The shorter the password, the lower the number of possible +combinations that need to be tested before the password is compromised. + + Password complexity, or strength, is a measure of the effectiveness of a +password in resisting attempts at guessing and brute-force attacks. Password +length is one factor of several that helps to determine strength and how long +it takes to crack a password. Use of more characters in a password helps to +increase exponentially the time and/or resources required to compromise the +password. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. Configurations are set in the "etc/security/pwquality.conf" file. + + The "minlen", sometimes noted as minimum length, acts as a "score" of +complexity based on the credit components of the "pwquality" module. By +setting the credit components to a negative value, not only will those +components be required, they will not count towards the total "score" of +"minlen". This will enable "minlen" to require a 15-character minimum. + + The DoD minimum password requirement is 15 characters. + +``` +New: +``` +The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. + +Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Configurations are set in the "etc/security/pwquality.conf" file. + +The "minlen", sometimes noted as minimum length, acts as a "score" of complexity based on the credit components of the "pwquality" module. By setting the credit components to a negative value, not only will those components be required, they will not count towards the total "score" of "minlen". This will enable "minlen" to require a 15-character minimum. + +The DoD minimum password requirement is 15 characters. + +``` +--- +SV-230370: +Old: +``` +The shorter the password, the lower the number of possible +combinations that need to be tested before the password is compromised. + + Password complexity, or strength, is a measure of the effectiveness of a +password in resisting attempts at guessing and brute-force attacks. Password +length is one factor of several that helps to determine strength and how long +it takes to crack a password. Use of more characters in a password helps to +increase exponentially the time and/or resources required to compromise the +password. + + The DoD minimum password requirement is 15 characters. + +``` +New: +``` +The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. + +Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. + +The DoD minimum password requirement is 15 characters. + +``` +--- +SV-230371: +Old: +``` +To ensure accountability and prevent unauthenticated access, +interactive users must be identified and authenticated to prevent potential +misuse and compromise of the system. + + Interactive users include organizational employees or individuals the +organization deems to have equivalent status of employees (e.g., contractors). +Interactive users (and processes acting on behalf of users) must be uniquely +identified and authenticated to all accesses, except for the following: + + 1) Accesses explicitly identified and documented by the organization. +Organizations document specific user actions that can be performed on the +information system without identification or authentication; and + + 2) Accesses that occur through authorized use of group authenticators +without individual authentication. Organizations may require unique +identification of individuals in group accounts (e.g., shared privilege +accounts) or for detailed accountability of individual activity. + +``` +New: +``` +To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. + +Interactive users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Interactive users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: + +1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and + +2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. + + + +``` +--- +SV-230372: +Old: +``` +Using an authentication device, such as a Common Access Card (CAC) or +token that is separate from the information system, ensures that even if the +information system is compromised, that compromise will not affect credentials +stored on the authentication device. + + Multifactor solutions that require devices separate from information +systems gaining access include, for example, hardware tokens providing +time-based or challenge-response authenticators and smart cards such as the +U.S. Government Personal Identity Verification card and the DoD CAC. + + There are various methods of implementing multifactor authentication for +RHEL 8. Some methods include a local system multifactor account mapping or +joining the system to a domain and utilizing a Red Hat idM server or Microsoft +Windows Active Directory server. Any of these methods will require that the +client operating system handle the multifactor authentication correctly. + +``` +New: +``` +Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. + +Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD CAC. + +There are various methods of implementing multifactor authentication for RHEL 8. Some methods include a local system multifactor account mapping or joining the system to a domain and utilizing a Red Hat idM server or Microsoft Windows Active Directory server. Any of these methods will require that the client operating system handle the multifactor authentication correctly. + + + +``` +--- +SV-230373: +Old: +``` +Inactive identifiers pose a risk to systems and applications because + attackers may exploit an inactive identifier and potentially obtain undetected + access to the system. Owners of inactive accounts will not notice if + unauthorized access to their user account has been obtained. + + RHEL 8 needs to track periods of inactivity and disable application + identifiers after 35 days of inactivity. + +``` +New: +``` +Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. + +RHEL 8 needs to track periods of inactivity and disable application identifiers after 35 days of inactivity. + +``` +--- +SV-230374: +Old: +``` +Temporary accounts are privileged or nonprivileged accounts that are + established during pressing circumstances, such as new software or hardware + configuration or an incident response, where the need for prompt account + activation requires bypassing normal account authorization procedures. + + If any inactive temporary accounts are left enabled on the system and are + not either manually removed or automatically expired within 72 hours, the + security posture of the system will be degraded and exposed to exploitation + by unauthorized users or insider threat actors. + + Temporary accounts are different from emergency accounts. Emergency accounts, + also known as "last resort" or "break glass" accounts, are local logon accounts + enabled on the system for emergency use by authorized system administrators + to manage a system when standard logon methods are failing or not available. + + Emergency accounts are not subject to manual removal or scheduled expiration + requirements. + + The automatic expiration of temporary accounts may be extended as needed by + the circumstances but it must not be extended indefinitely. A documented + permanent account should be established for privileged users who need long-term + maintenance accounts. + +``` +New: +``` +Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors. + +Temporary accounts are different from emergency accounts. Emergency accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements. + +The automatic expiration of temporary accounts may be extended as needed by the circumstances but it must not be extended indefinitely. A documented permanent account should be established for privileged users who need long-term maintenance accounts. + +``` +--- +SV-230375: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. Note that to require special characters without degrading the +"minlen" value, the credit value must be expressed as a negative number in +"/etc/security/pwquality.conf". + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note that to require special characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". + +``` +--- +SV-230376: +Old: +``` +If cached authentication information is out-of-date, the validity of +the authentication information may be questionable. + +RHEL 8 includes multiple options for configuring authentication, but this +requirement will be focus on the System Security Services Daemon (SSSD). By +default sssd does not cache credentials. + +``` +New: +``` +If cached authentication information is out-of-date, the validity of the authentication information may be questionable. + +RHEL 8 includes multiple options for configuring authentication, but this requirement will be focus on the System Security Services Daemon (SSSD). By default sssd does not cache credentials. + +``` +--- +SV-230377: +Old: +``` +If RHEL 8 allows the user to select passwords based on dictionary +words, this increases the chances of password compromise by increasing the +opportunity for successful guesses, and brute-force attacks. + +``` +New: +``` +If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks. + +``` +--- +SV-230378: +Old: +``` +Configuring the operating system to implement organization-wide +security implementation guides and security checklists verifies compliance with +federal standards and establishes a common security baseline across the DoD +that reflects the most restrictive security posture consistent with operational +requirements. + + Configuration settings are the set of parameters that can be changed in +hardware, software, or firmware components of the system that affect the +security posture and/or functionality of the system. Security-related +parameters are those parameters impacting the security state of the system, +including the parameters required to satisfy other security control +requirements. Security-related parameters include, for example, registry +settings; account, file, and directory permission settings; and settings for +functions, ports, protocols, services, and remote connections. + +``` +New: +``` +Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. + +Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections. + +``` +--- +SV-230379: +Old: +``` +Accounts providing no operational purpose provide additional +opportunities for system compromise. Unnecessary accounts include user accounts +for individuals not requiring access to the system and application accounts for +applications not installed on the system. + +``` +New: +``` +Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system. + +``` +--- +SV-230380: +Old: +``` +If an account has an empty password, anyone could log on and run +commands with the privileges of that account. Accounts with empty passwords +should never be used in operational environments. + +``` +New: +``` +If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. + +``` +--- +SV-230381: +Old: +``` +Providing users with feedback on when account accesses last occurred +facilitates user recognition and reporting of unauthorized account use. + +``` +New: +``` +Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. + +``` +--- +SV-230382: +Old: +``` +Providing users with feedback on when account accesses via SSH last +occurred facilitates user recognition and reporting of unauthorized account +use. + +``` +New: +``` +Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use. + +``` +--- +SV-230383: +Old: +``` +Setting the most restrictive default permissions ensures that when new +accounts are created, they do not have unnecessary access. + +``` +New: +``` +Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access. + +``` +--- +SV-230384: +Old: +``` +The umask controls the default access mode assigned to newly created +files. A umask of 077 limits new files to mode 600 or less permissive. Although +umask can be represented as a four-digit number, the first digit representing +special access modes is typically ignored or required to be "0". This +requirement applies to the globally configured system defaults and the local +interactive user defaults for each account on the system. + +``` +New: +``` +The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. + +``` +--- +SV-230385: +Old: +``` +The umask controls the default access mode assigned to newly created +files. A umask of 077 limits new files to mode 600 or less permissive. Although +umask can be represented as a four-digit number, the first digit representing +special access modes is typically ignored or required to be "0". This +requirement applies to the globally configured system defaults and the local +interactive user defaults for each account on the system. + +``` +New: +``` +The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. + +``` +--- +SV-230386: +Old: +``` +Misuse of privileged functions, either intentionally or +unintentionally by authorized users, or by unauthorized external entities that +have compromised information system accounts, is a serious and ongoing concern +and can have significant adverse impacts on organizations. Auditing the use of +privileged functions is one way to detect such misuse and identify the risk +from insider threats and the advanced persistent threat. + +``` +New: +``` +Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. + + + +``` +--- +SV-230387: +Old: +``` +Cron logging can be used to trace the successful or unsuccessful +execution of cron jobs. It can also be used to spot intrusions into the use of +the cron facility by unauthorized and malicious users. + +``` +New: +``` +Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users. + +``` +--- +SV-230388: +Old: +``` +It is critical for the appropriate personnel to be aware if a system +is at risk of failing to process audit logs as required. Without this +notification, the security personnel may be unaware of an impending failure of +the audit capability, and system operation may be adversely affected. + + Audit processing failures include software/hardware errors, failures in the +audit capturing mechanisms, and audit storage capacity being reached or +exceeded. + + This requirement applies to each audit data storage repository (i.e., +distinct information system component where audit records are stored), the +centralized audit storage capacity of organizations (i.e., all audit data +storage repositories combined), or both. + +``` +New: +``` +It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. + +Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. + +This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. + +``` +--- +SV-230389: +Old: +``` +It is critical for the appropriate personnel to be aware if a system +is at risk of failing to process audit logs as required. Without this +notification, the security personnel may be unaware of an impending failure of +the audit capability, and system operation may be adversely affected. + + Audit processing failures include software/hardware errors, failures in the +audit capturing mechanisms, and audit storage capacity being reached or +exceeded. + + This requirement applies to each audit data storage repository (i.e., +distinct information system component where audit records are stored), the +centralized audit storage capacity of organizations (i.e., all audit data +storage repositories combined), or both. + +``` +New: +``` +It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. + +Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. + +This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. + +``` +--- +SV-230390: +Old: +``` +It is critical for the appropriate personnel to be aware if a system +is at risk of failing to process audit logs as required. Without this +notification, the security personnel may be unaware of an impending failure of +the audit capability, and system operation may be adversely affected. + + Audit processing failures include software/hardware errors, failures in the +audit capturing mechanisms, and audit storage capacity being reached or +exceeded. + + This requirement applies to each audit data storage repository (i.e., +distinct information system component where audit records are stored), the +centralized audit storage capacity of organizations (i.e., all audit data +storage repositories combined), or both. + +``` +New: +``` +It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. + +Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. + +This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. + +``` +--- +SV-230392: +Old: +``` +It is critical that when RHEL 8 is at risk of failing to process audit +logs as required, it takes action to mitigate the failure. Audit processing +failures include software/hardware errors; failures in the audit capturing +mechanisms; and audit storage capacity being reached or exceeded. Responses to +audit failure depend upon the nature of the failure mode. + + When availability is an overriding concern, other approved actions in +response to an audit failure are as follows: + + 1) If the failure was caused by the lack of audit record storage capacity, +RHEL 8 must continue generating audit records if possible (automatically +restarting the audit service if necessary) and overwriting the oldest audit +records in a first-in-first-out manner. + + 2) If audit records are sent to a centralized collection server and +communication with this server is lost or the server fails, RHEL 8 must queue +audit records locally until communication is restored or until the audit +records are retrieved manually. Upon restoration of the connection to the +centralized collection server, action should be taken to synchronize the local +audit data with the collection server. + +``` +New: +``` +It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. + +When availability is an overriding concern, other approved actions in response to an audit failure are as follows: + +1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner. + +2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server. + +``` +--- +SV-230393: +Old: +``` +Without establishing what type of events occurred, the source of +events, where events occurred, and the outcome of events, it would be difficult +to establish, correlate, and investigate the events leading up to an outage or +attack. + + Audit record content that may be necessary to satisfy this requirement +includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, +filenames involved, and access control or flow control rules invoked. + +``` +New: +``` +Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +``` +--- +SV-230394: +Old: +``` +Without establishing what type of events occurred, the source of +events, where events occurred, and the outcome of events, it would be difficult +to establish, correlate, and investigate the events leading up to an outage or +attack. + + Audit record content that may be necessary to satisfy this requirement +includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, +filenames involved, and access control or flow control rules invoked. + + Enriched logging is needed to determine who, what, and when events occur on +a system. Without this, determining root cause of an event will be much more +difficult. + + When audit logs are not labeled before they are sent to a central log +server, the audit data will not be able to be analyzed and tied back to the +correct system. + +``` +New: +``` +Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. + +When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system. + +``` +--- +SV-230395: +Old: +``` +Without establishing what type of events occurred, the source of +events, where events occurred, and the outcome of events, it would be difficult +to establish, correlate, and investigate the events leading up to an outage or +attack. + + Audit record content that may be necessary to satisfy this requirement +includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, +filenames involved, and access control or flow control rules invoked. + + Enriched logging aids in making sense of who, what, and when events occur +on a system. Without this, determining root cause of an event will be much +more difficult. + +``` +New: +``` +Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Enriched logging aids in making sense of who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. + +``` +--- +SV-230396: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + + + +``` +--- +SV-230397: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + + + +``` +--- +SV-230398: +Old: +``` +Unauthorized disclosure of audit records can reveal system and +configuration data to attackers, thus compromising its confidentiality. + + Audit information includes all information (e.g., audit records, audit +settings, audit reports) needed to successfully audit RHEL 8 activity. + +``` +New: +``` +Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. + + + +``` +--- +SV-230399: +Old: +``` +Unauthorized disclosure of audit records can reveal system and +configuration data to attackers, thus compromising its confidentiality. + + Audit information includes all information (e.g., audit records, audit +settings, audit reports) needed to successfully audit RHEL 8 activity. + +``` +New: +``` +Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. + + + +``` +--- +SV-230400: +Old: +``` +Unauthorized disclosure of audit records can reveal system and +configuration data to attackers, thus compromising its confidentiality. + + Audit information includes all information (e.g., audit records, audit +settings, audit reports) needed to successfully audit RHEL 8 activity. + +``` +New: +``` +Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. + + + +``` +--- +SV-230401: +Old: +``` +Unauthorized disclosure of audit records can reveal system and +configuration data to attackers, thus compromising its confidentiality. + + Audit information includes all information (e.g., audit records, audit +settings, audit reports) needed to successfully audit RHEL 8 system activity. + +``` +New: +``` +Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. + + + +``` +--- +SV-230402: +Old: +``` +Unauthorized disclosure of audit records can reveal system and +configuration data to attackers, thus compromising its confidentiality. + + Audit information includes all information (e.g., audit records, audit +settings, audit reports) needed to successfully audit RHEL 8 system activity. + + In immutable mode, unauthorized users cannot execute changes to the audit +system to potentially hide malicious activity and then put the audit rules +back. A system reboot would be noticeable and a system administrator could +then investigate the unauthorized changes. + +``` +New: +``` +Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. + +In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes. + + + +``` +--- +SV-230403: +Old: +``` +Unauthorized disclosure of audit records can reveal system and +configuration data to attackers, thus compromising its confidentiality. + + Audit information includes all information (e.g., audit records, audit +settings, audit reports) needed to successfully audit RHEL 8 system activity. + + In immutable mode, unauthorized users cannot execute changes to the audit +system to potentially hide malicious activity and then put the audit rules +back. A system reboot would be noticeable and a system administrator could +then investigate the unauthorized changes. + +``` +New: +``` +Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. + +In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes. + + + +``` +--- +SV-230404: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + + + +``` +--- +SV-230405: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + + + +``` +--- +SV-230406: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + + + +``` +--- +SV-230407: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + + + +``` +--- +SV-230408: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + + + +``` +--- +SV-230409: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + + + +``` +--- +SV-230410: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + + + +``` +--- +SV-230411: +Old: +``` +Without establishing what type of events occurred, the source of +events, where events occurred, and the outcome of events, it would be difficult +to establish, correlate, and investigate the events leading up to an outage or +attack. + + Audit record content that may be necessary to satisfy this requirement +includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, +filenames involved, and access control or flow control rules invoked. + + Associating event types with detected events in RHEL 8 audit logs provides +a means of investigating an attack, recognizing resource utilization or +capacity thresholds, or identifying an improperly configured RHEL 8 system. + +``` +New: +``` +Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system. + + + +``` +--- +SV-230412: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "su" command allows a +user to run commands with a substitute user and group ID. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "su" command allows a user to run commands with a substitute user and group ID. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230413: +Old: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +"Setxattr" is a system call used to set an extended attribute value. +"Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file. +"Lsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link. +"Removexattr" is a system call that removes extended attributes. +"Fremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from a file. +"Lremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +"Setxattr" is a system call used to set an extended attribute value. +"Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file. +"Lsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link. +"Removexattr" is a system call that removes extended attributes. +"Fremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from a file. +"Lremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + + + +``` +--- +SV-230418: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "chage" command is +used to change or view user password expiry information. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chage" command is used to change or view user password expiry information. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230419: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "chcon" command is +used to change file SELinux security context. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chcon" command is used to change file SELinux security context. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230421: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "ssh-agent" is a +program to hold private keys used for public key authentication. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-agent" is a program to hold private keys used for public key authentication. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230422: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "passwd" command is +used to change passwords for user accounts. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "passwd" command is used to change passwords for user accounts. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230423: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "mount" command is +used to mount a filesystem. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" command is used to mount a filesystem. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230424: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "umount" command is +used to unmount a filesystem. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "umount" command is used to unmount a filesystem. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230425: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "mount" syscall is +used to mount a filesystem. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" syscall is used to mount a filesystem. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230426: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +"Unix_update" is a helper program for the "pam_unix" module that updates +the password for a given user. It is not intended to be run directly from the +command line and logs a security violation if done so. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. "Unix_update" is a helper program for the "pam_unix" module that updates the password for a given user. It is not intended to be run directly from the command line and logs a security violation if done so. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230427: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "postdrop" command creates a file in the maildrop directory and copies +its standard input to the file. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "postdrop" command creates a file in the maildrop directory and copies its standard input to the file. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230428: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "postqueue" command implements the Postfix user interface for queue +management. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "postqueue" command implements the Postfix user interface for queue management. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230429: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "semanage" command is used to configure certain elements of SELinux +policy without requiring modification to or recompilation from policy sources. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "semanage" command is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230430: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "setfiles" command is primarily used to initialize the security context +fields (extended attributes) on one or more filesystems (or parts of them). +Usually it is initially run as part of the SELinux installation process (a step +commonly known as labeling). + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setfiles" command is primarily used to initialize the security context fields (extended attributes) on one or more filesystems (or parts of them). Usually it is initially run as part of the SELinux installation process (a step commonly known as labeling). + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230431: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "userhelper" command is not intended to be run interactively. +"Userhelper" provides a basic interface to change a user's password, gecos +information, and shell. The main difference between this program and its +traditional equivalents (passwd, chfn, chsh) is that prompts are written to +standard out to make it easy for a graphical user interface wrapper to +interface to it as a child process. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "userhelper" command is not intended to be run interactively. "Userhelper" provides a basic interface to change a user's password, gecos information, and shell. The main difference between this program and its traditional equivalents (passwd, chfn, chsh) is that prompts are written to standard out to make it easy for a graphical user interface wrapper to interface to it as a child process. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230432: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "setsebool" command sets the current state of a particular SELinux +boolean or a list of booleans to a given value. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setsebool" command sets the current state of a particular SELinux boolean or a list of booleans to a given value. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230433: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "unix_chkpwd" command is a helper program for the pam_unix module that +verifies the password of the current user. It also checks password and account +expiration dates in shadow. It is not intended to be run directly from the +command line and logs a security violation if done so. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "unix_chkpwd" command is a helper program for the pam_unix module that verifies the password of the current user. It also checks password and account expiration dates in shadow. It is not intended to be run directly from the command line and logs a security violation if done so. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230434: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "ssh-keysign" program +is an SSH helper program for host-based authentication. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-keysign" program is an SSH helper program for host-based authentication. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230435: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "setfacl" command is +used to set file access control lists. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "setfacl" command is used to set file access control lists. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230436: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "pam_timestamp_check" +command is used to check if the default timestamp is valid. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "pam_timestamp_check" command is used to check if the default timestamp is valid. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230437: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "newgrp" command is +used to change the current group ID during a login session. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "newgrp" command is used to change the current group ID during a login session. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230438: +Old: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + + + +``` +--- +SV-230439: +Old: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement. + +The "unlink" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse. +The "rmdir" system call removes empty directories. +The "renameat" system call renames a file, moving it between directories if required. +The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement. + +The "unlink" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse. +The "rmdir" system call removes empty directories. +The "renameat" system call renames a file, moving it between directories if required. +The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. + + + +``` +--- +SV-230444: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "gpasswd" command is +used to administer /etc/group and /etc/gshadow. Every group can have +administrators, members and a password. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "gpasswd" command is used to administer /etc/group and /etc/gshadow. Every group can have administrators, members and a password. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230446: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "delete_module" +command is used to unload a kernel module. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "delete_module" command is used to unload a kernel module. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230447: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "crontab" command is +used to maintain crontab files for individual users. Crontab is the program +used to install, remove, or list the tables used to drive the cron daemon. This +is similar to the task scheduler used in other operating systems. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "crontab" command is used to maintain crontab files for individual users. Crontab is the program used to install, remove, or list the tables used to drive the cron daemon. This is similar to the task scheduler used in other operating systems. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230448: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "chsh" command is +used to change the login shell. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chsh" command is used to change the login shell. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230449: +Old: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. + +The "creat" system call is used to open and possibly create a file or device. +The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open". +The "openat" system call opens a file specified by a relative pathname. +The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of "openat" into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. + +The "creat" system call is used to open and possibly create a file or device. +The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open". +The "openat" system call opens a file specified by a relative pathname. +The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of "openat" into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + + + +``` +--- +SV-230455: +Old: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group. + +The "fchown" system call is used to change the ownership of a file referred to by the open file descriptor. +The "fchownat" system call is used to change ownership of a file relative to a directory file descriptor. +The "lchown" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group. + +The "fchown" system call is used to change the ownership of a file referred to by the open file descriptor. +The "fchownat" system call is used to change ownership of a file relative to a directory file descriptor. +The "lchown" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + + + +``` +--- +SV-230456: +Old: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits. + +The "fchmod" system call is used to change permissions of a file. +The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits. + +The "fchmod" system call is used to change permissions of a file. +The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. + + + +``` +--- +SV-230462: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "sudo" command allows +a permitted user to execute a command as the superuser or another user, as +specified by the security policy. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "sudo" command allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230463: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "usermod" command +modifies the system account files to reflect the changes that are specified on +the command line. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "usermod" command modifies the system account files to reflect the changes that are specified on the command line. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230464: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "chacl" command is +used to change the access control list of a file or directory. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chacl" command is used to change the access control list of a file or directory. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230465: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "kmod" command is +used to control Linux Kernel modules. + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. + + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "kmod" command is used to control Linux Kernel modules. + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. + +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + + + +``` +--- +SV-230466: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. + + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + + From "Pam_Faillock man" pages: Note the default directory that +pam_faillock uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. + +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + +From "Pam_Faillock man" pages: Note the default directory that pam_faillock uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230467: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. + + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. + +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + + + +``` +--- +SV-230468: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + If auditing is enabled late in the startup process, the actions of some +startup processes may not be audited. Some audit systems also maintain state +information only available if auditing is enabled before a given process is +created. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. + + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. + +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + + + +``` +--- +SV-230469: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + If auditing is enabled late in the startup process, the actions of some +startup processes may not be audited. Some audit systems also maintain state +information only available if auditing is enabled before a given process is +created. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + Allocating an audit_backlog_limit of sufficient size is critical in +maintaining a stable boot process. With an insufficient limit allocated, the +system is susceptible to boot failures and crashes. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +Allocating an audit_backlog_limit of sufficient size is critical in maintaining a stable boot process. With an insufficient limit allocated, the system is susceptible to boot failures and crashes. + +``` +--- +SV-230470: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + If auditing is enabled late in the startup process, the actions of some +startup processes may not be audited. Some audit systems also maintain state +information only available if auditing is enabled before a given process is +created. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. + + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. + +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + + + +``` +--- +SV-230471: +Old: +``` +Without the capability to restrict the roles and individuals that can +select which events are audited, unauthorized personnel may be able to prevent +the auditing of critical events. Misconfigured audits may degrade the system's +performance by overwhelming the audit log. Misconfigured audits may also make +it more difficult to establish, correlate, and investigate the events relating +to an incident or identify those responsible for one. + +``` +New: +``` +Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +``` +--- +SV-230472: +Old: +``` +Protecting audit information also includes identifying and protecting +the tools used to view and manipulate log data. Therefore, protecting audit +tools is necessary to prevent unauthorized operation on audit information. + + RHEL 8 systems providing tools to interface with audit information will +leverage user permissions and roles identifying the user accessing the tools, +and the corresponding rights the user enjoys, to make access decisions +regarding the access to audit tools. + + Audit tools include, but are not limited to, vendor-provided and open +source audit tools needed to successfully view and manipulate audit information +system activity and records. Audit tools include custom queries and report +generators. + +``` +New: +``` +Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + +RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + +``` +--- +SV-230473: +Old: +``` +Protecting audit information also includes identifying and protecting +the tools used to view and manipulate log data. Therefore, protecting audit +tools is necessary to prevent unauthorized operation on audit information. + + RHEL 8 systems providing tools to interface with audit information will +leverage user permissions and roles identifying the user accessing the tools, +and the corresponding rights the user enjoys, to make access decisions +regarding the access to audit tools. + + Audit tools include, but are not limited to, vendor-provided and open +source audit tools needed to successfully view and manipulate audit information +system activity and records. Audit tools include custom queries and report +generators. + +``` +New: +``` +Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + +RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + + + +``` +--- +SV-230474: +Old: +``` +Protecting audit information also includes identifying and protecting +the tools used to view and manipulate log data. Therefore, protecting audit +tools is necessary to prevent unauthorized operation on audit information. + + RHEL 8 systems providing tools to interface with audit information will +leverage user permissions and roles identifying the user accessing the tools, +and the corresponding rights the user enjoys, to make access decisions +regarding the access to audit tools. + + Audit tools include, but are not limited to, vendor-provided and open +source audit tools needed to successfully view and manipulate audit information +system activity and records. Audit tools include custom queries and report +generators. + +``` +New: +``` +Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + +RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + + + +``` +--- +SV-230475: +Old: +``` +Protecting the integrity of the tools used for auditing purposes is a +critical step toward ensuring the integrity of audit information. Audit +information includes all information (e.g., audit records, audit settings, and +audit reports) needed to successfully audit information system activity. + + Audit tools include, but are not limited to, vendor-provided and open +source audit tools needed to successfully view and manipulate audit information +system activity and records. Audit tools include custom queries and report +generators. + + It is not uncommon for attackers to replace the audit tools or inject code +into the existing tools with the purpose of providing the capability to hide or +erase system activity from the audit logs. + + To address this risk, audit tools must be cryptographically signed to +provide the capability to identify when the audit tools have been modified, +manipulated, or replaced. An example is a checksum hash of the file or files. + +``` +New: +``` +Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. + +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + +It is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. + +To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. + +``` +--- +SV-230476: +Old: +``` +To ensure RHEL 8 systems have a sufficient storage capacity in which +to write the audit logs, RHEL 8 needs to be able to allocate audit record +storage capacity. + + The task of allocating audit record storage capacity is usually performed +during initial installation of RHEL 8. + +``` +New: +``` +To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity. + +The task of allocating audit record storage capacity is usually performed during initial installation of RHEL 8. + +``` +--- +SV-230477: +Old: +``` +Information stored in one location is vulnerable to accidental or +incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit +storage capacity. + + RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system +utility providing support for message logging. Support for both internet and +UNIX domain sockets enables this utility to support both local and remote +logging. Couple this utility with "gnutls" (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to +securely encrypt and off-load auditing. + + Rsyslog provides three ways to forward message: the traditional UDP +transport, which is extremely lossy but standard; the plain TCP based +transport, which loses messages only during certain situations but is widely +available; and the RELP transport, which does not lose messages but is +currently available only as part of the rsyslogd 3.15.0 and above. + Examples of each configuration: + UDP *.* @remotesystemname + TCP *.* @@remotesystemname + RELP *.* :omrelp:remotesystemname:2514 + Note that a port number was given as there is no standard port for RELP. + +``` +New: +``` +Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Off-loading is a common process in information systems with limited audit storage capacity. + +RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. + +Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above. +Examples of each configuration: +UDP *.* @remotesystemname +TCP *.* @@remotesystemname +RELP *.* :omrelp:remotesystemname:2514 +Note that a port number was given as there is no standard port for RELP. + +``` +--- +SV-230478: +Old: +``` +Information stored in one location is vulnerable to accidental or +incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit +storage capacity. + + RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system +utility providing support for message logging. Support for both internet and +UNIX domain sockets enables this utility to support both local and remote +logging. Couple this utility with "rsyslog-gnutls" (which is a secure +communications library implementing the SSL, TLS and DTLS protocols), and you +have a method to securely encrypt and off-load auditing. + + Rsyslog provides three ways to forward message: the traditional UDP +transport, which is extremely lossy but standard; the plain TCP based +transport, which loses messages only during certain situations but is widely +available; and the RELP transport, which does not lose messages but is +currently available only as part of the rsyslogd 3.15.0 and above. + Examples of each configuration: + UDP *.* @remotesystemname + TCP *.* @@remotesystemname + RELP *.* :omrelp:remotesystemname:2514 + Note that a port number was given as there is no standard port for RELP. + +``` +New: +``` +Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Off-loading is a common process in information systems with limited audit storage capacity. + +RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "rsyslog-gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. + +Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above. +Examples of each configuration: +UDP *.* @remotesystemname +TCP *.* @@remotesystemname +RELP *.* :omrelp:remotesystemname:2514 +Note that a port number was given as there is no standard port for RELP. + +``` +--- +SV-230479: +Old: +``` +Information stored in one location is vulnerable to accidental or +incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit +storage capacity. + + RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system +utility providing support for message logging. Support for both internet and +UNIX domain sockets enables this utility to support both local and remote +logging. Couple this utility with "gnutls" (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to +securely encrypt and off-load auditing. + + Rsyslog provides three ways to forward message: the traditional UDP +transport, which is extremely lossy but standard; the plain TCP based +transport, which loses messages only during certain situations but is widely +available; and the RELP transport, which does not lose messages but is +currently available only as part of the rsyslogd 3.15.0 and above. + Examples of each configuration: + UDP *.* @remotesystemname + TCP *.* @@remotesystemname + RELP *.* :omrelp:remotesystemname:2514 + Note that a port number was given as there is no standard port for RELP. + +``` +New: +``` +Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Off-loading is a common process in information systems with limited audit storage capacity. + +RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. + +Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above. +Examples of each configuration: +UDP *.* @remotesystemname +TCP *.* @@remotesystemname +RELP *.* :omrelp:remotesystemname:2514 +Note that a port number was given as there is no standard port for RELP. + + + +``` +--- +SV-230480: +Old: +``` +Information stored in one location is vulnerable to accidental or +incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit +storage capacity. + + RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system +utility providing support for message logging. Support for both internet and +UNIX domain sockets enables this utility to support both local and remote +logging. Couple this utility with "gnutls" (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to +securely encrypt and off-load auditing. + +``` +New: +``` +Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Off-loading is a common process in information systems with limited audit storage capacity. + +RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. + + + +``` +--- +SV-230481: +Old: +``` +Information stored in one location is vulnerable to accidental or +incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit +storage capacity. + + RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system +utility providing support for message logging. Support for both internet and +UNIX domain sockets enables this utility to support both local and remote +logging. Couple this utility with "gnutls" (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to +securely encrypt and off-load auditing. + +``` +New: +``` +Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Off-loading is a common process in information systems with limited audit storage capacity. + +RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. + + + +``` +--- +SV-230482: +Old: +``` +Information stored in one location is vulnerable to accidental or +incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit +storage capacity. + + RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system +utility providing support for message logging. Support for both internet and +UNIX domain sockets enables this utility to support both local and remote +logging. Couple this utility with "gnutls" (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to +securely encrypt and off-load auditing. + + "Rsyslog" supported authentication modes include: + anon - anonymous authentication + x509/fingerprint - certificate fingerprint authentication + x509/certvalid - certificate validation only + x509/name - certificate validation and subject name authentication. + +``` +New: +``` +Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Off-loading is a common process in information systems with limited audit storage capacity. + +RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. + +"Rsyslog" supported authentication modes include: +anon - anonymous authentication +x509/fingerprint - certificate fingerprint authentication +x509/certvalid - certificate validation only +x509/name - certificate validation and subject name authentication. + + + +``` +--- +SV-230483: +Old: +``` +If security personnel are not notified immediately when storage volume + reaches 75 percent utilization, they are unable to plan for audit record + storage capacity expansion. + +``` +New: +``` +If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. + +``` +--- +SV-230484: +Old: +``` +Inaccurate time stamps make it more difficult to correlate events and +can lead to an inaccurate analysis. Determining the correct time a particular +event occurred on a system is critical when conducting forensic analysis and +investigating system events. Sources outside the configured acceptable +allowance (drift) may be inaccurate. + + Synchronizing internal information system clocks provides uniformity of +time stamps for information systems with multiple system clocks and systems +connected over a network. + + Organizations should consider endpoints that may not have regular access to +the authoritative time server (e.g., mobile, teleworking, and tactical +endpoints). + + If time stamps are not consistently applied and there is no common time +reference, it is difficult to perform forensic analysis. + + Time stamps generated by the operating system include date and time. Time +is commonly expressed in Coordinated Universal Time (UTC), a modern +continuation of Greenwich Mean Time (GMT), or local time with an offset from +UTC. + + RHEL 8 utilizes the "timedatectl" command to view the status of the +"systemd-timesyncd.service". The "timedatectl" status will display the +local time, UTC, and the offset from UTC. + + Note that USNO offers authenticated NTP service to DoD and U.S. Government +agencies operating on the NIPR and SIPR networks. Visit +https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information. + +``` +New: +``` +Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. + +Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. + +Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). + +If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. + +Time stamps generated by the operating system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. + +RHEL 8 utilizes the "timedatectl" command to view the status of the "systemd-timesyncd.service". The "timedatectl" status will display the local time, UTC, and the offset from UTC. + +Note that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information. + + + +``` +--- +SV-230487: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + Examples of non-essential capabilities include, but are not limited to, +games, software packages, tools, and demonstration software not related to +requirements or providing a wide array of functionality not required for every +mission, but which cannot be disabled. + + Verify the operating system is configured to disable non-essential +capabilities. The most secure way of ensuring a non-essential capability is +disabled is to not have the capability installed. + + The telnet service provides an unencrypted remote access service that does +not provide for the confidentiality and integrity of user passwords or the +remote session. + + If a privileged user were to log on using this service, the privileged user +password could be compromised. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. + +Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. + +The telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session. + +If a privileged user were to log on using this service, the privileged user password could be compromised. + +``` +--- +SV-230488: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + Examples of non-essential capabilities include, but are not limited to, +games, software packages, tools, and demonstration software not related to +requirements or providing a wide array of functionality not required for every +mission, but which cannot be disabled. + + Verify the operating system is configured to disable non-essential +capabilities. The most secure way of ensuring a non-essential capability is +disabled is to not have the capability installed. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. + +Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. + +``` +--- +SV-230489: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + Examples of non-essential capabilities include, but are not limited to, +games, software packages, tools, and demonstration software not related to +requirements or providing a wide array of functionality not required for every +mission, but which cannot be disabled. + + Verify the operating system is configured to disable non-essential +capabilities. The most secure way of ensuring a non-essential capability is +disabled is to not have the capability installed. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. + +Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. + +``` +--- +SV-230491: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + Examples of non-essential capabilities include, but are not limited to, +games, software packages, tools, and demonstration software not related to +requirements or providing a wide array of functionality not required for every +mission, but which cannot be disabled. + + Verify the operating system is configured to disable non-essential +capabilities. The most secure way of ensuring a non-essential capability is +disabled is to not have the capability installed. + + Kernel page-table isolation is a kernel feature that mitigates the Meltdown +security vulnerability and hardens the kernel against attempts to bypass kernel +address space layout randomization (KASLR). + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. + +Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. + +Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR). + +``` +--- +SV-230492: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + The rsh-server service provides an unencrypted remote access service that +does not provide for the confidentiality and integrity of user passwords or the +remote session and has very weak authentication. + + If a privileged user were to log on using this service, the privileged user +password could be compromised. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. + +If a privileged user were to log on using this service, the privileged user password could be compromised. + + + +``` +--- +SV-230493: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Failing to disconnect from collaborative computing devices (i.e., cameras) +can result in subsequent compromises of organizational information. Providing +easy methods to physically disconnect from such devices after a collaborative +computing session helps to ensure participants actually carry out the +disconnect activity without having to go through complex and tedious procedures. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures. + + + +``` +--- +SV-230494: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Failing to disconnect unused protocols can result in a system compromise. + + The Asynchronous Transfer Mode (ATM) is a protocol operating on network, +data link, and physical layers, based on virtual circuits and virtual paths. +Disabling ATM protects the system against exploitation of any laws in its +implementation. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Failing to disconnect unused protocols can result in a system compromise. + +The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. Disabling ATM protects the system against exploitation of any laws in its implementation. + +``` +--- +SV-230495: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Failing to disconnect unused protocols can result in a system compromise. + + The Controller Area Network (CAN) is a serial communications protocol, +which was initially developed for automotive and is now also used in marine, +industrial, and medical applications. Disabling CAN protects the system against +exploitation of any flaws in its implementation. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Failing to disconnect unused protocols can result in a system compromise. + +The Controller Area Network (CAN) is a serial communications protocol, which was initially developed for automotive and is now also used in marine, industrial, and medical applications. Disabling CAN protects the system against exploitation of any flaws in its implementation. + +``` +--- +SV-230496: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Failing to disconnect unused protocols can result in a system compromise. + + The Stream Control Transmission Protocol (SCTP) is a transport layer +protocol, designed to support the idea of message-oriented communication, with +several streams of messages within one connection. Disabling SCTP protects the +system against exploitation of any flaws in its implementation. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Failing to disconnect unused protocols can result in a system compromise. + +The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation. + +``` +--- +SV-230497: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Failing to disconnect unused protocols can result in a system compromise. + + The Transparent Inter-Process Communication (TIPC) protocol is designed to +provide communications between nodes in a cluster. Disabling TIPC protects the +system against exploitation of any flaws in its implementation. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Failing to disconnect unused protocols can result in a system compromise. + +The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. Disabling TIPC protects the system against exploitation of any flaws in its implementation. + +``` +--- +SV-230498: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Removing support for unneeded filesystem types reduces the local attack +surface of the server. + + Compressed ROM/RAM file system (or cramfs) is a read-only file system +designed for simplicity and space-efficiency. It is mainly used in embedded +and small-footprint systems. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Removing support for unneeded filesystem types reduces the local attack surface of the server. + +Compressed ROM/RAM file system (or cramfs) is a read-only file system designed for simplicity and space-efficiency. It is mainly used in embedded and small-footprint systems. + +``` +--- +SV-230499: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time +communication. Disabling FireWire protects the system against exploitation of +any flaws in its implementation. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. Disabling FireWire protects the system against exploitation of any flaws in its implementation. + +``` +--- +SV-230500: +Old: +``` +To prevent unauthorized connection of devices, unauthorized transfer +of information, or unauthorized tunneling (i.e., embedding of data types within +data types), organizations must disable or restrict unused or unnecessary +physical and logical ports/protocols on information systems. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services provided by default may not be +necessary to support essential organizational operations. Additionally, it is +sometimes convenient to provide multiple services from a single component +(e.g., VPN and IPS); however, doing so increases risk over limiting the +services provided by any one component. + + To support the requirements and principles of least functionality, the +operating system must support the organizational requirements, providing only +essential capabilities and limiting the use of ports, protocols, and/or +services to only those required, authorized, and approved to conduct official +business or to address authorized quality-of-life issues. + +``` +New: +``` +To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. + +To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues. + +``` +--- +SV-230502: +Old: +``` +Automatically mounting file systems permits easy introduction of +unknown devices, thereby facilitating malicious activity. + +``` +New: +``` +Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. + +``` +--- +SV-230503: +Old: +``` +USB mass storage permits easy introduction of unknown devices, thereby +facilitating malicious activity. + +``` +New: +``` +USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. + + + +``` +--- +SV-230504: +Old: +``` +Failure to restrict network connectivity only to authorized systems +permits inbound connections from malicious systems. It also permits outbound +connections that may facilitate exfiltration of DoD data. + + RHEL 8 incorporates the "firewalld" daemon, which allows for many +different configurations. One of these configurations is zones. Zones can be +utilized to a deny-all, allow-by-exception approach. The default "drop" zone +will drop all incoming network packets unless it is explicitly allowed by the +configuration file or is related to an outgoing network connection. + +``` +New: +``` +Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. + +RHEL 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection. + +``` +--- +SV-230505: +Old: +``` +"Firewalld" provides an easy and effective way to block/limit remote +access to the system via ports, services, and protocols. + + Remote access services, such as those providing remote access to network +devices and information systems, which lack automated control capabilities, +increase risk and make remote user access management difficult at best. + + Remote access is access to DoD nonpublic information systems by an +authorized user (or an information system) communicating through an external, +non-organization-controlled network. Remote access methods include, for +example, dial-up, broadband, and wireless. + + RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement +action if the audit reveals unauthorized activity. Automated control of remote +access sessions allows organizations to ensure ongoing compliance with remote +access policies by enforcing connection rules of remote access applications on +a variety of information system components (e.g., servers, workstations, +notebook computers, smartphones, and tablets). + +``` +New: +``` +"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. + +Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. + +Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). + +``` +--- +SV-230506: +Old: +``` +Without protection of communications with wireless peripherals, +confidentiality and integrity may be compromised because unprotected +communications can be intercepted and either read, altered, or used to +compromise the RHEL 8 operating system. + + This requirement applies to wireless peripheral technologies (e.g., +wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless +peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and +Near Field Communications [NFC]) present a unique challenge by creating an +open, unsecured port on a computer. Wireless peripherals must meet DoD +requirements for wireless data transmission and be approved for use by the +Authorizing Official (AO). Even though some wireless peripherals, such as mice +and pointing devices, do not ordinarily carry information that need to be +protected, modification of communications with these wireless peripherals may +be used to compromise the RHEL 8 operating system. Communication paths outside +the physical protection of a controlled boundary are exposed to the possibility +of interception and modification. + + Protecting the confidentiality and integrity of communications with +wireless peripherals can be accomplished by physical means (e.g., employing +physical barriers to wireless radio frequencies) or by logical means (e.g., +employing cryptographic techniques). If physical means of protection are +employed, then logical means (cryptography) do not have to be employed, and +vice versa. If the wireless peripheral is only passing telemetry data, +encryption of the data may not be required. + +``` +New: +``` +Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. + +This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required. + + + +``` +--- +SV-230507: +Old: +``` +Without protection of communications with wireless peripherals, +confidentiality and integrity may be compromised because unprotected +communications can be intercepted and either read, altered, or used to +compromise the RHEL 8 operating system. + + This requirement applies to wireless peripheral technologies (e.g., +wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless +peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and +Near Field Communications [NFC]) present a unique challenge by creating an +open, unsecured port on a computer. Wireless peripherals must meet DoD +requirements for wireless data transmission and be approved for use by the +Authorizing Official (AO). Even though some wireless peripherals, such as mice +and pointing devices, do not ordinarily carry information that need to be +protected, modification of communications with these wireless peripherals may +be used to compromise the RHEL 8 operating system. Communication paths outside +the physical protection of a controlled boundary are exposed to the possibility +of interception and modification. + + Protecting the confidentiality and integrity of communications with +wireless peripherals can be accomplished by physical means (e.g., employing +physical barriers to wireless radio frequencies) or by logical means (e.g., +employing cryptographic techniques). If physical means of protection are +employed, then logical means (cryptography) do not have to be employed, and +vice versa. If the wireless peripheral is only passing telemetry data, +encryption of the data may not be required. + +``` +New: +``` +Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. + +This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required. + +``` +--- +SV-230508: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230509: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230510: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230511: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230512: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230513: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230514: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230515: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230516: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230517: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230518: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230519: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230520: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230521: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230522: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230523: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + Utilizing a whitelist provides a configuration management method for +allowing the execution of only authorized software. Using only authorized +software decreases risk by limiting the number of potential vulnerabilities. +Verification of whitelisted software occurs prior to execution or at system +startup. + + User home directories/folders may contain information of a sensitive +nature. Non-privileged users should coordinate any sharing of information with +an SA through shared resources. + + RHEL 8 ships with many optional packages. One such package is a file access +policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that +determines access rights to files based on attributes of the process and file. +It can be used to either blacklist or whitelist processes or file access. + + Proceed with caution with enforcing the use of this daemon. Improper +configuration may render the system non-functional. The "fapolicyd" API is +not namespace aware and can cause issues when launching or running containers. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. + +User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources. + +RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access. + +Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. + + + +``` +--- +SV-230524: +Old: +``` +Without authenticating devices, unidentified or unknown devices may be +introduced, thereby facilitating malicious activity. + + Peripherals include, but are not limited to, such devices as flash drives, +external storage, and printers. + + A new feature that RHEL 8 provides is the USBGuard software framework. The +USBguard-daemon is the main component of the USBGuard software framework. It +runs as a service in the background and enforces the USB device authorization +policy for all USB devices. The policy is defined by a set of rules using a +rule language described in the usbguard-rules.conf file. The policy and the +authorization state of USB devices can be modified during runtime using the +usbguard tool. + + The System Administrator (SA) must work with the site Information System +Security Officer (ISSO) to determine a list of authorized peripherals and +establish rules within the USBGuard software framework to allow only authorized +devices. + +``` +New: +``` +Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. + +Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. + +A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. + +The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices. + +``` +--- +SV-230525: +Old: +``` +DoS is a condition when a resource is not available for legitimate +users. When this occurs, the organization either cannot accomplish its mission +or must operate at degraded capacity. + + This requirement addresses the configuration of RHEL 8 to mitigate the +impact of DoS attacks that have occurred or are ongoing on system availability. +For each system, known and potential DoS attacks must be identified and +solutions for each type implemented. A variety of technologies exists to limit +or, in some cases, eliminate the effects of DoS attacks (e.g., limiting +processes or establishing memory partitions). Employing increased capacity and +bandwidth, combined with service redundancy, may reduce the susceptibility to +some DoS attacks. + + Since version 0.6.0, "firewalld" has incorporated "nftables" as its +backend support. Utilizing the limit statement in "nftables" can help to +mitigate DoS attacks. + +``` +New: +``` +DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. + +This requirement addresses the configuration of RHEL 8 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. + +Since version 0.6.0, "firewalld" has incorporated "nftables" as its backend support. Utilizing the limit statement in "nftables" can help to mitigate DoS attacks. + +``` +--- +SV-230526: +Old: +``` +Without protection of the transmitted information, confidentiality and +integrity may be compromised because unprotected communications can be +intercepted and either read or altered. + + This requirement applies to both internal and external networks and all +types of information system components from which information can be +transmitted (e.g., servers, mobile devices, notebook computers, printers, +copiers, scanners, and facsimile machines). Communication paths outside the +physical protection of a controlled boundary are exposed to the possibility of +interception and modification. + + Protecting the confidentiality and integrity of organizational information +can be accomplished by physical means (e.g., employing physical distribution +systems) or by logical means (e.g., employing cryptographic techniques). If +physical means of protection are employed, then logical means (cryptography) do +not have to be employed, and vice versa. + +``` +New: +``` +Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. + +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. + + + +``` +--- +SV-230527: +Old: +``` +Without protection of the transmitted information, confidentiality and +integrity may be compromised because unprotected communications can be +intercepted and either read or altered. + + This requirement applies to both internal and external networks and all +types of information system components from which information can be +transmitted (e.g., servers, mobile devices, notebook computers, printers, +copiers, scanners, and facsimile machines). Communication paths outside the +physical protection of a controlled boundary are exposed to the possibility of +interception and modification. + + Protecting the confidentiality and integrity of organizational information +can be accomplished by physical means (e.g., employing physical distribution +systems) or by logical means (e.g., employing cryptographic techniques). If +physical means of protection are employed, then logical means (cryptography) do +not have to be employed, and vice versa. + + Session key regeneration limits the chances of a session key becoming +compromised. + +``` +New: +``` +Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. + +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. + +Session key regeneration limits the chances of a session key becoming compromised. + + + +``` +--- +SV-230529: +Old: +``` +A locally logged-on user, who presses Ctrl-Alt-Delete when at the +console, can reboot the system. If accidentally pressed, as could happen in the +case of a mixed OS environment, this can create the risk of short-term loss of +availability of systems due to unintentional reboot. In a graphical user +environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is +reduced because the user will be prompted before any action is taken. + +``` +New: +``` +A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + +``` +--- +SV-230530: +Old: +``` +A locally logged-on user, who presses Ctrl-Alt-Delete, when at the +console, can reboot the system. If accidentally pressed, as could happen in the +case of a mixed OS environment, this can create the risk of short-term loss of +availability of systems due to unintentional reboot. In a graphical user +environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is +reduced because the user will be prompted before any action is taken. + +``` +New: +``` +A locally logged-on user, who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + +``` +--- +SV-230531: +Old: +``` +A locally logged-on user who presses Ctrl-Alt-Delete when at the +console can reboot the system. If accidentally pressed, as could happen in the +case of a mixed OS environment, this can create the risk of short-term loss of +availability of systems due to unintentional reboot. In a graphical user +environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is +reduced because the user will be prompted before any action is taken. + +``` +New: +``` +A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + +``` +--- +SV-230532: +Old: +``` +The debug-shell requires no authentication and provides root +privileges to anyone who has physical access to the machine. While this +feature is disabled by default, masking it adds an additional layer of +assurance that it will not be enabled via a dependency in systemd. This also +prevents attackers with physical access from trivially bypassing security on +the machine through valid troubleshooting configurations and gaining root +access when the system is rebooted. + +``` +New: +``` +The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. + +``` +--- +SV-230533: +Old: +``` +If TFTP is required for operational support (such as the transmission +of router configurations) its use must be documented with the Information +System Security Officer (ISSO), restricted to only authorized personnel, and +have access control rules established. + +``` +New: +``` +If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established. + +``` +--- +SV-230534: +Old: +``` +If an account other than root also has a User Identifier (UID) of +"0", it has root authority, giving that account unrestricted access to the +entire operating system. Multiple accounts with a UID of "0" afford an +opportunity for potential intruders to guess a password for a privileged +account. + +``` +New: +``` +If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account. + +``` +--- +SV-230550: +Old: +``` +If unrestricted mail relaying is permitted, unauthorized senders could +use this host as a mail relay for the purpose of sending spam or other +unauthorized activity. + +``` +New: +``` +If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity. + +``` +--- +SV-230551: +Old: +``` +Extended attributes in file systems are used to contain arbitrary data +and file metadata with security implications. + + RHEL 8 installation media come with a file integrity tool, Advanced +Intrusion Detection Environment (AIDE). + +``` +New: +``` +Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. + +RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE). + +``` +--- +SV-230552: +Old: +``` +ACLs can provide permissions beyond those permitted through the file +mode and must be verified by file integrity tools. + + RHEL 8 installation media come with a file integrity tool, Advanced +Intrusion Detection Environment (AIDE). + +``` +New: +``` +ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools. + +RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE). + +``` +--- +SV-230553: +Old: +``` +Internet services that are not required for system or application +processes must not be active to decrease the attack surface of the system. +Graphical display managers have a long history of security vulnerabilities and +must not be used, unless approved and documented. + +``` +New: +``` +Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented. + +``` +--- +SV-230554: +Old: +``` +Network interfaces in promiscuous mode allow for the capture of all +network traffic visible to the system. If unauthorized individuals can access +these applications, it may allow them to collect information such as logon IDs, +passwords, and key exchanges between systems. + + If the system is being used to perform a network troubleshooting function, +the use of these tools must be documented with the Information System Security +Officer (ISSO) and restricted to only authorized personnel. + +``` +New: +``` +Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. + +If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel. + +``` +--- +SV-230555: +Old: +``` +The security risk of using X11 forwarding is that the client's X11 +display server may be exposed to attack when the SSH client requests +forwarding. A system administrator may have a stance in which they want to +protect clients that may expose themselves to attack by unwittingly requesting +X11 forwarding, which can warrant a "no" setting. + + X11 forwarding should be enabled with caution. Users with the ability to +bypass file permissions on the remote host (for the user's X11 authorization +database) can access the local X11 display through the forwarded connection. An +attacker may then be able to perform activities such as keystroke monitoring if +the ForwardX11Trusted option is also enabled. + + If X11 services are not required for the system's intended function, they +should be disabled or restricted as appropriate to the system’s needs. + +``` +New: +``` +The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a "no" setting. + +X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. + +If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs. + +``` +--- +SV-230556: +Old: +``` +When X11 forwarding is enabled, there may be additional exposure to +the server and client displays if the sshd proxy display is configured to +listen on the wildcard address. By default, sshd binds the forwarding server +to the loopback address and sets the hostname part of the DIPSLAY environment +variable to localhost. This prevents remote hosts from connecting to the proxy +display. + +``` +New: +``` +When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display. + +``` +--- +SV-230557: +Old: +``` +Restricting TFTP to a specific directory prevents remote users from +copying, transferring, or overwriting system files. + +``` +New: +``` +Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files. + +``` +--- +SV-230558: +Old: +``` +The FTP service provides an unencrypted remote access that does not +provide for the confidentiality and integrity of user passwords or the remote +session. If a privileged user were to log on using this service, the privileged +user password could be compromised. SSH or other encrypted file transfer +methods must be used in place of this service. + +``` +New: +``` +The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service. + +``` +--- +SV-230559: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + The gssproxy package is a proxy for GSS API credential handling and could +expose secrets on some networks. It is not needed for normal function of the OS. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +The gssproxy package is a proxy for GSS API credential handling and could expose secrets on some networks. It is not needed for normal function of the OS. + +``` +--- +SV-230560: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + The iprutils package provides a suite of utilities to manage and configure +SCSI devices supported by the ipr SCSI storage device driver. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +The iprutils package provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver. + +``` +--- +SV-230561: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + The tuned package contains a daemon that tunes the system settings +dynamically. It does so by monitoring the usage of several system components +periodically. Based on that information, components will then be put into lower +or higher power savings modes to adapt to the current usage. The tuned package +is not needed for normal OS operations. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +The tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. The tuned package is not needed for normal OS operations. + +``` +--- +SV-237640: +Old: +``` +Unapproved mechanisms that are used for authentication to the +cryptographic module are not verified and therefore cannot be relied upon to +provide confidentiality or integrity, and DoD data may be compromised. + + RHEL 8 systems utilizing encryption are required to use FIPS-compliant +mechanisms for authenticating to cryptographic modules. + + Currently, Kerberos does not utilize FIPS 140-2 cryptography. + + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD +requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a +general-purpose computing system. + +``` +New: +``` +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +Currently, Kerberos does not utilize FIPS 140-2 cryptography. + +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + +``` +--- +SV-237641: +Old: +``` +The sudo command allows a user to execute programs with elevated +(administrator) privileges. It prompts the user for their password and confirms +your request to execute a command by checking a file, called sudoers. If the +"sudoers" file is not configured correctly, any user defined on the system +can initiate privileged actions on the target system. + +``` +New: +``` +The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system. + +``` +--- +SV-237642: +Old: +``` +The sudoers security policy requires that users authenticate +themselves before they can use sudo. When sudoers requires authentication, it +validates the invoking user's credentials. If the rootpw, targetpw, or runaspw +flags are defined and not disabled, by default the operating system will prompt +the invoking user for the "root" user password. + For more information on each of the listed configurations, reference the +sudoers(5) manual page. + +``` +New: +``` +The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. +For more information on each of the listed configurations, reference the sudoers(5) manual page. + +``` +--- +SV-237643: +Old: +``` +Without re-authentication, users may access resources or perform tasks +for which they do not have authorization. + + When operating systems provide the capability to escalate a functional +capability, it is critical the organization requires the user to +re-authenticate when using the "sudo" command. + + If the value is set to an integer less than 0, the user's time stamp will +not expire and the user will not have to re-authenticate for privileged actions +until the user's session is terminated. + +``` +New: +``` +Without re-authentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. + +If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated. + +``` +--- +SV-244519: +Old: +``` +Display of a standardized and approved use notification before +granting access to the operating system ensures privacy and security +notification verbiage used is consistent with applicable federal laws, +Executive Orders, directives, policies, regulations, standards, and guidance. + + System use notifications are required only for access via logon interfaces +with human users and are not required when such human interfaces do not exist. + +``` +New: +``` +Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + + + +``` +--- +SV-244523: +Old: +``` +If the system does not require valid root authentication before it +boots into emergency or rescue mode, anyone who invokes emergency or rescue +mode is granted privileged access to all files on the system. + +``` +New: +``` +If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system. + +``` +--- +SV-244524: +Old: +``` +Unapproved mechanisms that are used for authentication to the +cryptographic module are not verified and therefore cannot be relied upon to +provide confidentiality or integrity, and DoD data may be compromised. + + RHEL 8 systems utilizing encryption are required to use FIPS-compliant +mechanisms for authenticating to cryptographic modules. + + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD +requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a +general-purpose computing system. + +``` +New: +``` +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + +``` +--- +SV-244525: +Old: +``` +Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. + +RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. + +``` +New: +``` +Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. + +RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. + + + +``` +--- +SV-244526: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by +an authorized user (or an information system) communicating through an +external, non-organization-controlled network. Remote access methods include, +for example, dial-up, broadband, and wireless. + + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates system-wide crypto policies by default. The SSH +configuration file has no effect on the ciphers, MACs, or algorithms unless +specifically defined in the /etc/sysconfig/sshd file. The employed algorithms +can be viewed in the /etc/crypto-policies/back-ends/ directory. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. + + + +``` +--- +SV-244527: +Old: +``` +The most important characteristic of a random number generator is its +randomness, namely its ability to deliver random numbers that are impossible to +predict. Entropy in computer security is associated with the unpredictability +of a source of randomness. The random source with high entropy tends to +achieve a uniform distribution of random values. Random number generators are +one of the most important building blocks of cryptosystems. + + The rngd service feeds random data from hardware device to kernel random +device. Quality (non-predictable) random number generation is important for +several security functions (i.e., ciphers). + +``` +New: +``` +The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The rngd service feeds random data from hardware device to kernel random device. Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers). + +``` +--- +SV-244528: +Old: +``` +Configuring this setting for the SSH daemon provides additional +assurance that remote logon via SSH will require a password, even in the event +of misconfiguration elsewhere. + +``` +New: +``` +Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere. + +``` +--- +SV-244529: +Old: +``` +The use of separate file systems for different paths can protect the +system from failures resulting from a file system becoming full or failing. + +``` +New: +``` +The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. + +``` +--- +SV-244530: +Old: +``` +The "nosuid" mount option causes the system not to execute +"setuid" and "setgid" files with owner privileges. This option must be used +for mounting any file system not containing approved "setuid" and "setguid" +files. Executing files from untrusted file systems increases the opportunity +for unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-244531: +Old: +``` +Excessive permissions on local interactive user home directories may +allow unauthorized access to user files by other users. + +``` +New: +``` +Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. + +``` +--- +SV-244532: +Old: +``` +If a local interactive user's files are group-owned by a group of +which the user is not a member, unintended users may be able to access them. + +``` +New: +``` +If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them. + +``` +--- +SV-244533: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + The preauth argument must be used when the module is called before the +modules which ask for the user credentials such as the password. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. +The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password. + + + +``` +--- +SV-244534: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + The preauth argument must be used when the module is called before the +modules which ask for the user credentials such as the password. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. +The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password. + + + +``` +--- +SV-244535: +Old: +``` +A session time-out lock is a temporary action taken when a user stops +work and moves away from the immediate physical vicinity of the information +system but does not log out because of the temporary nature of the absence. +Rather than relying on the user to manually lock their operating system session +prior to vacating the vicinity, operating systems need to be able to identify +when a user's session has idled and take action to initiate the session lock. + + The session lock is implemented at the point where session activity can be +determined and/or controlled. + +``` +New: +``` +A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. + +The session lock is implemented at the point where session activity can be determined and/or controlled. + + + +``` +--- +SV-244536: +Old: +``` +Leaving the user list enabled is a security risk since it allows +anyone with physical access to the system to enumerate known user accounts +without authenticated access to the system. + +``` +New: +``` +Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system. + +``` +--- +SV-244538: +Old: +``` +A session time-out lock is a temporary action taken when a user stops +work and moves away from the immediate physical vicinity of the information +system but does not log out because of the temporary nature of the absence. +Rather than relying on the user to manually lock their operating system session +prior to vacating the vicinity, operating systems need to be able to identify +when a user's session has idled and take action to initiate the session lock. + + The session lock is implemented at the point where session activity can be +determined and/or controlled. + + Implementing session settings will have little value if a user is able to +manipulate these settings from the defaults prescribed in the other +requirements of this implementation guide. + + Locking these settings from non-privileged users is crucial to maintaining +a protected baseline. + +``` +New: +``` +A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. + +The session lock is implemented at the point where session activity can be determined and/or controlled. + +Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide. + +Locking these settings from non-privileged users is crucial to maintaining a protected baseline. + + + +``` +--- +SV-244539: +Old: +``` +A session time-out lock is a temporary action taken when a user stops +work and moves away from the immediate physical vicinity of the information +system but does not log out because of the temporary nature of the absence. +Rather than relying on the user to manually lock their operating system session +prior to vacating the vicinity, operating systems need to be able to identify +when a user's session has idled and take action to initiate the session lock. + + The session lock is implemented at the point where session activity can be +determined and/or controlled. + + Implementing session settings will have little value if a user is able to +manipulate these settings from the defaults prescribed in the other +requirements of this implementation guide. + + Locking these settings from non-privileged users is crucial to maintaining +a protected baseline. + +``` +New: +``` +A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. + +The session lock is implemented at the point where session activity can be determined and/or controlled. + +Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide. + +Locking these settings from non-privileged users is crucial to maintaining a protected baseline. + + + +``` +--- +SV-244541: +Old: +``` +If an account has an empty password, anyone could log on and run +commands with the privileges of that account. Accounts with empty passwords +should never be used in operational environments. + +``` +New: +``` +If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. + +``` +--- +SV-244542: +Old: +``` +Without establishing what type of events occurred, the source of +events, where events occurred, and the outcome of events, it would be difficult +to establish, correlate, and investigate the events leading up to an outage or +attack. + + Audit record content that may be necessary to satisfy this requirement +includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, +filenames involved, and access control or flow control rules invoked. + + Associating event types with detected events in RHEL 8 audit logs provides +a means of investigating an attack, recognizing resource utilization or +capacity thresholds, or identifying an improperly configured RHEL 8 system. + +``` +New: +``` +Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system. + + + +``` +--- +SV-244543: +Old: +``` +If security personnel are not notified immediately when storage volume +reaches 75 percent utilization, they are unable to plan for audit record +storage capacity expansion. + +``` +New: +``` +If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. + +``` +--- +SV-244544: +Old: +``` +"Firewalld" provides an easy and effective way to block/limit remote +access to the system via ports, services, and protocols. + + Remote access services, such as those providing remote access to network +devices and information systems, which lack automated control capabilities, +increase risk and make remote user access management difficult at best. + + Remote access is access to DoD nonpublic information systems by an +authorized user (or an information system) communicating through an external, +non-organization-controlled network. Remote access methods include, for +example, dial-up, broadband, and wireless. + RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement +action if the audit reveals unauthorized activity. Automated control of remote +access sessions allows organizations to ensure ongoing compliance with remote +access policies by enforcing connection rules of remote access applications on +a variety of information system components (e.g., servers, workstations, +notebook computers, smartphones, and tablets). + +``` +New: +``` +"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. + +Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. + +Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. +RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). + +``` +--- +SV-244545: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + Utilizing a whitelist provides a configuration management method for +allowing the execution of only authorized software. Using only authorized +software decreases risk by limiting the number of potential vulnerabilities. +Verification of whitelisted software occurs prior to execution or at system +startup. + + User home directories/folders may contain information of a sensitive +nature. Non-privileged users should coordinate any sharing of information with +an SA through shared resources. + + RHEL 8 ships with many optional packages. One such package is a file access +policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that +determines access rights to files based on attributes of the process and file. +It can be used to either blacklist or whitelist processes or file access. + + Proceed with caution with enforcing the use of this daemon. Improper +configuration may render the system non-functional. The "fapolicyd" API is +not namespace aware and can cause issues when launching or running containers. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. + +User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources. + +RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access. + +Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. + + + +``` +--- +SV-244546: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + Utilizing a whitelist provides a configuration management method for +allowing the execution of only authorized software. Using only authorized +software decreases risk by limiting the number of potential vulnerabilities. +Verification of whitelisted software occurs prior to execution or at system +startup. + + User home directories/folders may contain information of a sensitive +nature. Non-privileged users should coordinate any sharing of information with +an SA through shared resources. + + RHEL 8 ships with many optional packages. One such package is a file access +policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that +determines access rights to files based on attributes of the process and file. +It can be used to either blacklist or whitelist processes or file access. + + Proceed with caution with enforcing the use of this daemon. Improper +configuration may render the system non-functional. The "fapolicyd" API is +not namespace aware and can cause issues when launching or running containers. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. + +User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources. + +RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access. + +Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. + + + +``` +--- +SV-244547: +Old: +``` +Without authenticating devices, unidentified or unknown devices may be +introduced, thereby facilitating malicious activity. + Peripherals include, but are not limited to, such devices as flash drives, +external storage, and printers. + A new feature that RHEL 8 provides is the USBGuard software framework. The +USBguard-daemon is the main component of the USBGuard software framework. It +runs as a service in the background and enforces the USB device authorization +policy for all USB devices. The policy is defined by a set of rules using a +rule language described in the usbguard-rules.conf file. The policy and the +authorization state of USB devices can be modified during runtime using the +usbguard tool. + + The System Administrator (SA) must work with the site Information System +Security Officer (ISSO) to determine a list of authorized peripherals and +establish rules within the USBGuard software framework to allow only authorized +devices. + +``` +New: +``` +Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. +Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. +A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. + +The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices. + +``` +--- +SV-244548: +Old: +``` +Without authenticating devices, unidentified or unknown devices may be +introduced, thereby facilitating malicious activity. + + Peripherals include, but are not limited to, such devices as flash drives, +external storage, and printers. + + A new feature that RHEL 8 provides is the USBGuard software framework. The +USBguard-daemon is the main component of the USBGuard software framework. It +runs as a service in the background and enforces the USB device authorization +policy for all USB devices. The policy is defined by a set of rules using a +rule language described in the usbguard-rules.conf file. The policy and the +authorization state of USB devices can be modified during runtime using the +usbguard tool. + + The System Administrator (SA) must work with the site Information System +Security Officer (ISSO) to determine a list of authorized peripherals and +establish rules within the USBGuard software framework to allow only authorized +devices. + +``` +New: +``` +Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. + +Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. + +A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. + +The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices. + +``` +--- +SV-244549: +Old: +``` +Without protection of the transmitted information, confidentiality and +integrity may be compromised because unprotected communications can be +intercepted and either read or altered. + + This requirement applies to both internal and external networks and all +types of information system components from which information can be +transmitted (e.g., servers, mobile devices, notebook computers, printers, +copiers, scanners, and facsimile machines). Communication paths outside the +physical protection of a controlled boundary are exposed to the possibility of +interception and modification. + + Protecting the confidentiality and integrity of organizational information +can be accomplished by physical means (e.g., employing physical distribution +systems) or by logical means (e.g., employing cryptographic techniques). If +physical means of protection are employed, then logical means (cryptography) do +not have to be employed, and vice versa. + +``` +New: +``` +Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. + +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. + + + +``` +--- +SV-250315: +Old: +``` +By limiting the number of failed logon attempts, the risk of + unauthorized system access via user password guessing, otherwise known as + brute-force attacks, is reduced. Limits are imposed by locking the account. + + From "faillock.conf" man pages: Note that the default directory that + "pam_faillock" uses is usually cleared on system boot so the access will be + re-enabled after system reboot. If that is undesirable, a different tally + directory must be set with the "dir" option. + + SELinux, enforcing a targeted policy, will require any non-default tally + directory's security context type to match the default directory's security + context type. Without updating the security context type, the pam_faillock + module will not write failed login attempts to the non-default tally directory. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be re-enabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option. + +SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type. Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory. + +``` +--- +SV-250316: +Old: +``` +By limiting the number of failed logon attempts, the risk of + unauthorized system access via user password guessing, otherwise known as + brute-force attacks, is reduced. Limits are imposed by locking the account. + + From "Pam_Faillock" man pages: Note that the default directory that + "pam_faillock" uses is usually cleared on system boot so the access will be + reenabled after system reboot. If that is undesirable, a different tally + directory must be set with the "dir" option. + + SELinux, enforcing a targeted policy, will require any non-default tally + directory's security context type to match the default directory's security + context type. Without updating the security context type, the pam_faillock + module will not write failed login attempts to the non-default tally directory. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option. + +SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type. Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory. + +``` +--- +SV-250317: +Old: +``` +Routing protocol daemons are typically used on routers to exchange network + topology information with other routers. If this software is used when not required, + system network information may be unnecessarily transmitted across the network. + + The sysctl --system command will load settings from all system configuration files. + + All configuration files are sorted by their filename in lexicographic order, regardless + of which of the directories they reside in. If multiple files specify the same option, + the entry in the file with the lexicographically latest name will take precedence. + + Files are read from directories in the following list from top to bottom. Once a file of a + given filename is loaded, any file of the same name in subsequent directories is ignored. + + /etc/sysctl.d/*.conf + /run/sysctl.d/*.conf + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf + /etc/sysctl.conf + +``` +New: +``` +Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. + +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +/etc/sysctl.d/*.conf +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf + +``` +--- +SV-251707: +Old: +``` +If RHEL 8 were to allow any user to make changes to software libraries, + then those changes might be implemented without undergoing the appropriate + testing and approvals that are part of a robust change management process. + + This requirement applies to RHEL 8 with software libraries that are accessible + and configurable, as in the case of interpreted languages. Software libraries + also include privileged programs that execute with escalated privileges. Only + qualified and authorized individuals will be allowed to obtain access to + information system components for purposes of initiating changes, including + upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-251708: +Old: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-251709: +Old: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-251710: +Old: +``` +Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. + Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the + system security policy and supporting the isolation of code and data on which the protection is based. Security functionality + includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), + setting events to be audited, and setting intrusion detection parameters. + + This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and + environments that require this functionality. + +``` +New: +``` +Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + +This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and environments that require this functionality. + +``` +--- +SV-251711: +Old: +``` +The "sudo" command allows authorized users to run programs (including shells) as other users, + system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as + well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" + file allow configured users to run programs without re-authenticating. Use of these configuration + options makes it easier for one compromised account to be used to compromise other accounts. + + It is possible to include other sudoers files from within the sudoers file currently being parsed + using the #include and #includedir directives. When sudo reaches this line it will suspend + processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the + end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are + included may themselves include other files. A hard limit of 128 nested include files is enforced + to prevent include file loops. + +``` +New: +``` +The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. + +It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops. + +``` +--- +SV-251712: +Old: +``` +Without re-authentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. + +``` +New: +``` +Without re-authentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. + + + +``` +--- +SV-254520: +Old: +``` +Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. + +Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users. + +``` +New: +``` +Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. + +Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users. + +``` +--- +
\ No newline at end of file diff --git a/src/assets/img/update_controls4delta_output.png b/src/assets/img/update_controls4delta_output.png new file mode 100644 index 000000000..fced845c8 Binary files /dev/null and b/src/assets/img/update_controls4delta_output.png differ diff --git a/src/courses/delta/02.md b/src/courses/delta/02.md index f5d06629a..91d6d3a07 100644 --- a/src/courses/delta/02.md +++ b/src/courses/delta/02.md @@ -15,6 +15,8 @@ To conduct the delta process, the following are needed: ::: note Using Generated Profile Stubs Although not a requirement, it is recommended to use a generated profile stub from the `saf generate inspec_profile` command to use as a skeleton profile based on the XCCDF benchmark guidance (STIG or CIS). This ensures consistency across profiles. + +For more information on this command, refer to the documentation for [`inspec_profile`](https://saf-cli.mitre.org/#inspec-profile) ::: The [Delta CLI Tools section](./03.md#31-cli-tools) covers specific requirements for both the `delta` and `update_controls4delta` commands. diff --git a/src/courses/delta/03.md b/src/courses/delta/03.md index e3ad674e3..29f377319 100644 --- a/src/courses/delta/03.md +++ b/src/courses/delta/03.md @@ -53,16 +53,19 @@ If there is no way to trace controls in baseline X to its corresponding controls The `delta` process extends the capabilities of the `update_controls4delta` process by providing the following functionalities: 1. Creates new controls found in updated guidances -3. Fuzzy matching capability (optional) +2. Fuzzy matching capability (optional) a - Maps controls based on similarity and not control IDs b - For controls which a match is found, the describe block (code) within the old control is mapped over to the new control 3. Detailed logging a - report file (.md), mapping statistics (CliProcessOutput.log) +
You can invoke the command as such: ``` saf generate delta -X ./baseline_Y_xccdf_guidance_file.xml -J baseline_X_summary.json -o new_baseline_Y_controls_directory -M -c baseline_X_controls_directory ``` +
+ ::: tip Optional Fuzzy Matching Flags The `-M` and `-c` flags can be removed if not using fuzzy matching feature. ::: @@ -76,6 +79,7 @@ For more information on these commands, refer to the following documentation: - [update_controls4delta](https://saf-cli.mitre.org/#delta-supporting-options) - [saf generate delta](https://saf-cli.mitre.org/#delta) +
::: warning Delta Process Limitations This process has been tested using DISA XCCDF STIG Benchmark Guidances only. diff --git a/src/courses/delta/05.md b/src/courses/delta/05.md index 0e29398fa..6fe9d4e17 100644 --- a/src/courses/delta/05.md +++ b/src/courses/delta/05.md @@ -6,12 +6,37 @@ author: Daniel Medina, George Dias --- ## 5.1 Logging Capabilities of Delta -### 5.1.1 Report Markdown File (.md) -Specified by the report flag (`-r`) +### 5.1.1 CLIProcessOutput.log + +A detailed log of the output of the command execution with additional information and metadata. + +[Example Log File Output](../../assets/downloads/CliProcessOutput.log) ### 5.1.2 delta.json -### 5.1.3 CLIProcessOutput.log +Automatically generated and outputted to the same directory as the outputted profile controls, this JSON file summarizes the results of the delta process. + +Results are summarized at the top of the report according to the type of change: +1. addedControlIDs: A list of new controls added to the profile +2. removedControlIDs: A list of controls removed from the profile +3. renamedControlIDs: A list of controls that had their IDs change +4. changedControlIDs: A list of controls with changes to the metadata + +Details of the changes are given afterwards as follows: + +1. addedControls: The contents of each control that was added to the profile +2. changedControls: The parts of each control that were modified / replaced during the command execution + +[Example delta.json file](../../assets/downloads/delta.json) + +### 5.1.3 Report Markdown File (.md) + +Specified by the report flag (`-r`), generates a markdown formatted report of the same information found in the delta.json file. + +[Example Report Markdown File](../../assets/downloads/report.md) + + +## 5.2 Logging Capabilities of Update Controls -Outputted to the directory where the delta process is being executed. \ No newline at end of file +![Example Output from update_controls4delta](../../assets/img/update_controls4delta_output.png) \ No newline at end of file diff --git a/src/courses/delta/06.md b/src/courses/delta/06.md index 92e1baf55..077b08f6e 100644 --- a/src/courses/delta/06.md +++ b/src/courses/delta/06.md @@ -7,11 +7,11 @@ author: Daniel Medina, George Dias ## 6.1 InSpec Delta Formatting Process -### 6.1.2 Preparing the Profile Before Running Delta Process - Before performing delta process, it's beneficial to use a common format. Follow these steps: -1. **Run Rubocop:** Install the Cookstyle gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list rubocop`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `rubocop -a ./controls`. +### 6.1.1 Preparing the Profile Before Running Delta Process + +1. **Run Rubocop:** Install the Rubocop gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list rubocop`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `rubocop -a ./controls`. ::: details Rubocop Configuration File (rubocop.yml) ``` @@ -315,15 +315,20 @@ Style/SwapValues: # new in 1.1 ## 6.2 Testing Commands +Upon completion of the delta process, you may want to test the correctness of the new and updated controls. + ### 6.2.1 Linting and validating controls: +The current available commands for testing are: + ``` bundle exec rake [inspec or cinc-auditor]:check # validate the inspec profile bundle exec rake lint # Run RuboCop bundle exec rake lint:autocorrect # Autocorrect RuboCop offenses (only when it's safe) bundle exec rake lint:autocorrect_all # Autocorrect RuboCop offenses (safe and unsafe) - bundle exec rake pre_commit_checks # pre-commit checks + bundle exec rake pre_commit_checks # Ensure the controls are ready to be committed into the repo ``` +
:::note Profile Controls Formatting In the past, cookstyle format was used. However, support for cookstyle formatted profiles is limited and is geared more towards Chef cookbooks. Profile controls are written in ruby code, hence rubocop is preferred. diff --git a/src/courses/delta/README.md b/src/courses/delta/README.md index 325c7ce3d..1e06e7d51 100644 --- a/src/courses/delta/README.md +++ b/src/courses/delta/README.md @@ -15,8 +15,9 @@ By the end of this class, you should be able to: - Understand the purpose of the SAF Delta process tools, `update_controls4delta` and `delta` - Use these tools to update inspec profiles - Understand how and where to apply these tools in different situations (Use Cases) +- Use the delta fuzzy matching system to map controls between two profiles - Be familiar with the delta process logging capabilities and generated artifacts -- Using the delta fuzzy matching system to map controls between two profiles by using +- Know how to format Inspec profile controls before and/or after executing delta commands ### 1.2 The Road to Conducting the Delta Process