diff --git a/.github/workflows/gate-lint-ansible-roles.yaml b/.github/workflows/gate-lint-ansible-roles.yaml index 0d377e02e50..3888f53caf2 100644 --- a/.github/workflows/gate-lint-ansible-roles.yaml +++ b/.github/workflows/gate-lint-ansible-roles.yaml @@ -17,10 +17,10 @@ jobs: - name: Checkout uses: actions/checkout@v4 - name: Configure - run: cmake -DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_RHEL7=ON -DSSG_PRODUCT_RHEL8=ON -DSSG_PRODUCT_RHEL9=ON -G Ninja .. + run: cmake -DSSG_PRODUCT_RHEL8=ON -DSSG_PRODUCT_RHEL9=ON -DSSG_PRODUCT_RHEL10=ON -G Ninja .. working-directory: ./build - name: Build - run: ninja -j2 rhel9-profile-playbooks rhel8-profile-playbooks rhel7-profile-playbooks + run: ninja -j2 rhel10-profile-playbooks rhel9-profile-playbooks rhel8-profile-playbooks working-directory: ./build - name: Build Ansible Roles run: PYTHONPATH=. python3 utils/ansible_playbook_to_role.py --build-playbooks-dir ./build/ansible/ --dry-run ./build/ansible_roles diff --git a/.github/workflows/gate.yaml b/.github/workflows/gate.yaml index 482c477ca01..ecc8d8a3db5 100644 --- a/.github/workflows/gate.yaml +++ b/.github/workflows/gate.yaml @@ -10,19 +10,19 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.number || github.run_id }} cancel-in-progress: true jobs: - validate-centos7: - name: Build, Test on CentOS 7 (Container) + validate-ol7: + name: Build, Test on Oracle Linux 7 (Container) runs-on: ubuntu-latest container: - image: centos:7 + image: oraclelinux:7.9 steps: - name: Install Deps - run: yum install -y cmake make openscap-utils PyYAML libxslt xml-common python-jinja2 python-setuptools + run: yum install -y cmake make openscap-utils PyYAML libxslt xml-common python-jinja2 python-setuptools openscap openscap-scanner - name: Checkout uses: actions/checkout@v3 - name: Build run: |- - ./build_product rhel7 rhel8 rhel9 rhel10 --derivatives + ./build_product ol7 env: ADDITIONAL_CMAKE_OPTIONS: "-DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF" - name: Test 
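Review bot: The new Configure line drops `-DSSG_PRODUCT_DEFAULT=OFF`, and because every `SSG_PRODUCT_*` option in the CMakeLists.txt hunks of this same commit defaults to `${SSG_PRODUCT_DEFAULT}`, the lint job now configures every product instead of only the three whose playbooks it builds, unless that default is already OFF somewhere not visible here. Keeping the flag restores the previous scope: `run: cmake -DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_RHEL8=ON -DSSG_PRODUCT_RHEL9=ON -DSSG_PRODUCT_RHEL10=ON -G Ninja ..`. The Ninja targets on the Build step are explicit, so the cost is configure time rather than a wrong build, but it is an unexplained behaviour change in a commit that otherwise only swaps rhel7 for rhel10.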
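Review bot: The Build step of the container job now runs `./build_product ol7` where it used to run `./build_product rhel7 rhel8 rhel9 rhel10 --derivatives`, so rhel8, rhel9, rhel10 and their CentOS derivatives are no longer built on the EL7-era toolchain in this job at all. If that reduction is intended it should be stated in the commit message; otherwise `./build_product ol7 rhel8 rhel9 rhel10 --derivatives` keeps the previous coverage under the renamed job. The Test step that follows the hunk is not shown, so it may still refer to the old product set and should be checked. Minor: this workflow stays on `actions/checkout@v3` while gate-lint-ansible-roles.yaml in the same commit uses `actions/checkout@v4`.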
@@ -165,7 +165,6 @@ jobs: fedora \ firefox \ rhcos4 \ - rhel7 \ rhel8 \ rhel9 \ rhel10 \ diff --git a/.github/workflows/gate_fedora.yml b/.github/workflows/gate_fedora.yml index 452722f3e24..7b525faa2c7 100644 --- a/.github/workflows/gate_fedora.yml +++ b/.github/workflows/gate_fedora.yml @@ -41,7 +41,6 @@ jobs: openembedded \ openeuler2203 \ rhcos4 \ - rhel7 \ rhel8 \ rhel9 \ rhel10 \ diff --git a/.github/workflows/gh-pages.yaml b/.github/workflows/gh-pages.yaml index e48995a16c2..3193830d6fc 100644 --- a/.github/workflows/gh-pages.yaml +++ b/.github/workflows/gh-pages.yaml @@ -37,7 +37,7 @@ jobs: run: ninja render-policies -j2 working-directory: ./build - name: Generate Prometheus Metrics - run: utils/controleval_metrics.py prometheus -p fedora ocp4 rhcos4 rhel9 rhel8 rhel7 sle12 sle15 -f ./build/policies_metrics + run: utils/controleval_metrics.py prometheus -p fedora ocp4 rhcos4 rhel10 rhel9 rhel8 sle12 sle15 -f ./build/policies_metrics env: PYTHONPATH: ${{ github.workspace }} - name: Generate HTML pages diff --git a/.gitpod.launch.json b/.gitpod.launch.json index afc925121c5..8561911a422 100644 --- a/.gitpod.launch.json +++ b/.gitpod.launch.json @@ -24,7 +24,7 @@ "macos1015", "ocp4", "ol7", "ol8", - "opensuse","rhel7", "rhel8", "rhel9", + "opensuse", "rhel8", "rhel9", "rhosp10", "rhosp13", "rhv4", "sle12", "sle15", diff --git a/CMakeLists.txt b/CMakeLists.txt index 11037cb8505..84c41caf340 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -104,7 +104,6 @@ option(SSG_PRODUCT_OPENEMBEDDED "If enabled, the OpenEmbedded SCAP content will option(SSG_PRODUCT_OPENEULER2203 "If enabled, the openEuler 22.03 LTS content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_RHCOS4 "If enabled, the RHCOS4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) -option(SSG_PRODUCT_RHEL7 "If enabled, the RHEL7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_RHEL8 "If enabled, the RHEL8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_RHEL9 "If enabled, the RHEL9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_RHEL10 "If enabled, the RHEL10 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) @@ -118,7 +117,6 @@ option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) # Products derivatives option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE) -option(SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED "If enabled, Scientific Linux derivative content will be built from the RHEL content" TRUE) if("$ENV{PYTHONPATH}" STREQUAL "") set(ENV{PYTHONPATH} "${PROJECT_SOURCE_DIR}") @@ -332,7 +330,6 @@ message(STATUS "Oracle Linux 8: ${SSG_PRODUCT_OL8}") message(STATUS "Oracle Linux 9: ${SSG_PRODUCT_OL9}") message(STATUS "openEuler 22.03 LTS: ${SSG_PRODUCT_OPENEULER2203}") message(STATUS "openSUSE: ${SSG_PRODUCT_OPENSUSE}") -message(STATUS "RHEL 7: ${SSG_PRODUCT_RHEL7}") message(STATUS "RHEL 8: ${SSG_PRODUCT_RHEL8}") message(STATUS "RHEL 9: ${SSG_PRODUCT_RHEL9}") message(STATUS "RHEL 10: ${SSG_PRODUCT_RHEL10}") 
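Review bot: Removing the `SSG_PRODUCT_RHEL7` and `SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED` options (first and second hunk) means a stale `-DSSG_PRODUCT_RHEL7=ON` on the command line only triggers CMake's generic "manually-specified variables were not used" warning, and a value already cached in an existing build directory produces no message at all, so anyone reconfiguring an old tree gets rhel7 silently dropped. A short guard next to the remaining product options makes the removal explicit: `if(DEFINED SSG_PRODUCT_RHEL7 OR DEFINED SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED)` / `    message(WARNING "RHEL 7 content and its Scientific Linux derivative have been removed; these options are ignored")` / `endif()`. The guard can be dropped again after a release or two once downstream scripts have caught up.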
@@ -430,9 +427,6 @@ endif() if(SSG_PRODUCT_OPENSUSE) add_subdirectory("products/opensuse" "opensuse") endif() -if(SSG_PRODUCT_RHEL7) - add_subdirectory("products/rhel7" "rhel7") -endif() if(SSG_PRODUCT_RHEL8) add_subdirectory("products/rhel8" "rhel8") endif() diff --git a/CODEOWNERS b/CODEOWNERS index f590d64ba9a..525ca2f7655 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -14,7 +14,6 @@ # Product Specific Control Files -/controls/cis_rhel7.yml @ComplianceAsCode/red-hatters /controls/cis_rhel8.yml @ComplianceAsCode/red-hatters /controls/cis_rhel9.yml @ComplianceAsCode/red-hatters /controls/cis_sle12.yml @ComplianceAsCode/suse-maintainers diff --git a/README.md b/README.md index 19f33470193..0d197b366b8 100644 --- a/README.md +++ b/README.md @@ -146,20 +146,20 @@ The `oscap` tool is a low-level command line interface that comes from the OpenSCAP project. It can be used to scan the local machine. ```bash -oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results-arf arf.xml --report report.html --oval-results /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml +oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --results-arf arf.xml --report report.html --oval-results /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml ``` Evaluation report sample After evaluation, the `arf.xml` file will contain all results in a reusable -*result data stream* (ARF) format, `report.html` will contain a human readable +*result data stream* (ARF) format, `report.html` will contain a human-readable report that can be opened in a browser. Replace the profile with other profile of your choice, you can display all possible choices using: ```bash -oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml +oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml ``` Please see the [OpenSCAP](https://www.open-scap.org/) website for more information. 
@@ -200,7 +200,7 @@ To apply the playbook on your local machine run: (*THIS WILL CHANGE CONFIGURATION OF THE MACHINE!*) ```bash -ansible-playbook -i "localhost," -c local /usr/share/scap-security-guide/ansible/rhel7-playbook-rht-ccp.yml +ansible-playbook -i "localhost," -c local /usr/share/scap-security-guide/ansible/rhel9-playbook-ospp.yml ``` Each of the Ansible Playbooks contains instructions on how to deploy them. Here @@ -226,9 +226,9 @@ To see a list of available Bash scripts, run: ```bash # ls /usr/share/scap-security-guide/bash/ ... -rhel7-script-hipaa.sh -rhel7-script-ospp.sh -rhel7-script-pci-dss.sh +rhel8-script-hipaa.sh +rhel8-script-ospp.sh +rhel8-script-pci-dss.sh ... ``` diff --git a/build-scripts/build_sce.py b/build-scripts/build_sce.py index db49da865b9..11635b2f195 100755 --- a/build-scripts/build_sce.py +++ b/build-scripts/build_sce.py @@ -46,7 +46,7 @@ def parse_args(): p.add_argument( "--product-yaml", required=True, help="YAML file with information about the product we are building. " - "e.g.: ~/scap-security-guide/rhel7/product.yml" + "e.g.: ~/scap-security-guide/rhel9/product.yml" ) p.add_argument( "--templates-dir", required=True, diff --git a/build-scripts/build_templated_content.py b/build-scripts/build_templated_content.py index e9f095e0202..3999c58143c 100644 --- a/build-scripts/build_templated_content.py +++ b/build-scripts/build_templated_content.py @@ -18,12 +18,12 @@ def parse_args(): p.add_argument( "--product-yaml", required=True, help="YAML file with information about the product we are building. " - "e.g.: ~/scap-security-guide/rhel7/product.yml" + "e.g.: ~/scap-security-guide/rhel9/product.yml" ) p.add_argument( "--resolved-rules-dir", required=True, help="Directory with .yml resolved rule YAMLs. " - "e.g.: ~/scap-security-guide/build/rhel7/rules" + "e.g.: ~/scap-security-guide/build/rhel9/rules" ) p.add_argument( "--templates-dir", required=True, 
@@ -33,22 +33,22 @@ def parse_args(): p.add_argument( "--checks-dir", required=True, help="Path to which OVAL checks will be generated. " - "e.g.: ~/scap-security-guide/build/rhel7/checks" + "e.g.: ~/scap-security-guide/build/rhel9/checks" ) p.add_argument( "--platforms-dir", required=True, help="Path to directory which contains prebuilt platforms. " - "e.g.: ~/scap-security-guide/build/rhel7/platforms" + "e.g.: ~/scap-security-guide/build/rhel9/platforms" ) p.add_argument( "--cpe-items-dir", required=True, help="Path to directory which contains compiled CPE items. " - "e.g.: ~/scap-security-guide/build/rhel7/cpe_items" + "e.g.: ~/scap-security-guide/build/rhel9/cpe_items" ) p.add_argument( "--remediations-dir", required=True, help="Path to which remediations will be generated. " - "e.g.: ~/scap-security-guide/build/rhel7/fixes_from_templates" + "e.g.: ~/scap-security-guide/build/rhel9/fixes_from_templates" ) args = p.parse_args() return args diff --git a/build-scripts/build_xccdf.py b/build-scripts/build_xccdf.py index fde80a1ab01..cf70e3e37a4 100644 --- a/build-scripts/build_xccdf.py +++ b/build-scripts/build_xccdf.py 
@@ -32,22 +32,22 @@ def parse_args(): parser.add_argument( "--product-yaml", required=True, help="YAML file with information about the product we are building. " - "e.g.: ~/scap-security-guide/rhel7/product.yml" + "e.g.: ~/scap-security-guide/rhel9/product.yml" ) parser.add_argument( "--xccdf", required=True, help="Output XCCDF file. " - "e.g.: ~/scap-security-guide/build/rhel7/ssg-rhel7-xccdf.xml" + "e.g.: ~/scap-security-guide/build/rhel9/ssg-rhel9-xccdf.xml" ) parser.add_argument( "--ocil", required=True, help="Output OCIL file. " - "e.g.: ~/scap-security-guide/build/rhel7/ssg-rhel7-ocil.xml" + "e.g.: ~/scap-security-guide/build/rhel9/ssg-rhel9-ocil.xml" ) parser.add_argument( "--oval", required=True, help="Output OVAL file. " - "e.g.: ~/scap-security-guide/build/rhel7/ssg-rhel7-oval.xml" + "e.g.: ~/scap-security-guide/build/rhel9/ssg-rhel9-oval.xml" ) parser.add_argument( "--build-ovals-dir", @@ -61,7 +61,7 @@ def parse_args(): parser.add_argument( "--thin-ds-components-dir", help="Directory to store XCCDF, OVAL, OCIL, for thin data stream. (off: to disable)" - "e.g.: ~/scap-security-guide/build/rhel7/thin_ds_component/" + "e.g.: ~/scap-security-guide/build/rhel9/thin_ds_component/" "Fake profiles are used to create thin DS. Components are generated for each profile.", ) return parser.parse_args() diff --git a/build-scripts/collect_remediations.py b/build-scripts/collect_remediations.py index c463b05d36f..d54ae60d6d9 100755 --- a/build-scripts/collect_remediations.py +++ b/build-scripts/collect_remediations.py @@ -29,7 +29,7 @@ def parse_args(): p.add_argument( "--product-yaml", required=True, help="YAML file with information about the product we are building. " - "e.g.: ~/scap-security-guide/rhel7/product.yml" + "e.g.: ~/scap-security-guide/rhel9/product.yml" ) p.add_argument( "--resolved-rules-dir", required=True, diff --git a/build-scripts/combine_ovals.py b/build-scripts/combine_ovals.py index 22197a4d91c..1b08e65b4d4 100755 
--- a/build-scripts/combine_ovals.py +++ b/build-scripts/combine_ovals.py @@ -38,7 +38,7 @@ def parse_args(): required=True, dest="product_yaml", help="YAML file with information about the product we are building. " - "e.g.: ~/scap-security-guide/rhel7/product.yml", + "e.g.: ~/scap-security-guide/rhel9/product.yml", ) p.add_argument( "--build-ovals-dir", diff --git a/build-scripts/compile_all.py b/build-scripts/compile_all.py index 09c74990621..4528b2d3269 100644 --- a/build-scripts/compile_all.py +++ b/build-scripts/compile_all.py @@ -25,7 +25,7 @@ def create_parser(): parser.add_argument( "--product-yaml", required=True, help="YAML file with information about the product we are building. " - "e.g.: ~/scap-security-guide/products/rhel7/product.yml " + "e.g.: ~/scap-security-guide/products/rhel9/product.yml " "needed for autodetection of profile root" ) parser.add_argument( diff --git a/build-scripts/compile_product.py b/build-scripts/compile_product.py index d12f83244c8..5de845bd640 100644 --- a/build-scripts/compile_product.py +++ b/build-scripts/compile_product.py @@ -8,7 +8,7 @@ def create_parser(): parser.add_argument( "--product-yaml", required=True, help="YAML file with information about the product we are building. " - "e.g.: ~/scap-security-guide/products/rhel7/product.yml " + "e.g.: ~/scap-security-guide/products/rhel9/product.yml " "needed for autodetection of profile root" ) parser.add_argument( diff --git a/build-scripts/compose_ds.py b/build-scripts/compose_ds.py index 60064516a29..74c8d49d5ae 100755 --- a/build-scripts/compose_ds.py +++ b/build-scripts/compose_ds.py 
@@ -183,7 +183,7 @@ def parse_args(): help="Directory where XCCDF, OVAL, OCIL files with lower case prefixes " "xccdf, oval, ocil are stored to build multiple data streams. " "Multiple streams are generated in the thin_ds subdirectory. (off: to disable) " - "e.g.: ~/scap-security-guide/build/rhel7/thin_ds_component/", + "e.g.: ~/scap-security-guide/build/rhel9/thin_ds_component/", ) return parser.parse_args() diff --git a/build-scripts/cpe_generate.py b/build-scripts/cpe_generate.py index abfe546ab7f..e3c5e9acbce 100755 --- a/build-scripts/cpe_generate.py +++ b/build-scripts/cpe_generate.py @@ -32,7 +32,7 @@ def parse_args(): p.add_argument( "--product-yaml", help="YAML file with information about the product we are building. " - "e.g.: ~/scap-security-guide/rhel7/product.yml " + "e.g.: ~/scap-security-guide/rhel9/product.yml " "needed for autodetection of profile root" ) p.add_argument( @@ -54,7 +54,7 @@ def parse_args(): p.add_argument( "--thin-ds-components-dir", help="Directory to store CPE OVAL for thin data stream. (off: to disable)" - "e.g.: ~/scap-security-guide/build/rhel7/thin_ds_component/" + "e.g.: ~/scap-security-guide/build/rhel9/thin_ds_component/" "Fake profiles are used to create thin DS. Components are generated for each profile." "The minimal cpe will be generated from the minimal XCCDF, " "which is in the same directory.", diff --git a/build-scripts/enable_derivatives.py b/build-scripts/enable_derivatives.py index 4a81a85a645..3d83aae9ea2 100755 --- a/build-scripts/enable_derivatives.py +++ b/build-scripts/enable_derivatives.py @@ -25,10 +25,8 @@ oval_ns = ssg.constants.oval_namespace CENTOS_NOTICE_ELEMENT = ssg.xml.ElementTree.fromstring(ssg.constants.CENTOS_NOTICE) -SL_NOTICE_ELEMENT = ssg.xml.ElementTree.fromstring(ssg.constants.SL_NOTICE) CENTOS_WARNING = 'centos_warning' -SL_WARNING = 'sl_warning' def parse_args(): 
@@ -36,8 +34,6 @@ def parse_args(): parser = OptionParser(usage=usage) parser.add_option("--enable-centos", dest="centos", default=False, action="store_true", help="Enable CentOS") - parser.add_option("--enable-sl", dest="sl", default=False, - action="store_true", help="Enable Scientific Linux") parser.add_option("-i", "--input", dest="input_content", default=False, action="store", help="INPUT can be XCCDF or Source data stream") @@ -56,13 +52,6 @@ def parse_args(): (options, args) = parser.parse_args() - if options.centos and options.sl: - sys.stderr.write( - "Cannot enable two derivative OS(s) at the same time\n" - ) - parser.print_help() - sys.exit(1) - if not options.output and not options.input_content: parser.print_help() sys.exit(1) @@ -84,12 +73,6 @@ def main(): warning = CENTOS_WARNING derivative = "CentOS" - if options.sl: - mapping = ssg.constants.RHEL_SL_CPE_MAPPING - notice = SL_NOTICE_ELEMENT - warning = SL_WARNING - derivative = "Scientific Linux" - tree = ssg.xml.open_xml(options.input_content) root = tree.getroot() @@ -111,6 +94,9 @@ def main(): # intended to test content that will get into RHEL ssg.build_derivatives.profile_handling(benchmark, namespace) if not ssg.build_derivatives.add_cpes(benchmark, namespace, mapping): + import pprint + pprint.pprint(namespace) + pprint.pprint(mapping) raise RuntimeError( "Could not add derivative OS CPEs to Benchmark '%s'." % (benchmark) diff --git a/build_product b/build_product index e6fb86991b0..19c0605b58d 100755 --- a/build_product +++ b/build_product @@ -329,9 +329,6 @@ set_no_derivatives_options() { if grep -q 'rhel' <<< "${_arg_product[*]}"; then CMAKE_OPTIONS+=("-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF") fi - if grep -q 'rhel7' <<< "${_arg_product[*]}"; then - CMAKE_OPTIONS+=("-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF") - fi } set_explict_build_targets() { @@ -363,7 +360,6 @@ all_cmake_products=( OL8 OL9 OPENSUSE - RHEL7 RHEL8 RHEL9 RHEL10 
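Review bot: Dropping `--enable-sl` from the OptionParser turns any remaining invocation that still passes it into an optparse "no such option" failure at build time, and the CMake code that invokes enable_derivatives.py is not among the cmake/SSGCommon.cmake hunks on this page, so it is worth confirming that call site was updated in the same commit. If a transition period is wanted, the flag can stay as an accepted no-op (the `options.sl` branch in main() is gone, so nothing would act on it): `parser.add_option("--enable-sl", dest="sl", default=False, action="store_true", help="Deprecated; Scientific Linux derivatives are no longer built")`. parse_args() starts above the hunk.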
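Review bot: The three lines added to main() in the last enable_derivatives.py hunk (`import pprint` plus two `pprint.pprint` calls) look like leftover debugging: they import inside the function body and dump the namespace and the whole CPE mapping to stdout just before the RuntimeError, so in a build log the data appears detached from the exception that explains it. If the diagnostic is wanted, fold it into the exception text and drop the prints: `raise RuntimeError("Could not add derivative OS CPEs to Benchmark '%s' (namespace=%r, mapping=%r)." % (benchmark, namespace, mapping))`. main() starts outside the hunk.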
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake index 16d7845e6c6..0a687c1f379 100644 --- a/cmake/SSGCommon.cmake +++ b/cmake/SSGCommon.cmake @@ -28,7 +28,7 @@ # this wrapper you wouldn't have been able to do parallel builds of multiple # targets at once. E.g.: # -# $ make -j 4 rhel7-guides rhel7-stats +# $ make -j 4 rhel9-guides rhel9-stats # # Without the wrapper targets the command above would start generating the # XCCDF, OVAL and OCIL files 2 times in parallel which would result in @@ -500,9 +500,7 @@ macro(ssg_build_sds PRODUCT) ) set_tests_properties("verify-references-ssg-${PRODUCT}-ds.xml" PROPERTIES LABELS quick) if("${PRODUCT}" MATCHES "rhel") - if("${PRODUCT}" MATCHES "rhel7") - set(REFERENCES_CHECK_PROFILE_LIST anssi_nt28_high cis hipaa pci-dss) - elseif("${PRODUCT}" MATCHES "rhel8") + if("${PRODUCT}" MATCHES "rhel8") set(REFERENCES_CHECK_PROFILE_LIST anssi_bp28_high cis hipaa pci-dss) elseif("${PRODUCT}" MATCHES "rhel9") set(REFERENCES_CHECK_PROFILE_LIST anssi_bp28_high ccn_advanced cis pci-dss stig) diff --git a/controls/anssi.yml b/controls/anssi.yml index d02cd2523a8..79c88fb6c0a 100644 --- a/controls/anssi.yml +++ b/controls/anssi.yml @@ -1362,7 +1362,7 @@ controls: PAM delegates requests for remote authentication to this service through a local Unix socket. The sssd service can use IPA, AD or LDAP as a remote database containing information required for authentication. In case IPA or AD is configured through a documented way, the connection is secured by default. In case LDAP is configured manually, there are several configuration options which should be chedked. - {{% if product in ["rhel7", "rhel8"] %}} + {{% if product in ["rhel8"] %}} An allternative solution is to use nss-pam-ldapd package. In case this package is used, we make sure that SSL is turned on and certificate is configured. {{% endif %}} 
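Review bot: In the controls/anssi.yml hunk, `{{% if product in ["rhel8"] %}}` now tests membership in a one-element list; with rhel7 gone, `{{% if product == "rhel8" %}}` states the same condition directly and stops a reader wondering which other products were meant to be listed. The same single-element list appears in the two anssi.yml hunks on the following line (around lines 1373 and 1418 of the file). This is style only; the rendered control set is unchanged either way.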
@@ -1373,7 +1373,7 @@ controls: - sssd_enable_pam_services - sssd_ldap_configure_tls_reqcert - sssd_ldap_start_tls - {{% if product in ["rhel7", "rhel8"] %}} + {{% if product in ["rhel8"] %}} - ldap_client_start_tls - ldap_client_tls_cacertpath {{% endif %}} @@ -1418,12 +1418,9 @@ controls: securely to Samba domains. Other relevant services are NIS and Hesiod. These should not be used. status: automated - {{% if product in ["rhel7", "rhel8"] %}} + {{% if product in ["rhel8"] %}} rules: - no_nis_in_nsswitch - {{% if product == "rhel7" %}} - - no_hesiod_in_nsswitch - {{% endif %}} {{% endif %}} {{% else %}} status: pending diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml deleted file mode 100644 index f043f02d663..00000000000 --- a/controls/cis_rhel7.yml +++ /dev/null 
@@ -1,3098 +0,0 @@ -policy: 'CIS benchmark for Red Hat Enterprise Linux 7' -title: 'CIS benchmark for Red Hat Enterprise Linux 7' -id: cis_rhel7 -version: '4.0.0' -source: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux -levels: - - id: l1_server - - id: l2_server - inherits_from: - - l1_server - - id: l1_workstation - - id: l2_workstation - inherits_from: - - l1_workstation -reference_type: cis -product: rhel7 - -controls: - - id: reload_dconf_db - title: Reload Dconf database - levels: - - l1_server - - l1_workstation - - l2_server - - l2_workstation - notes: <- - This is a helper rule to reload Dconf database correctly. - status: automated - rules: - - dconf_db_up_to_date - - - id: 1.1.1.1 - title: Ensure cramfs kernel module is not available (Automated) - levels: - - l1_workstation - - l1_server - status: automated - rules: - - kernel_module_cramfs_disabled - - - id: 1.1.1.2 - title: Ensure freevxfs kernel module is not available (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - kernel_module_freevxfs_disabled - - - id: 1.1.1.3 - title: Ensure hfs kernel module is not available (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - kernel_module_hfs_disabled - - - id: 1.1.1.4 - title: Ensure hfsplus kernel module is not available (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - kernel_module_hfsplus_disabled - - - id: 1.1.1.5 - title: Ensure jffs2 kernel module is not available (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - kernel_module_jffs2_disabled - - - id: 1.1.1.6 - title: Ensure squashfs kernel module is not available (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - kernel_module_squashfs_disabled - - - id: 1.1.1.7 - title: Ensure udf kernel module is not available (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - 
kernel_module_udf_disabled - - - id: 1.1.1.8 - title: Ensure usb-storage kernel module is not available (Automated) - levels: - - l1_server - - l2_workstation - status: automated - rules: - - kernel_module_usb-storage_disabled - - - id: 1.1.2.1.1 - title: Ensure /tmp is a separate partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - partition_for_tmp - - - id: 1.1.2.1.2 - title: Ensure nodev option set on /tmp partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_tmp_nodev - - - id: 1.1.2.1.3 - title: Ensure nosuid option set on /tmp partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_tmp_nosuid - - - id: 1.1.2.1.4 - title: Ensure noexec option set on /tmp partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_tmp_noexec - - - id: 1.1.2.2.1 - title: Ensure /dev/shm is a separate partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - partition_for_dev_shm - - - id: 1.1.2.2.2 - title: Ensure nodev option set on /dev/shm partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_dev_shm_nodev - - - id: 1.1.2.2.3 - title: Ensure nosuid option set on /dev/shm partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_dev_shm_nosuid - - - id: 1.1.2.2.4 - title: Ensure noexec option set on /dev/shm partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_dev_shm_noexec - - - id: 1.1.2.3.1 - title: Ensure separate partition exists for /home (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - partition_for_home - - - id: 1.1.2.3.2 - title: Ensure nodev option set on /home partition (Automated) - levels: - - l1_server - - 
l1_workstation - status: automated - rules: - - mount_option_home_nodev - - - id: 1.1.2.3.3 - title: Ensure nosuid option set on /home partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_home_nosuid - - - id: 1.1.2.4.1 - title: Ensure separate partition exists for /var (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - partition_for_var - - - id: 1.1.2.4.2 - title: Ensure nodev option set on /var partition (Automated) - - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_nodev - - - id: 1.1.2.4.3 - title: Ensure nosuid option set on /var partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_nosuid - - - id: 1.1.2.5.1 - title: Ensure separate partition exists for /var/tmp (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - partition_for_var_tmp - - - id: 1.1.2.5.2 - title: Ensure nodev option set on /var/tmp partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_tmp_nodev - - - id: 1.1.2.5.3 - title: Ensure nosuid option set on /var/tmp partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_tmp_nosuid - - - id: 1.1.2.5.4 - title: Ensure noexec option set on /var/tmp partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_tmp_noexec - - - id: 1.1.2.6.1 - title: Ensure separate partition exists for /var/log (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - partition_for_var_log - - - id: 1.1.2.6.2 - title: Ensure nodev option set on /var/log partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_log_nodev - - - id: 1.1.2.6.3 - title: Ensure nosuid option set on 
/var/log partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_log_nosuid - - - id: 1.1.2.6.4 - title: Ensure noexec option set on /var/log partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_log_noexec - - - id: 1.1.2.7.1 - title: Ensure separate partition exists for /var/log/audit (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - partition_for_var_log_audit - - - id: 1.1.2.7.2 - title: Ensure noexec option set on /var/log/audit partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_log_audit_nodev - - - id: 1.1.2.7.3 - title: Ensure nosuid option set on /var/log/audit partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_log_audit_nosuid - - - id: 1.1.2.7.4 - title: Ensure noexec option set on /var/log/audit partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_log_audit_noexec - - - id: 1.2.1 - title: Ensure GPG keys are configured (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - - id: 1.2.2 - title: Ensure gpgcheck is globally activated (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - ensure_gpgcheck_globally_activated - - ensure_gpgcheck_never_disabled - - - id: 1.2.3 - title: Ensure repo_gpgcheck is globally activated (Manual) - levels: - - l2_server - - l2_workstation - status: manual - - - id: 1.2.4 - title: Ensure package manager repositories are configured (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - - id: 1.2.5 - title: Ensure updates, patches, and additional security software are installed - levels: - - l1_server - - l1_workstation - status: manual - - - id: 1.3.1 - title: Ensure bootloader password is set (Automated) - 
levels: - - l1_server - - l1_workstation - status: automated - rules: - - grub2_password - - grub2_uefi_password - - - id: 1.3.2 - title: Ensure permissions on bootloader config are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_groupowner_grub2_cfg - - file_owner_grub2_cfg - - file_permissions_grub2_cfg - - file_groupowner_efi_grub2_cfg - - file_owner_efi_grub2_cfg - - file_permissions_efi_grub2_cfg - - file_groupowner_efi_user_cfg - - file_groupowner_user_cfg - - file_owner_efi_user_cfg - - file_owner_user_cfg - - file_permissions_efi_user_cfg - - file_permissions_user_cfg - - - id: 1.3.3 - title: Ensure authentication required for single user mode (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - require_emergency_target_auth - - require_singleuser_auth - - - id: 1.4.1 - title: Ensure address space layout randomization (ASLR) is enabled (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - sysctl_kernel_randomize_va_space - - - id: 1.4.2 - title: Ensure ptrace_scope is restricted - levels: - - l1_server - - l1_workstation - status: automated - rules: - - sysctl_kernel_yama_ptrace_scope - - - id: 1.4.3 - title: Ensure core dump backtraces are disabled (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - coredump_disable_backtraces - - - id: 1.4.4 - title: Ensure core dump storage is disabled (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - coredump_disable_storage - - - id: 1.5.1.1 - title: Ensure SELinux is installed (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - package_libselinux_installed - - - id: 1.5.1.2 - title: Ensure SELinux is not disabled in bootloader configuration (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - grub2_enable_selinux # the rule does not check for uefi 
configuration
-
- - id: 1.5.1.3
- title: Ensure SELinux policy is configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - selinux_policytype
- - var_selinux_policy_name=targeted
-
- - id: 1.5.1.4
- title: Ensure the SELinux mode is not disabled (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - selinux_not_disabled
-
- - id: 1.5.1.5
- title: Ensure the SELinux mode is enforcing
- levels:
- - l2_server
- - l2_workstation
- status: automated
- notes: >-
- The SELinux mode is set to "enforcing" by default.
- Configuring the "permissive" mode greatly lowers security of the system.
- If necessary, the mode can be changed by tailoring the "var_selinux_state" XCCDF variable.
- rules:
- - var_selinux_state=enforcing
- - selinux_state
-
- - id: 1.5.1.6
- title: Ensure no unconfined services exist (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - selinux_confinement_of_daemons
-
- - id: 1.5.1.7
- title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_mcstrans_removed
-
- - id: 1.5.1.8
- title: Ensure SETroubleshoot is not installed
- levels:
- - l1_server
- rules:
- - package_setroubleshoot_removed
-
- - id: 1.6.1
- title: Ensure message of the day is configured properly (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - banner_etc_motd
- - motd_banner_text=cis_banners
-
- - id: 1.6.2
- title: Ensure local login warning banner is configured properly (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - banner_etc_issue
- - login_banner_text=cis_banners
-
- - id: 1.6.3
- title: Ensure remote login warning banner is configured properly (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - banner_etc_issue_net
- - remote_login_banner_text=cis_banners
-
- - id: 1.6.4
- title: Ensure access on /etc/motd are configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - file_groupowner_etc_motd
- - file_owner_etc_motd
- - file_permissions_etc_motd
-
- - id: 1.6.5
- title: Ensure access on /etc/issue are configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - file_groupowner_etc_issue
- - file_owner_etc_issue
- - file_permissions_etc_issue
-
- - id: 1.6.6
- title: Ensure permissions on /etc/issue.net are configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - file_groupowner_etc_issue_net
- - file_owner_etc_issue_net
- - file_permissions_etc_issue_net
-
- - id: 1.7.1
- title: Ensure GNOME Display Manager is removed (Automated)
- levels:
- - l2_server
- status: automated
- rules:
- - package_gdm_removed
-
- - id: 1.7.2
- title: Ensure GDM login banner is configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - dconf_gnome_banner_enabled
- - dconf_gnome_login_banner_text
- - login_banner_text=cis_banners
-
- - id: 1.7.3
- title: Ensure GDM disable-user-list option is enabled (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - dconf_gnome_disable_user_list
-
- - id: 1.7.4
- title: Ensure GDM screen locks when the user is idle
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - dconf_gnome_screensaver_idle_delay
- - dconf_gnome_screensaver_lock_delay
- - inactivity_timeout_value=15_minutes
- - var_screensaver_lock_delay=5_seconds
-
- - id: 1.7.5
- title: Ensure GDM screen locks cannot be overridden
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - dconf_gnome_session_idle_user_locks
- - dconf_gnome_screensaver_user_locks
-
- - id: 1.7.6
- title: Ensure GDM automatic mounting of removable media is disabled
- levels:
- - l1_server
- - l2_workstation
- status: automated
- rules:
- - dconf_gnome_disable_automount
- - dconf_gnome_disable_automount_open
-
- - id: 1.7.7
- title: Ensure GDM disabling automatic mounting of removable media is not overridden
- levels:
- - l1_server
- - l2_workstation
- status: automated
- notes: |-
- The rules in "Ensure GDM automatic mounting of removable media is disabled" also
- cover the locks.
-
- - id: 1.7.8
- title: Ensure GDM autorun-never is enabled
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - dconf_gnome_disable_autorun
-
- - id: 1.7.9
- title: Ensure GDM autorun-never is not overridden
- levels:
- - l1_server
- - l1_workstation
- status: automated
- notes: |-
- Covered by "Ensure GDM autorun-never is enabled".
-
- - id: 1.7.10
- title: Ensure XDCMP is not enabled (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - gnome_gdm_disable_xdmcp
-
- - id: 2.1.1
- title: Ensure time synchronization is in use (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_chrony_installed
-
- - id: 2.1.2
- title: Ensure chrony is configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - chronyd_specify_remote_server
- - var_multiple_time_servers=rhel
-
- - id: 2.1.3
- title: Ensure chrony is not run as the root user (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - chronyd_run_as_chrony_user
-
- - id: 2.2.1
- title: Ensure autofs services are not in use (Automated)
- levels:
- - l1_server
- - l2_workstation
- status: partial
- notes: |-
- We need package_autofs_removed to complete this control
- rules:
- - service_autofs_disabled
-
- - id: 2.2.2
- title: Ensure avahi daemon services are not in use (Automated)
- levels:
- - l1_server
- - l2_workstation
- status: automated
- rules:
- - package_avahi_removed
- related_rules:
- - service_avahi-daemon_disabled
-
- - id: 2.2.3
- title: Ensure dhcp server services are not in use (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_dhcp_removed
- related_rules:
- - service_dhcpd_disabled
-
- - id: 2.2.4
- title: Ensure dns server services are not in use (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_bind_removed
- related_rules:
- - service_named_disabled
-
- - id: 2.2.5
- title: Ensure dnsmasq services are not in use (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_dnsmasq_removed
-
- - id: 2.2.6
- title: Ensure samba file server services are not in use (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_samba_removed
- related_rules:
- - service_smb_disabled
-
- - id: 2.2.7
- title: Ensure ftp server services are not in use (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_vsftpd_removed
- related_rules:
- - service_vsftpd_disabled
-
- - id: 2.2.8
- title: Ensure message access server services are not in use (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_dovecot_removed
- - package_cyrus-imapd_removed
- related_rules:
- - service_dovecot_disabled
- # we might add a rule disabling cyrus-imapd service
-
- - id: 2.2.9
- title: Ensure network file system services are not in use (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - service_nfs_disabled
- related_rules:
- - package_nfs-utils_removed
- notes: |-
- Many of the libvirt packages used by Enterprise Linux virtualization are
- dependent on the nfs-utils package.
-
- - id: 2.2.10
- title: Ensure nis server services are not in use (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_ypserv_removed
- related_rules:
- - service_ypserv_disabled
-
- - id: 2.2.11
- title: Ensure print server services are not in use (Automated)
- levels:
- - l1_server
- status: automated
- rules:
- - package_cups_removed
- related_rules:
- - service_cups_disabled
-
- - id: 2.2.12
- title: Ensure rpcbind services are not in use (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - service_rpcbind_disabled
- related_rules:
- - package_rpcbind_removed
- notes: |-
- Many of the libvirt packages used by Enterprise Linux virtualization, and
- the nfs-utils
- package used for The Network File System (NFS), are dependent on the rpcbind
- package.
-
- - id: 2.2.13
- title: Ensure rsync services are not in use (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_rsync_removed
- related_rules:
- - service_rsyncd_disabled
-
- - id: 2.2.14
- title: Ensure snmp services are not in use (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_net-snmp_removed
- related_rules:
- - service_snmpd_disabled
-
- - id: 2.2.15
- title: Ensure telnet server services are not in use (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_telnet-server_removed
- related_rules:
- - service_telnet_disabled
-
- - id: 2.2.16
- title: Ensure tftp server services are not in use (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_tftp-server_removed
- related_rules:
- - service_tftp_disabled
-
- - id: 2.2.17
- title: Ensure web proxy server services are not in use (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_squid_removed
- related_rules:
- - service_squid_disabled
-
- - id: 2.2.18
- title: Ensure web server services are not in use (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_httpd_removed
- - package_nginx_removed
- related_rules:
- - service_httpd_disabled
- # rule would be nice to disable nginx service
-
- - id: 2.2.19
- title: Ensure xinetd services are not in use (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_xinetd_removed
- related_rules:
- - service_xinetd_disabled
-
- - id: 2.2.20
- title: Ensure X window server services are not in use (Automated)
- levels:
- - l2_server
- status: automated
- notes: >-
- The rule also configures correct run level to prevent unbootable system.
- rules:
- - package_xorg-x11-server-common_removed
- - xwindows_runlevel_target
-
- - id: 2.2.21
- title: Ensure mail transfer agents are configured for local-only mode (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: partial
- notes: |-
- The rule has_nonlocal_mta currently checks for services listening only on
- port 25, but the policy checks also for ports 465 and 587
- rules:
- - postfix_network_listening_disabled
- - var_postfix_inet_interfaces=loopback-only
- - has_nonlocal_mta
-
- - id: 2.2.22
- title: Ensure only approved services are listening on a network interface (Manual)
- levels:
- - l1_server
- - l1_workstation
- status: manual
-
- - id: 2.3.1
- title: Ensure ftp client is not installed (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_ftp_removed
-
- - id: 2.3.2
- title: Ensure LDAP client is not installed (Automated)
- levels:
- - l2_server
- - l2_workstation
- status: automated
- rules:
- - package_openldap-clients_removed
-
- - id: 2.3.3
- title: Ensure NIS Client is not installed (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_ypbind_removed
-
- - id: 2.3.4
- title: Ensure telnet client is not installed (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_telnet_removed
-
- - id: 2.3.5
- title: Ensure tftp client is not installed (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_tftp_removed
-
- - id: 3.1.1
- title: Ensure IPv6 status is identified (Manual)
- levels:
- - l1_server
- - l1_workstation
- status: manual
-
- - id: 3.1.2
- title: Ensure wireless interfaces are disabled (Automated)
- levels:
- - l1_server
- status: automated
- rules:
- - wireless_disable_interfaces # the rule remediation is not exactly on par with the benchmark
-
- - id: 3.1.3
- title: Ensure bluetooth services are not in use (Automated)
- levels:
- - l1_server
- - l2_workstation
- status: automated
- rules:
- - service_bluetooth_disabled
-
- - id: 3.2.1
- title: Ensure dccp kernel module is not available (Automated)
- levels:
- - l2_server
- - l2_workstation
- status: automated
- rules:
- - kernel_module_dccp_disabled
-
- - id: 3.2.2
- title: Ensure tipc kernel module is not available (Automated)
- levels:
- - l2_server
- - l2_workstation
- status: automated
- rules:
- - kernel_module_tipc_disabled
-
- - id: 3.2.3
- title: Ensure rds kernel module is not available (Automated)
- levels:
- - l2_server
- - l2_workstation
- status: automated
- rules:
- - kernel_module_rds_disabled
-
- - id: 3.2.4
- title: Ensure sctp kernel module is not available (Automated)
- levels:
- - l2_server
- - l2_workstation
- status: automated
- rules:
- - kernel_module_sctp_disabled
-
- - id: 3.3.1
- title: Ensure IP forwarding is disabled (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sysctl_net_ipv4_ip_forward
- - sysctl_net_ipv6_conf_all_forwarding
- - sysctl_net_ipv6_conf_all_forwarding_value=disabled
-
- - id: 3.3.2
- title: Ensure packet redirect sending is disabled (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sysctl_net_ipv4_conf_all_send_redirects
- - sysctl_net_ipv4_conf_default_send_redirects
-
- - id: 3.3.3
- title: Ensure bogus ICMP responses are ignored (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
-
- - id: 3.3.4
- title: Ensure broadcast ICMP requests are ignored (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
-
- - id: 3.3.5
- title: Ensure ICMP redirects are not accepted (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sysctl_net_ipv4_conf_all_accept_redirects
- - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
- - sysctl_net_ipv4_conf_default_accept_redirects
- - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
- - sysctl_net_ipv6_conf_all_accept_redirects
- - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
- - sysctl_net_ipv6_conf_default_accept_redirects
- - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
-
- - id: 3.3.6
- title: Ensure secure ICMP redirects are not accepted (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sysctl_net_ipv4_conf_all_secure_redirects
- - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
- - sysctl_net_ipv4_conf_default_secure_redirects
- - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
-
- - id: 3.3.7
- title: Ensure Reverse Path Filtering is enabled (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sysctl_net_ipv4_conf_all_rp_filter
- - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
- - sysctl_net_ipv4_conf_default_rp_filter
- - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
-
- - id: 3.3.8
- title: Ensure source routed packets are not accepted (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sysctl_net_ipv4_conf_all_accept_source_route
- - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
- - sysctl_net_ipv4_conf_default_accept_source_route
- - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
- - sysctl_net_ipv6_conf_all_accept_source_route
- - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
- - sysctl_net_ipv6_conf_default_accept_source_route
- - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
-
- - id: 3.3.9
- title: Ensure suspicious packets are logged (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sysctl_net_ipv4_conf_all_log_martians
- - sysctl_net_ipv4_conf_all_log_martians_value=enabled
- - sysctl_net_ipv4_conf_default_log_martians
- - sysctl_net_ipv4_conf_default_log_martians_value=enabled
-
- - id: 3.3.10
- title: Ensure TCP SYN Cookies is enabled (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sysctl_net_ipv4_tcp_syncookies
- - sysctl_net_ipv4_tcp_syncookies_value=enabled
-
- - id: 3.3.11
- title: Ensure IPv6 router advertisements are not accepted (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sysctl_net_ipv6_conf_all_accept_ra
- - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
- - sysctl_net_ipv6_conf_default_accept_ra
- - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
-
- - id: 3.4.1.1
- title: Ensure iptables is installed (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_iptables_installed
-
- - id: 3.4.1.2
- title: Ensure a single firewall configuration utility is in use (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: partial
- # rules: TODO
-
- - id: 3.4.2.1
- title: Ensure firewalld is installed (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_iptables_installed
- - package_firewalld_installed
-
- - id: 3.4.2.2
- title: Ensure firewalld service enabled and running (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - service_firewalld_enabled
-
- - id: 3.4.2.3
- title: Ensure firewalld drops unnecessary services and ports (Manual)
- levels:
- - l1_server
- - l1_workstation
- status: manual
-
- - id: 3.4.2.4
- title: Ensure network interfaces are assigned to appropriate zone (Manual)
- levels:
- - l1_server
- - l1_workstation
- status: manual
- rules:
- - set_firewalld_appropriate_zone
- related_rules:
- - firewalld_sshd_port_enabled
-
- - id: 3.4.3.1
- title: Ensure nftables is installed (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: supported
- notes: |-
- RHEL systems use firewalld for firewall management. The back-end for firewalld in RHEL7 is
- iptables. nftables is supported in RHEL7 but is not expected by default.
- related_rules:
- - package_nftables_installed
-
- - id: 3.4.3.2
- title: Ensure iptables are flushed with nftables (Manual)
- levels:
- - l1_server
- - l1_workstation
- status: manual
-
- - id: 3.4.3.3
- title: Ensure an nftables table exists (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: supported
- notes: |-
- RHEL systems use firewalld for firewall management. The back-end for firewalld in RHEL7 is
- iptables. nftables is supported in RHEL7 but is not expected by default.
- related_rules:
- - set_nftables_table
- - var_nftables_family=inet
- - var_nftables_table=filter
-
- - id: 3.4.3.4
- title: Ensure nftables base chains exist (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: supported
- notes: |-
- RHEL systems use firewalld for firewall management. The back-end for firewalld in RHEL7 is
- iptables. nftables is supported in RHEL7 but is not expected by default.
- related_rules:
- - set_nftables_base_chain
- - var_nftables_table=firewalld
- - var_nftables_family=inet
- - var_nftables_base_chain_names=chain_names
- - var_nftables_base_chain_types=chain_types
- - var_nftables_base_chain_hooks=chain_hooks
- - var_nftables_base_chain_priorities=chain_priorities
- - var_nftables_base_chain_policies=chain_policies
-
- - id: 3.4.3.5
- title: Ensure nftables loopback traffic is configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: supported
- notes: |-
- RHEL systems use firewalld for firewall management. The back-end for firewalld in RHEL7 is
- iptables. nftables is supported in RHEL7 but is not expected by default.
- related_rules:
- - set_nftables_loopback_traffic
-
- - id: 3.4.3.6
- title: Ensure nftables outbound and established connections are configured (Manual)
- levels:
- - l1_server
- - l1_workstation
- status: manual
-
- - id: 3.4.3.7
- title: Ensure nftables default deny firewall policy (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- notes: |-
- RHEL systems use firewalld for firewall management. The back-end for firewalld in RHEL7 is
- iptables. nftables is supported in RHEL7 but is not expected by default.
- related_rules:
- - nftables_ensure_default_deny_policy
-
- - id: 3.4.3.8
- title: Ensure nftables service is enabled (Automated)
- levels:
- - l1_server
- - l1_workstation
- notes: |-
- RHEL systems use firewalld for firewall management. The back-end for firewalld in RHEL7 is
- iptables. nftables is supported in RHEL7 but is not expected by default.
- status: supported
- related_rules:
- - service_nftables_enabled
-
- - id: 3.4.3.9
- title: Ensure nftables rules are permanent (Automated)
- levels:
- - l1_server
- - l1_workstation
- notes: |-
- RHEL systems use firewalld for firewall management. The back-end for firewalld in RHEL7 is
- iptables. nftables is supported in RHEL7 but is not expected by default.
- status: supported
- related_rules:
- - var_nftables_master_config_file=sysconfig
- - nftables_rules_permanent
-
- - id: 3.4.4.1.1
- title: Ensure iptables packages are installed (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- notes: |-
- Already covered by requirement 3.4.1.1.
- related_rules:
- - package_iptables_installed
-
- - id: 3.4.4.2.1
- title: Ensure iptables loopback traffic is configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - set_loopback_traffic
-
- - id: 3.4.4.2.2
- title: Ensure iptables outbound and established connections are configured (Manual)
- levels:
- - l1_server
- - l1_workstation
- status: manual
-
- - id: 3.4.4.2.3
- title: Ensure iptables rules exist for all open ports (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: partial
- notes: |-
- Currently the check is only available in SCE and an automated remediation is not expected.
- rules:
- - iptables_rules_for_open_ports
-
- - id: 3.4.4.2.4
- title: Ensure iptables default deny firewall policy (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- related_rules:
- - set_iptables_default_rule
-
- - id: 3.4.4.2.5
- title: Ensure iptables rules are saved (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: pending # rule missing
-
- - id: 3.4.4.2.6
- title: Ensure iptables service is enabled and active (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: partial
- notes: |-
- The remediations conflicts with service_firewalld_enabled.
- Related to 3.4.1.2 which needs to be implemented first.
- The CPE template "platform_service_enabled" is missing remediation conditionals.
- # rules:
- # - service_iptables_enabled
-
- - id: 3.4.4.3.1
- title: Ensure ip6tables loopback traffic is configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: pending # rule missing
-
- - id: 3.4.4.3.2
- title: Ensure ip6tables outbound and established connections are configured (Manual)
- levels:
- - l1_server
- - l1_workstation
- status: manual
-
- - id: 3.4.4.3.3
- title: Ensure ip6tables firewall rules exist for all open ports (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: partial
- notes: |-
- Currently the check is only available in SCE and an automated remediation is not expected.
- rules:
- - ip6tables_rules_for_open_ports
-
- - id: 3.4.4.3.4
- title: Ensure ip6tables default deny firewall policy (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: partial
- notes: |-
- RHEL systems use firewalld for firewall management. Although the back-end for firewalld in
- RHEL 7 is iptables, firewall-cmd is the recommended tool to manage firewall rules. This rule
- is also missing OVAL: https://github.com/ComplianceAsCode/content/issues/11054
- rules:
- - set_ip6tables_default_rule
-
- - id: 3.4.4.3.5
- title: Ensure ip6tables rules are saved (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: pending # rule missing
-
- - id: 3.4.4.3.6
- title: Ensure ip6tables is enabled and active (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: pending
- related_rules:
- - service_ip6tables_enabled
-
- - id: 4.1.1.1
- title: Ensure cron daemon is enabled and active (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - service_crond_enabled
-
- - id: 4.1.1.2
- title: Ensure permissions on /etc/crontab are configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - file_groupowner_crontab
- - file_owner_crontab
- - file_permissions_crontab
-
- - id: 4.1.1.3
- title: Ensure permissions on /etc/cron.hourly are configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - file_groupowner_cron_hourly
- - file_owner_cron_hourly
- - file_permissions_cron_hourly
-
- - id: 4.1.1.4
- title: Ensure permissions on /etc/cron.daily are configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - file_groupowner_cron_daily
- - file_owner_cron_daily
- - file_permissions_cron_daily
-
- - id: 4.1.1.5
- title: Ensure permissions on /etc/cron.weekly are configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - file_groupowner_cron_weekly
- - file_owner_cron_weekly
- - file_permissions_cron_weekly
-
- - id: 4.1.1.6
- title: Ensure permissions on /etc/cron.monthly are configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - file_groupowner_cron_monthly
- - file_owner_cron_monthly
- - file_permissions_cron_monthly
-
- - id: 4.1.1.7
- title: Ensure permissions on /etc/cron.d are configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - file_groupowner_cron_d
- - file_owner_cron_d
- - file_permissions_cron_d
-
- - id: 4.1.1.8
- title: Ensure crontab is restricted to authorized users (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - file_groupowner_cron_allow
- - file_cron_allow_exists
- - file_owner_cron_allow
- - file_cron_deny_not_exist
- - file_permissions_cron_allow
-
- - id: 4.1.2.1
- title: Ensure at is restricted to authorized users (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: partial
- notes: |-
- It is necessary to create a rule to ensure the existence of at.allow.
- file_cron_allow_exists can be used as reference for a new templated rule.
- rules:
- - file_groupowner_at_allow
- - file_owner_at_allow
- - file_at_deny_not_exist
- - file_permissions_at_allow
-
- - id: 4.2.1
- title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: partial
- notes: |-
- These rules only check the /etc/ssh/sshd_config file but the policy also mentions files in
- /etc/ssh/sshd_config.d directory. New templated rules should be created for sshd_config.d.
- rules:
- - file_groupowner_sshd_config
- - file_owner_sshd_config
- - file_permissions_sshd_config
-
- - id: 4.2.2
- title: Ensure permissions on SSH private host key files are configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - file_permissions_sshd_private_key
- - file_ownership_sshd_private_key
- - file_groupownership_sshd_private_key
-
- - id: 4.2.3
- title: Ensure permissions on SSH public host key files are configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - file_permissions_sshd_pub_key
- - file_ownership_sshd_pub_key
- - file_groupownership_sshd_pub_key
-
- - id: 4.2.4
- title: Ensure sshd access is configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sshd_limit_user_access
-
- - id: 4.2.5
- title: Ensure sshd Banner is configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sshd_enable_warning_banner_net
- related_rules:
- - sshd_enable_warning_banner
-
- - id: 4.2.6
- title: Ensure sshd Ciphers are configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sshd_use_approved_ciphers
- - sshd_approved_ciphers=cis_rhel7
-
- - id: 4.2.7
- title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- notes: |-
- The requirement gives an example of 45 seconds, but is flexible about the values. It is only
- necessary to ensure there is a timeout configured in alignment to the site policy.
- rules:
- - sshd_idle_timeout_value=5_minutes
- - sshd_set_idle_timeout
- - sshd_set_keepalive
- - var_sshd_set_keepalive=1
-
- - id: 4.2.8
- title: Ensure sshd DisableForwarding is enabled (Automated)
- levels:
- - l2_server
- - l1_workstation
- status: pending
- notes: |-
- New templated rule is necessary for "disableforwarding" option.
- related_rules:
- - sshd_disable_tcp_forwarding
- - sshd_disable_x11_forwarding
-
- - id: 4.2.9
- title: Ensure sshd GSSAPIAuthentication is disabled (Automated)
- levels:
- - l2_server
- - l1_workstation
- status: automated
- rules:
- - sshd_disable_gssapi_auth
-
- - id: 4.2.10
- title: Ensure sshd HostbasedAuthentication is disabled (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - disable_host_auth
-
- - id: 4.2.11
- title: Ensure sshd IgnoreRhosts is enabled (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sshd_disable_rhosts
-
- - id: 4.2.12
- title: Ensure sshd KexAlgorithms is configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sshd_use_strong_kex
- - sshd_strong_kex=cis_rhel7
-
- - id: 4.2.13
- title: Ensure sshd LoginGraceTime is configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sshd_set_login_grace_time
- - var_sshd_set_login_grace_time=60
-
- - id: 4.2.14
- title: Ensure sshd LogLevel is configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- notes: |-
- The CIS benchmark is not opinionated about which loglevel is selected here. Here, this
- profile uses VERBOSE by default, as it allows for the capture of login and logout activity
- as well as key fingerprints.
- rules:
- - sshd_set_loglevel_verbose
- related_rules:
- - sshd_set_loglevel_info
-
- - id: 4.2.15
- title: Ensure sshd MACs are configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sshd_use_strong_macs
- - sshd_strong_macs=cis_rhel7
-
- - id: 4.2.16
- title: Ensure sshd MaxAuthTries is configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sshd_max_auth_tries_value=4
- - sshd_set_max_auth_tries
-
- - id: 4.2.17
- title: Ensure sshd MaxSessions is configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sshd_set_max_sessions
- - var_sshd_max_sessions=10
-
- - id: 4.2.18
- title: Ensure sshd MaxStartups is configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sshd_set_maxstartups
- - var_sshd_set_maxstartups=10:30:60
-
- - id: 4.2.19
- title: Ensure sshd PermitEmptyPasswords is disabled (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sshd_disable_empty_passwords
-
- - id: 4.2.20
- title: Ensure sshd PermitRootLogin is disabled (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sshd_disable_root_login
-
- - id: 4.2.21
- title: Ensure sshd PermitUserEnvironment is disabled (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sshd_do_not_permit_user_env
-
- - id: 4.2.22
- title: Ensure sshd UsePAM is enabled (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sshd_enable_pam
-
- - id: 4.3.1
- title: Ensure sudo is installed (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_sudo_installed
-
- - id: 4.3.2
- title: Ensure sudo commands use pty (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sudo_add_use_pty
-
- - id: 4.3.3
- title: Ensure sudo log file exists (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - sudo_custom_logfile
- - var_sudo_logfile=var_log_sudo_log
-
- - id: 4.3.4
- title: Ensure users must provide password for escalation (Automated)
- levels:
- - l2_server
- - l2_workstation
- status: automated
- notes: |-
- The rule sudo_require_authentication can probably be split to better attend requirements
- 4.3.4 and 4.3.5.
- rules:
- - sudo_require_authentication
-
- - id: 4.3.5
- title: Ensure re-authentication for privilege escalation is not disabled globally (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- notes: |-
- The rule sudo_require_authentication can probably be split to better attend requirements
- 4.3.4 and 4.3.5.
- rules:
- - sudo_require_authentication
-
- - id: 4.3.6
- title: Ensure sudo authentication timeout is configured correctly (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: partial
- notes: |-
- The OVAL check in sudo_require_reauthentication ensures the timestamp_timeout parameter but
- is not precisely testing the value.
- rules:
- - sudo_require_reauthentication
- - var_sudo_timestamp_timeout=15_minutes
-
- - id: 4.3.7
- title: Ensure access to the su command is restricted (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- notes: |-
- Members of "wheel" or GID 0 groups are checked by default if the group option is not set for
- pam_wheel.so module. The recommendation states the group should be empty to reinforce the
- use of "sudo" for privileged access. Therefore, members of these groups should be manually
- checked or a different group should be informed.
- rules:
- - var_pam_wheel_group_for_su=cis
- - use_pam_wheel_group_for_su
- - ensure_pam_wheel_group_empty
-
- - id: 4.4.1.1
- title: Ensure latest version of pam is installed (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: pending
- notes: |-
- It is necessary a new rule to ensure PAM package is updated.
-
- - id: 4.4.1.2
- title: Ensure libpwquality is installed (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_pam_pwquality_installed
-
- - id: 4.4.2.1.1
- title: Ensure pam_faillock module is enabled (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- notes: |-
- This requirement is more specifically satisfied by 4.4.2.1.2.
- related_rules:
- - accounts_passwords_pam_faillock_deny
-
- - id: 4.4.2.1.2
- title: Ensure lockout for failed password attempts is configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - accounts_passwords_pam_faillock_deny
- - var_accounts_passwords_pam_faillock_deny=5
-
- - id: 4.4.2.1.3
- title: Ensure password unlock time is configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - accounts_passwords_pam_faillock_unlock_time
- - var_accounts_passwords_pam_faillock_unlock_time=900
-
- - id: 4.4.2.1.4
- title: Ensure password failed attempts lockout includes root account (Automated)
- levels:
- - l2_server
- - l2_workstation
- status: automated
- rules:
- - accounts_passwords_pam_faillock_deny_root
-
- - id: 4.4.2.2.1
- title: Ensure pam_pwquality module is enabled (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: pending
- notes: |-
- This requirement is probably automatically satisfied when by the 4.4.1.2.
- It is necessary to better investigate the scenarios to confirm.
- related_rules:
- - package_pam_pwquality_installed
-
- - id: 4.4.2.2.2
- title: Ensure password number of changed characters is configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - accounts_password_pam_difok
- - var_password_pam_difok=2
-
- - id: 4.4.2.2.3
- title: Ensure password length is configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - accounts_password_pam_minlen
- - var_password_pam_minlen=14
-
- - id: 4.4.2.2.4
- title: Ensure password complexity is configured (Manual)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- notes: |-
- This requirement is expected to be manual. However, in previous versions of the policy
- it was already automated the configuration of "minclass" option. This posture was kept for
- RHEL 7 in this new version. Rules related to other options are informed in related_rules.
- In short, minclass=4 alone can achieve the same result achieved by the combination of the
- other 4 options mentioned in the policy.
- rules:
- - accounts_password_pam_minclass
- - var_password_pam_minclass=4
- related_rules:
- - accounts_password_pam_dcredit
- - accounts_password_pam_lcredit
- - accounts_password_pam_ocredit
- - accounts_password_pam_ucredit
-
- - id: 4.4.2.2.5
- title: Ensure password same consecutive characters is configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - accounts_password_pam_maxrepeat
- - var_password_pam_maxrepeat=3
-
- - id: 4.4.2.2.6
- title: Ensure password maximum sequential characters is configured (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: planned
- notes: |-
- A new templated rule and variable are necessary for the maxsequence option.
- - - id: 4.4.2.2.7 - title: Ensure password dictionary check is enabled (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_password_pam_dictcheck - - var_password_pam_dictcheck=1 - - - id: 4.4.2.3.1 - title: Ensure pam_pwhistory module is enabled (Automated) - levels: - - l1_server - - l1_workstation - status: automated - notes: |- - The module is properly enabled by the rules mentioned in related_rules. - Requirement 4.4.2.3.2 uses these rules more specifically. - related_rules: - - accounts_password_pam_pwhistory_remember_password_auth - - accounts_password_pam_pwhistory_remember_system_auth - - - id: 4.4.2.3.2 - title: Ensure password history remember is configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_password_pam_pwhistory_remember_password_auth - - accounts_password_pam_pwhistory_remember_system_auth - - var_password_pam_remember_control_flag=requisite_or_required - - var_password_pam_remember=24 - - - id: 4.4.2.3.3 - title: Ensure password history is enforced for the root user (Automated) - levels: - - l1_server - - l1_workstation - status: planned - notes: |- - A new rule needs to be created to check and remediate the enforce_for_root option in - /etc/security/pwhistory.conf. accounts_password_pam_enforce_root can be used as reference. - - - id: 4.4.2.3.4 - title: Ensure pam_pwhistory includes use_authtok (Automated) - levels: - - l1_server - - l1_workstation - status: pending - notes: |- - We don't have a rule to check and remediate this option specifically in RHEL7. 
- related_rules: - - accounts_password_pam_pwhistory_remember_password_auth - - accounts_password_pam_pwhistory_remember_system_auth - - - id: 4.4.2.4.1 - title: Ensure pam_unix does not include nullok (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - no_empty_passwords - - - id: 4.4.2.4.2 - title: Ensure pam_unix does not include remember (Automated) - levels: - - l1_server - - l1_workstation - status: pending - notes: |- - Usage of pam_unix.so module together with "remember" option is deprecated and is not - recommened by this policy. Instead, it should be used remember option of pam_pwhistory - module, as required in 4.4.2.3.2. See here for more details about pam_unix.so: - https://bugzilla.redhat.com/show_bug.cgi?id=1778929 - A new rule needs to be created to remove the remember option from pam_unix module. - - - id: 4.4.2.4.3 - title: Ensure pam_unix includes a strong password hashing algorithm (Automated) - levels: - - l1_server - - l1_workstation - status: automated - notes: |- - Changes in logindefs mentioned in this requirement are more specifically covered by 4.5.1.1. - rules: - - set_password_hashing_algorithm_systemauth - - set_password_hashing_algorithm_passwordauth - - - id: 4.4.2.4.4 - title: Ensure pam_unix includes use_authtok (Automated) - levels: - - l1_server - - l1_workstation - status: partial - notes: |- - In RHEL 7 pam_unix is enabled by default already with the use_authtok option set. - In any case, we don't have a rule to check this option specifically. Similar to 4.4.2.3.4. 
- - - id: 4.5.1.1 - title: Ensure strong password hashing algorithm is configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - set_password_hashing_algorithm_libuserconf - - set_password_hashing_algorithm_logindefs - - var_password_hashing_algorithm=SHA512 - - - id: 4.5.1.2 - title: Ensure password expiration is 365 days or less (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_maximum_age_login_defs - - accounts_password_set_max_life_existing - - var_accounts_maximum_age_login_defs=365 - - - id: 4.5.1.3 - title: Ensure password expiration warning days is 7 or more (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_password_set_warn_age_existing - - accounts_password_warn_age_login_defs - - var_accounts_password_warn_age_login_defs=7 - - - id: 4.5.1.4 - title: Ensure inactive password lock is 30 days or less (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - account_disable_post_pw_expiration - - accounts_set_post_pw_existing - - var_account_disable_post_pw_expiration=30 - - - id: 4.5.1.5 - title: Ensure all users last password change date is in the past (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_password_last_change_is_in_past - - - id: 4.5.2.1 - title: Ensure default group for the root account is GID 0 (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_root_gid_zero - - - id: 4.5.2.2 - title: Ensure root user umask is configured (Automated) - levels: - - l1_server - - l1_workstation - status: pending - notes: |- - There is no rule to ensure umask in /root/.bash_profile and /root/.bashrc. A new rule have - to be created. It can be based on accounts_umask_interactive_users. 
- - - id: 4.5.2.3 - title: Ensure system accounts are secured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - no_password_auth_for_systemaccounts - - no_shelllogin_for_systemaccounts - - - id: 4.5.2.4 - title: Ensure root password is set (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - ensure_root_password_configured - - - id: 4.5.3.1 - title: Ensure nologin is not listed in /etc/shells (Automated) - levels: - - l2_server - - l2_workstation - status: pending - notes: |- - It is necessary to create a new rule to check and remove nologin from /etc/shells. - The no_tmux_in_shells rule can be used as referece. - - - id: 4.5.3.2 - title: Ensure default user shell timeout is configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_tmout - - var_accounts_tmout=15_min - - - id: 4.5.3.3 - title: Ensure default user umask is configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - notes: |- - It is missing a rule to check /etc/pam.d/postlogin. Files /etc/bash.bashrc and - /etc/default/login are not used in RHEL 7, but are mentioned in the policy. It has to be - clarified in CIS Community. The policy allows the user to override the default system umask - on its discretion. This is the reason the accounts_umask_interactive_users rule is in - related_rules. If this changes in the future, the rule can be used to ensure that users do - not override the system default. 
- rules: - - accounts_umask_etc_bashrc - - accounts_umask_etc_login_defs - - accounts_umask_etc_profile - - var_accounts_user_umask=027 - related_rules: - - accounts_umask_interactive_users - - - id: 5.1.1.1 - title: Ensure rsyslog is installed (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - package_rsyslog_installed - - - id: 5.1.1.2 - title: Ensure rsyslog service is enabled (Manual) - levels: - - l1_server - - l1_workstation - status: automated - notes: |- - This requirement is expected to be manual in the policy because there are valid cases where - other solutions are used for logging. rsyslog is the default in RHEL 8 and so far other - solutions are not expected to be incompatible with rsyslog. If so, for these particular - cases, this rule should be removed for those systems by a tailored file. - rules: - - service_rsyslog_enabled - - - id: 5.1.1.3 - title: Ensure journald is configured to send logs to rsyslog (Manual) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - journald_forward_to_syslog - - - id: 5.1.1.4 - title: Ensure rsyslog default file permissions are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - rsyslog_filecreatemode - - - id: 5.1.1.5 - title: Ensure logging is configured (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - - id: 5.1.1.6 - title: Ensure rsyslog is configured to send logs to a remote log host (Manual) - levels: - - l1_server - - l1_workstation - status: manual - related_rules: - - rsyslog_remote_loghost - - - id: 5.1.1.7 - title: Ensure rsyslog is not configured to receive logs from a remote client (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - rsyslog_nolisten - - - id: 5.1.2.1.1 - title: Ensure systemd-journal-remote is installed (Manual) - levels: - - l1_server - - l1_workstation - status: manual - related_rules: - - 
package_systemd-journal-remote_installed - - - id: 5.1.2.1.2 - title: Ensure systemd-journal-remote is configured (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - - id: 5.1.2.1.3 - title: Ensure systemd-journal-remote is enabled (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - - id: 5.1.2.1.4 - title: Ensure journald is not configured to receive logs from a remote client (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - socket_systemd-journal-remote_disabled - - - id: 5.1.2.2 - title: Ensure journald service is enabled (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - service_systemd-journald_enabled - - - id: 5.1.2.3 - title: Ensure journald is configured to compress large log files (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - journald_compress - - - id: 5.1.2.4 - title: Ensure journald is configured to write logfiles to persistent disk (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - journald_storage - - - id: 5.1.2.5 - title: Ensure journald is not configured to send logs to rsyslog (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - - id: 5.1.2.6 - title: Ensure journald log rotation is configured per site policy (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - - id: 5.1.3 - title: Ensure logrotate is configured (Manual) - levels: - - l1_server - - l1_workstation - status: manual - related_rules: - - ensure_logrotate_activated - - package_logrotate_installed - - timer_logrotate_enabled - - - id: 5.1.4 - title: Ensure all logfiles have appropriate access configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - rsyslog_files_permissions - - rsyslog_files_ownership - - rsyslog_files_groupownership - - - id: 5.2.1.1 - title: Ensure auditd is installed (Automated) - levels: - - 
l2_server - - l2_workstation - status: automated - rules: - - package_audit_installed - - package_audit-libs_installed - - - id: 5.2.1.2 - title: Ensure auditing for processes that start prior to auditd is enabled (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - grub2_audit_argument - - - id: 5.2.1.3 - title: Ensure audit_backlog_limit is sufficient (Automated) - levels: - - l2_server - - l2_workstation - status: automated - notes: <- - Note that currently the value is hardcoded to 8192 - rules: - - grub2_audit_backlog_limit_argument - - - id: 5.2.1.4 - title: Ensure auditd service is enabled (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - service_auditd_enabled - - - id: 5.2.2.1 - title: Ensure audit log storage size is configured (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - auditd_data_retention_max_log_file - - var_auditd_max_log_file=6 - - - id: 5.2.2.2 - title: Ensure audit logs are not automatically deleted (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - auditd_data_retention_max_log_file_action - - var_auditd_max_log_file_action=keep_logs - - - id: 5.2.2.3 - title: Ensure system is disabled when audit logs are full (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - auditd_data_disk_full_action - - var_auditd_disk_full_action=cis_rhel7 - - auditd_data_disk_error_action - - var_auditd_disk_error_action=cis_rhel7 - - - id: 5.2.2.4 - title: Ensure system warns when audit logs are low on space (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - auditd_data_retention_space_left_action - - var_auditd_space_left_action=cis_rhel7 - - auditd_data_retention_action_mail_acct - - var_auditd_action_mail_acct=root - - auditd_data_retention_admin_space_left_action - - var_auditd_admin_space_left_action=cis_rhel7 - - - id: 5.2.3.1 - title: 
Ensure changes to system administration scope (sudoers) is collected (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_sysadmin_actions - - - id: 5.2.3.2 - title: Ensure actions as another user are always logged (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_suid_auid_privilege_function - - - id: 5.2.3.3 - title: Ensure events that modify the sudo log file are collected (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_sudo_log_events - - - id: 5.2.3.4 - title: Ensure events that modify date and time information are collected (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_time_adjtimex - - audit_rules_time_settimeofday - - audit_rules_time_clock_settime - - audit_rules_time_stime - - audit_rules_time_watch_localtime - - - id: 5.2.3.5 - title: Ensure events that modify the system's network environment are collected (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_networkconfig_modification - - audit_rules_networkconfig_modification_network_scripts - - - id: 5.2.3.6 - title: Ensure use of privileged commands are collected (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_privileged_commands - - - id: 5.2.3.7 - title: Ensure unsuccessful file access attempts are collected (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_ftruncate - - - id: 5.2.3.8 - title: Ensure events that modify user/group information are collected (Automated) - levels: - - l2_server - - l2_workstation - status: 
automated - rules: - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - - id: 5.2.3.9 - title: Ensure discretionary access control permission modification events are collected (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - - id: 5.2.3.10 - title: Ensure successful file system mounts are collected (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_media_export - - - id: 5.2.3.11 - title: Ensure session initiation information is collected (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_session_events - - - id: 5.2.3.12 - title: Ensure login and logout events are collected (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - - id: 5.2.3.13 - title: Ensure file deletion events by users are collected (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - - id: 5.2.3.14 - title: Ensure events that 
modify the system's Mandatory Access Controls are collected (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_mac_modification - - audit_rules_mac_modification_usr_share - - - id: 5.2.3.15 - title: Ensure successful and unsuccessful attempts to use the chcon command are recorded (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_execution_chcon - - - id: 5.2.3.16 - title: Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_execution_setfacl - - - id: 5.2.3.17 - title: Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_execution_chacl - - - id: 5.2.3.18 - title: Ensure successful and unsuccessful attempts to use the usermod command are recorded (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_privileged_commands_usermod - - - id: 5.2.3.19 - title: Ensure kernel module loading, unloading and modification is collected (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_kernel_module_loading_create - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_kernel_module_loading_query - - audit_rules_privileged_commands_kmod - - - id: 5.2.3.20 - title: Ensure the audit configuration is immutable (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_immutable - - - id: 5.2.3.21 - title: Ensure the running and on disk configuration is the same (Manual) - levels: - - l2_server - - l2_workstation - status: manual - - - id: 5.2.4.1 - title: Ensure the audit log directory is 0750 or more 
restrictive (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - directory_permissions_var_log_audit - - - id: 5.2.4.2 - title: Ensure audit log files are mode 0640 or less permissive (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - file_permissions_var_log_audit - - - id: 5.2.4.3 - title: Ensure only authorized users own audit log files (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - file_ownership_var_log_audit_stig - - - id: 5.2.4.4 - title: Ensure only authorized groups are assigned ownership of audit log files (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - file_group_ownership_var_log_audit - - - id: 5.2.4.5 - title: Ensure audit configuration files are 640 or more restrictive (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - file_permissions_audit_configuration - - - id: 5.2.4.6 - title: Ensure audit configuration files are owned by root (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - file_ownership_audit_configuration - - - id: 5.2.4.7 - title: Ensure audit configuration files belong to group root (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - file_groupownership_audit_configuration - - - id: 5.2.4.8 - title: Ensure audit tools are 755 or more restrictive (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - file_permissions_audit_binaries - - - id: 5.2.4.9 - title: Ensure audit tools are owned by root (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - file_ownership_audit_binaries - - - id: 5.2.4.10 - title: Ensure audit tools belong to group root (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - file_groupownership_audit_binaries - - - id: 5.3.1 - title: Ensure AIDE is installed 
(Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - package_aide_installed - - aide_build_database - - - id: 5.3.2 - title: Ensure filesystem integrity is regularly checked (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - aide_periodic_cron_checking - - - id: 6.1.1 - title: Ensure permissions on /etc/passwd are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_groupowner_etc_passwd - - file_owner_etc_passwd - - file_permissions_etc_passwd - - - id: 6.1.2 - title: Ensure permissions on /etc/passwd- are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_groupowner_backup_etc_passwd - - file_owner_backup_etc_passwd - - file_permissions_backup_etc_passwd - - - id: 6.1.3 - title: Ensure permissions on /etc/group are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_groupowner_etc_group - - file_owner_etc_group - - file_permissions_etc_group - - - id: 6.1.4 - title: Ensure permissions on /etc/group- are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_groupowner_backup_etc_group - - file_owner_backup_etc_group - - file_permissions_backup_etc_group - - - id: 6.1.5 - title: Ensure permissions on /etc/shadow are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_groupowner_etc_shadow - - file_owner_etc_shadow - - file_permissions_etc_shadow - - - id: 6.1.6 - title: Ensure permissions on /etc/shadow- are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_groupowner_backup_etc_shadow - - file_owner_backup_etc_shadow - - file_permissions_backup_etc_shadow - - - id: 6.1.7 - title: Ensure permissions on /etc/gshadow are configured (Automated) - levels: - - l1_server - - l1_workstation - 
status: automated - rules: - - file_groupowner_etc_gshadow - - file_owner_etc_gshadow - - file_permissions_etc_gshadow - - - id: 6.1.8 - title: Ensure permissions on /etc/gshadow- are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_groupowner_backup_etc_gshadow - - file_owner_backup_etc_gshadow - - file_permissions_backup_etc_gshadow - - - id: 6.1.9 - title: Ensure permissions on /etc/shells are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_owner_etc_shells - - file_groupowner_etc_shells - - file_permissions_etc_shells - - - id: 6.1.10 - title: Ensure permissions on /etc/security/opasswd are configured (Automated) - levels: - - l1_server - - l1_workstation - status: partial - rules: - # We need another rule that checks /etc/security/opasswd.old - - file_etc_security_opasswd - - - id: 6.1.11 - title: Ensure world writable files and directories are secured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_permissions_unauthorized_world_writable - - dir_perms_world_writable_sticky_bits - - - id: 6.1.12 - title: Ensure no unowned or ungrouped files or directories exist (Automated) - levels: - - l1_server - - l1_workstation - status: partial - rules: - # TODO: add rules for unowned/ungrouped directories - - no_files_unowned_by_user - - file_permissions_ungroupowned - - - id: 6.1.13 - title: Ensure SUID and SGID files are reviewed (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - - id: 6.1.14 - title: Audit system file permissions (Manual) - levels: - - l2_server - - l2_workstation - status: manual - - - id: 6.2.1 - title: Ensure accounts in /etc/passwd use shadowed passwords (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_password_all_shadowed - - - id: 6.2.2 - title: Ensure /etc/shadow password fields are not empty (Automated) - levels: - - 
l1_server - - l1_workstation - status: automated - rules: - - no_empty_passwords_etc_shadow - - - id: 6.2.3 - title: Ensure all groups in /etc/passwd exist in /etc/group (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - gid_passwd_group_same - - - id: 6.2.4 - title: Ensure no duplicate UIDs exist (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - account_unique_id - - - id: 6.2.5 - title: Ensure no duplicate GIDs exist (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - group_unique_id - - - id: 6.2.6 - title: Ensure no duplicate user names exist (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - account_unique_name - - - id: 6.2.7 - title: Ensure no duplicate group names exist (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - group_unique_name - - - id: 6.2.8 - title: Ensure root path integrity (Automated) - levels: - - l1_server - - l1_workstation - status: partial - rules: - # TODO: add non root owned directories - - accounts_root_path_dirs_no_write - - root_path_no_dot - - - id: 6.2.9 - title: Ensure root is the only UID 0 account (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_no_uid_except_zero - - - id: 6.2.10 - title: Ensure local interactive user home directories are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_user_interactive_home_directory_exists - - file_ownership_home_directories - - file_permissions_home_directories - - - id: 6.2.11 - title: Ensure local interactive user dot files access is configured (Automated) - levels: - - l1_server - - l1_workstation - notes: |- - According to the RHEL 7 CIS Benchmark guidance, the incompliant .forward - and .rhost files should be investigated and remediated manually. 
- However, in other profiles we remediate the rule using the automated - remediation. - status: partial - # TODO: add rule checking that .bash_history is mode 0600 or more restrictive - rules: - - accounts_user_dot_group_ownership - - accounts_user_dot_user_ownership - - file_permission_user_init_files - - var_user_initialization_files_regex=all_dotfiles - - no_forward_files - - no_rsh_trust_files - - accounts_users_netrc_file_permissions diff --git a/docs/manual/developer/02_building_complianceascode.md b/docs/manual/developer/02_building_complianceascode.md index 012b33da806..3e03b5a9e61 100644 --- a/docs/manual/developer/02_building_complianceascode.md +++ b/docs/manual/developer/02_building_complianceascode.md @@ -30,16 +30,10 @@ less ~/OpenSCAP/STARTGUIDE.md ## Installing build dependencies ### Required Dependencies -On *Red Hat Enterprise Linux 7* make sure the following packages are installed: - -```bash -yum install cmake make openscap-utils openscap-scanner -``` - On *Red Hat Enterprise Linux 8* and *Fedora* the package list but must also include python3: ```bash -yum install cmake make openscap-utils openscap-scanner python3 +dnf install cmake make openscap-utils openscap-scanner python3 ``` On *Ubuntu* and *Debian*, make sure the packages `libopenscap8`, @@ -273,15 +267,15 @@ cd build/ cmake ../ # To build all security content make -j4 -# To build security content for one specific product, for example for *Red Hat Enterprise Linux 7* -make -j4 rhel7 +# To build security content for one specific product, for example for *Red Hat Enterprise Linux 9* +make -j4 rhel9 ``` Or use the `build_product` script from the base directory that removes whatever is in the `build` directory and builds a specific product: ```bash -./build_product rhel7 +./build_product rhel9 ``` For more information about available options, call `./build_product --help`. 
@@ -293,12 +287,12 @@ To build specific content for a specific product: ```bash cd build/ cmake ../ -make -j4 rhel7-content # SCAP XML files for RHEL7 -make -j4 rhel7-guides # HTML guides for RHEL7 -make -j4 rhel7-tables # HTML tables for RHEL7 -make -j4 rhel7-profile-bash-scripts # remediation Bash scripts for all RHEL7 profiles -make -j4 rhel7-profile-playbooks # Ansible Playbooks for all RHEL7 profiles -make -j4 rhel7 # everything above for RHEL7 +make -j4 rhel9-content # SCAP XML files for RHEL9 +make -j4 rhel9-guides # HTML guides for RHEL9 +make -j4 rhel9-tables # HTML tables for RHEL9 +make -j4 rhel9-profile-bash-scripts # remediation Bash scripts for all RHEL9 profiles +make -j4 rhel9-profile-playbooks # Ansible Playbooks for all RHEL9 profiles +make -j4 rhel9 # everything above for RHEL9 ``` ### Building thin The Datastreams @@ -362,7 +356,7 @@ make -j4 stats # display statistics in text format for all products make -j4 profile-stats # display statistics in text format for all profiles in all products ``` -You can also create statistics per product. Prepend the product name (e.g.: `rhel7-stats`) to the make target. +You can also create statistics per product. Prepend the product name (e.g.: `rhel9-stats`) to the make target. #### HTML Output 
@@ -422,19 +416,19 @@ it will be the `content/build` folder.
 ### SCAP XML files
 The SCAP XML files will be called `ssg-${PRODUCT}-${TYPE}.xml`. For example
-`ssg-rhel7-ds.xml` is the SCAP 1.3 *Red Hat Enterprise Linux 7* **source data stream**.
+`ssg-rhel9-ds.xml` is the SCAP 1.3 *Red Hat Enterprise Linux 9* **source data stream**.
 We recommend using **source data stream** if you have a choice. The build system also generates separate XCCDF, OVAL, OCIL and CPE files:
 ```bash
-$ ls -1 ssg-rhel7-*.xml
-ssg-rhel7-cpe-dictionary.xml
-ssg-rhel7-cpe-oval.xml
-ssg-rhel7-ds.xml
-ssg-rhel7-ocil.xml
-ssg-rhel7-oval.xml
-ssg-rhel7-xccdf.xml
+$ ls -1 ssg-rhel9-*.xml
+ssg-rhel9-cpe-dictionary.xml
+ssg-rhel9-cpe-oval.xml
+ssg-rhel9-ds.xml
+ssg-rhel9-ocil.xml
+ssg-rhel9-oval.xml
+ssg-rhel9-xccdf.xml
 ```
 These can be ingested by any SCAP-compatible scanning tool, to enable automated
@@ -442,16 +436,19 @@ checking.
 ### HTML Guides
-The human readable HTML guide index files will be called
-`ssg-${PRODUCT}-guide-index.html`. For example `ssg-rhel7-guide-index.html`.
+The human-readable HTML guide index files will be called
+`ssg-${PRODUCT}-guide-index.html`. For example `ssg-rhel9-guide-index.html`.
 This file will let the user browse all profiles available for that product. The prose guide HTML contains practical, actionable information for auditors
-and administrators. They are placed in the guides folder.
-```bash
-$ ls -1 guides/ssg-rhel7-*.html
-guides/ssg-rhel7-guide-ospp42.html
-guides/ssg-rhel7-guide-ospp.html
-guides/ssg-rhel7-guide-pci-dss.html
+and administrators. They are placed in the `guides` folder.
+```bash
+$ ls -1 guides/ssg-rhel9-*.html
+guides/ssg-rhel9-guide-anssi_bp28_enhanced.html
+guides/ssg-rhel9-guide-anssi_bp28_high.html
+guides/ssg-rhel9-guide-anssi_bp28_intermediary.html
+guides/ssg-rhel9-guide-anssi_bp28_minimal.html
+guides/ssg-rhel9-guide-ccn_advanced.html
+guides/ssg-rhel9-guide-ccn_basic.html
 ...
 ```
@@ -460,15 +457,14 @@ Spreadsheet HTML tables - potentially useful as the basis for a *Security Requirements Traceability Matrix (SRTM) document*:
 ```bash
-$ ls -1 tables/table-rhel7-*.html
-...
-tables/table-rhel7-nistrefs-ospp.html
-tables/table-rhel7-nistrefs-stig.html
-tables/table-rhel7-pcidssrefs.html
-tables/table-rhel7-srgmap-flat.html
-tables/table-rhel7-srgmap.html
-tables/table-rhel7-stig.html
-...
+$ ls -1 tables/table-rhel9-*.html
+tables/table-rhel9-cces.html
+tables/table-rhel9-srgmap-flat.html
+tables/table-rhel9-srgmap.html
+tables/table-rhel9-stig_gui-testinfo.html
+tables/table-rhel9-stig.html
+tables/table-rhel9-stig-manual.html
+tables/table-rhel9-stig-testinfo.html
 ```
 ### Ansible Playbooks
@@ -476,43 +472,52 @@ tables/table-rhel7-stig.html
 #### Profile Ansible Playbooks
 These Playbooks contain the remediations for a profile.
 ```bash
-$ ls -1 ansible/rhel7-playbook-*.yml
-ansible/rhel7-playbook-C2S.yml
-ansible/rhel7-playbook-ospp.yml
-ansible/rhel7-playbook-pci-dss.yml
+$ ls -1 ansible/rhel9-playbook-*.yml
+ansible/rhel9-playbook-anssi_bp28_enhanced.yml
+ansible/rhel9-playbook-anssi_bp28_high.yml
+ansible/rhel9-playbook-anssi_bp28_intermediary.yml
+ansible/rhel9-playbook-anssi_bp28_minimal.yml
+ansible/rhel9-playbook-ccn_advanced.yml
+ansible/rhel9-playbook-ccn_basic.yml
+ansible/rhel9-playbook-ccn_intermediate.yml
+ ...
 ```
 #### Rule Ansible Playbooks
 These Playbooks contain just the remediation for a rule, in the context of a profile.
 ```bash
-$ ls -1 ansible/rhel7-playbook-*.yml
-$ ls -1 rhel7/playbooks/pci-dss/*.yml
-rhel7/playbooks/pci-dss/account_disable_post_pw_expiration.yml
-rhel7/playbooks/pci-dss/accounts_maximum_age_login_defs.yml
-rhel7/playbooks/pci-dss/accounts_password_pam_dcredit.yml
-rhel7/playbooks/pci-dss/accounts_password_pam_lcredit.yml
+$ ls -1 rhel9/playbooks/pci-dss/*.yml | head
+rhel9/playbooks/pci-dss/account_disable_post_pw_expiration.yml
+rhel9/playbooks/pci-dss/accounts_maximum_age_login_defs.yml
+rhel9/playbooks/pci-dss/accounts_no_uid_except_zero.yml
+rhel9/playbooks/pci-dss/accounts_password_pam_dcredit.yml
 ...
 ```
-
+~~
 #### Rule SCE Checks
 These scripts contain SCE content for the specified rule.
 ```bash
-$ ls -1 ubuntu2004/checks/sce/
-accounts_users_own_home_directories.sh
+$ ls -1 rhel9/checks/sce/
+ip6tables_rules_for_open_ports.sh
+iptables_rules_for_open_ports.sh
 metadata.json
+set_iptables_outbound_n_established.sh
+set_nftables_base_chain.sh
+set_nftables_table.sh
+ssh_keys_passphrase_protected.sh
 ```
 ### Profile Bash Scripts
 These Bash Scripts contains the remediations for a profile.
```bash
-$ ls -1 bash/rhel7-script-*.sh
-bash/rhel7-script-C2S.sh
+$ ls -1 bash/rhel9-script-*.sh
+bash/rhel9-script-anssi_bp28_enhanced.sh
 ...
-bash/rhel7-script-ospp.sh
-bash/rhel7-script-pci-dss.sh
+bash/rhel9-script-e8.sh
+bash/rhel9-script-hipaa.sh
 ...
 ```
@@ -660,7 +665,7 @@ To build all the content, run a container without any flags.
 docker run --cap-drop=all --name oscap-content oscap:latest
 ```
-Using `docker cp` to copy all the generated content to the your host:
+Using `docker cp` to copy all the generated content to your host:
 ```bash
 docker cp oscap-content:/home/oscap/content/build $(pwd)/container_build
diff --git a/docs/manual/developer/03_creating_content.md b/docs/manual/developer/03_creating_content.md
index b264d591431..96419b7fecb 100644
--- a/docs/manual/developer/03_creating_content.md
+++ b/docs/manual/developer/03_creating_content.md
@@ -160,16 +160,16 @@ multiple benchmarks in our project:
 The **Linux OS** benchmark describes Linux Operating System in general. This benchmark is used by multiple ComplianceAsCode products, eg.
-`rhel7`, `fedora`, `ubuntu1604`, `sle15` etc. The benchmark is located
+`rhel9`, `fedora`, `ubuntu1604`, `sle15` etc. The benchmark is located
 in `/linux_os/guide`. The products specify which benchmark they use as a source of content in their `product.yml` file using `benchmark_root` key. For example,
-`rhel7` product specifies that it uses the Linux OS benchmark.
+`rhel9` product specifies that it uses the Linux OS benchmark.
- $ cat products/rhel7/product.yml
- product: rhel7
- full_name: Red Hat Enterprise Linux 7
+ $ cat products/rhel9/product.yml
+ product: rhel9
+ full_name: Red Hat Enterprise Linux 9
 type: platform
 benchmark_root: "../linux_os/guide"
@@ -241,7 +241,7 @@ layout:
 - **Do not** use capital letters
 - If product versions are required, use major or LTS versions only. For
- example, `rhel7`, `ubuntu2004`, etc.
+ example, `rhel9`, `ubuntu2004`, etc.
 - If the content does not depend on specific versions, **do not** add version numbers. For example: `fedora`, `firefox`, etc.
@@ -251,8 +251,8 @@ using and navigating the content. For example:
- $ tree -d products/rhel7
- products/rhel7
+ $ tree -d products/rhel9
+ products/rhel9
 ├── kickstart
 ├── overlays
 ├── profiles
@@ -363,7 +363,7 @@ all_cmake_products=(
 ...
 product_directories = ['debian11', 'fedora', 'ol7', 'ol8', 'opensuse',
-                       'rhel7', 'rhel8', 'sle12',
+                       'rhel8', 'rhel9', 'sle12',
                        'ubuntu1604', 'ubuntu1804', 'rhosp13',
                        'chromium', 'eap6', 'firefox',
                        'example', 'custom6']
@@ -964,7 +964,7 @@ controls:
     - https://my-ticket-tracker.com/issue/2
 ```
 
-
+(controls_file_format)=
 ### Controls file format
 
 This is a complete schema of the YAML file format.
@@ -1068,6 +1068,7 @@ controls:
       - other-policy:other-control
 ```
 
+(auto_ref_controls_to_rules)=
 ### Using Controls for Automated Reference Assignment to Rules
 
 Control files inherently establish the correspondence between the requirements of a specified policy and individual rules.
@@ -1242,7 +1243,7 @@ the different status options that were documented earlier in this
 documentation.
 
 ```
-$ utils/controleval.py stats -i cis_rhel7 -l l2_server
+$ utils/controleval.py stats -i cis_rhel9 -l l2_server -p rhel9
 ```
 
 For more details about the `controleval.py` too, run `utils/controleval.py --help`.
diff --git a/docs/manual/developer/05_tools_and_utilities.md b/docs/manual/developer/05_tools_and_utilities.md
index 07c8d7c4bd8..7c6817b7594 100644
--- a/docs/manual/developer/05_tools_and_utilities.md
+++ b/docs/manual/developer/05_tools_and_utilities.md
@@ -37,7 +37,7 @@ For example, to subtract selected rules from a given profile based on
 rules selected by another profile, run this command:
 
 ```bash
-    $ ./build-scripts/profile_tool.py sub --profile1 rhel7/profiles/ospp.profile --profile2 rhel7/profiles/pci-dss.profile
+    $ ./build-scripts/profile_tool.py sub --profile1 rhel9/profiles/ospp.profile --profile2 rhel9/profiles/pci-dss.profile
 ```
 
 This will result in a new YAML profile containing exclusive rules to the
diff --git a/docs/manual/developer/06_contributing_with_content.md b/docs/manual/developer/06_contributing_with_content.md
index 13ee30506bb..d3096eb14e6 100644
--- a/docs/manual/developer/06_contributing_with_content.md
+++ b/docs/manual/developer/06_contributing_with_content.md
@@ -273,19 +273,19 @@ A rule may contain those reference-type attributes:
     
     

http://www.us-cert.gov/cas/techalerts

No

-

US-CERT technical cyber security alerts –the identifier value SHOULD be a technical cyber security alert ID (e.g., “TA05-189A”)

+

US-CERT technical cybersecurity alerts –the identifier value SHOULD be a technical cybersecurity alert ID (e.g., “TA05-189A”)

When the rule is related to RHEL, it should have a CCE. A CEE (e.g. - : CCE-80328-8) is used as a global identifier that maps + : CCE-80328-8) is used as a global identifier that maps the rule to the product over the lifetime of a rule. There should only be one CCE mapped to a rule as a global identifier. Any other usage of CCE is no longer considered a best practice. CCEs are also product dependent which means that a different CCE must be used for each different product and product version. For example if - `cce@rhel7: 80328-8` exists in a rule, that CCE cannot be used for + `cce@rhel9: 80328-8` exists in a rule, that CCE cannot be used for another product or version (e.g. rhel9), and the CCE MUST be retired with the rule. Available CCEs that can be assigned to new rules are listed in the `shared/references/cce-rhel-avail.txt` file. @@ -293,12 +293,14 @@ A rule may contain those reference-type attributes: - `references`: This is related to the compliance document line items that the rule applies to. These can be attributes such as `stigid`, `srg`, `nist`, etc., whose keys may be modified with a product - (e.g., `stigid@rhel7`) to restrict what products a reference + (e.g., `stigid@rhel9`) to restrict what products a reference identifier applies to. Depending on the type of reference (e.g. catalog, ruleid, etc.) will depend on how many can be added to a single rule. In addition, certain references in a rule such as `stigid` or `cis` only apply to a certain product and product version; they cannot be used for multiple products and versions. + Some references are automatically added by controls files. + See the [Controls File Format](#auto_ref_controls_to_rules) for more details. 
@@ -437,15 +439,21 @@ remediation. A rule may be selected by any number of profiles, so when the scanner is scanning using a profile the rule is included in, the rule is taken into account. For example, the rule identified by `partition_for_tmp` defined in -`shared/xccdf/system/software/disk_partitioning.xml` is included in the -`RHEL7 C2S` profile in `rhel7/profiles/C2S.xml`. +`linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml` is included in the +`RHEL9 OSPP` profile in `rhel9/profiles/ospp.yml`. Checks are connected to rules by the `oval` element and the filename in -which it is found. Remediations (i.e. fixes) are assigned to rules based -on their basename. Therefore, the rule `sshd_print_last_log` has a +which it is found. +For example, the rule `auditd_data_retention_space_left_percentage` oval check is located at +`linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/oval/shared.xml`. + + +Remediations (i.e. fixes) are assigned to rules based +on their basename. Therefore, the rule `auditd_data_retention_space_left_percentage` has a `bash` fix associated as there is a `bash` script -`shared/fixes/bash/sshd_print_last_log.sh`. As there is an Ansible -playbook `shared/fixes/ansible/sshd_print_last_log.yml`, the rule has +`linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/bash/shared.sh`. +As there is an Ansible +playbook `linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/ansible/shared.yml`, the rule has also an Ansible fix associated. #### Rule Deprecation 
@@ -481,7 +489,7 @@ structure of a rule directory looks like the following example: linux_os/guide/system/group/rule_id/rule.yml linux_os/guide/system/group/rule_id/bash/ol7.sh linux_os/guide/system/group/rule_id/bash/shared.sh - linux_os/guide/system/group/rule_id/oval/rhel7.xml + linux_os/guide/system/group/rule_id/oval/rhel9.xml linux_os/guide/system/group/rule_id/oval/shared.xml To be considered a rule directory, it must be a directory contained in a 
@@ -511,22 +519,22 @@ then contain the following subdirectories: In each of these subdirectories, a file named `shared.ext` will apply to all products and be included in all builds, but `{{{ product }}}.ext` will only get included in the build for `{{{ product }}}` (e.g., -`rhel7.xml` above will only be included in the build of the `rhel7` +`rhel9.xml` above will only be included in the build of the `rhel9` guide content and not in the `ol7` content). Additionally, we support -the use of unversioned products here (e.g., `rhel` applies to `rhel7`, -`rhel8`, and `rhel9`). Note that `.ext` must be substituted for the +the use of unversioned products here (e.g., `rhel` applies to `rhel9`, +`rhel8`, and `rhel10`). Note that `.ext` must be substituted for the correct extension for content of that type (e.g., `.sh` for `bash` content). Further, all of these directories are optional and will only be searched for content if present. Lastly, the product naming of content will not override the contents of `platform` field in -the content itself (e.g., if `rhel7` is not present in the `rhel7.xml` +the content itself (e.g., if `rhel9` is not present in the `rhel9.xml` OVAL check platform specifier, it will be included in the build artifacts but later removed because it doesn't match the platform). This means that any shared (or templated) checks won't be searched if a product-specific file is present but has the wrong applicability; this includes shared checks being preferred above templated checks. -Currently the build system supports both rule files (discussed above) +Currently, the build system supports both rule files (discussed above) and rule directories. For example content in this format, please see rules in `linux_os/guide`. 
@@ -551,10 +559,10 @@ supports several commands on a given rule: products, and their actual platforms. - `mod_checks.py delete ` - delete the OVAL for the - the specified product. + specified product. - `mod_checks.py make_shared ` - moves the product - OVAL to the shared OVAL (e.g., `rhel7.xml` to `shared.xml`). + OVAL to the shared OVAL (e.g., `rhel9.xml` to `shared.xml`). - `mod_checks.py diff ` - Performs a diff between two OVALs (product can be `shared` to diff against the @@ -577,7 +585,7 @@ OVAL with the following commands: If all of the platforms in `match` exist in the original `platform` of the rule, they are removed and the platforms in `replace` are added. -This utility requires an up to date JSON tree created by +This utility requires an up-to-date JSON tree created by `rule_dir_json.py`. #### `utils/mod_fixes.py` @@ -593,7 +601,7 @@ remediation language: for the specified product. - `mod_fixes.py make_shared ` - moves the - product fix to the shared fix (e.g., `rhel7.sh` to `shared.sh`). + product fix to the shared fix (e.g., `rhel9.sh` to `shared.sh`). - `mod_fixes.py diff ` - Performs a diff between two fixes (product can be `shared` to diff against @@ -1013,7 +1021,7 @@ of supported platforms. Following, you can see an example of a bash remediation that sets the maximum number of days a password may be used: - # platform = Red Hat Enterprise Linux 7 + # platform = Red Hat Enterprise Linux 10 {{{ bash_instantiate_variables("var_accounts_maximum_age_login_defs) }}} grep -q ^PASS_MAX_DAYS /etc/login.defs && \ @@ -1097,8 +1105,8 @@ accordingly. The general form is the following: name: template_name vars: param_name: value # these parameters are individual for each template - param_name@rhel7: value1 - param_name@rhel8: value2 + param_name@rhel9: value1 + param_name@rhel10: value2 backends: # optional ansible: "off" bash: "on" # on is implicit value 
diff --git a/docs/manual/user/10_install.md b/docs/manual/user/10_install.md
index 9fa881bc1b7..6fc5ed34fda 100644
--- a/docs/manual/user/10_install.md
+++ b/docs/manual/user/10_install.md
@@ -7,12 +7,6 @@ What files will that be depends on the distribution, but for example on Fedora,
 ## Installing from distribution packages
-### Red Hat Enterprise Linux 7
-
-```
-$ sudo yum -y install scap-security-guide
-```
-
 ### Fedora / Red Hat Enterprise Linux 8+
 ```
 $ sudo dnf -y install scap-security-guide
diff --git a/docs/manual/user/20_scanning.md b/docs/manual/user/20_scanning.md
index 251e4b41b2a..5401c9810e8 100644
--- a/docs/manual/user/20_scanning.md
+++ b/docs/manual/user/20_scanning.md
@@ -168,7 +168,7 @@ fi # END OF SCRIPT
 ```
-This output could be redirected to a bash script, or built into your RHEL7 provisioning process (e.g. the %post section of a kickstart).
+This output could be redirected to a bash script, or built into your RHEL provisioning process (e.g. the %post section of a kickstart).
 #### Ansible Playbooks
diff --git a/docs/manual/user/30_content_notes.md b/docs/manual/user/30_content_notes.md
index 81e04a087fa..96352d0d664 100644
--- a/docs/manual/user/30_content_notes.md
+++ b/docs/manual/user/30_content_notes.md
@@ -14,6 +14,7 @@ Below is list of products that have been removed from the project.
 | McAfee VirusScan Enterprise for Linux (VESL) | December 31, 2021 | [content 0.1.65](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.65) |
 | Red Hat Enterprise Linux 5 | March 31, 2017 | [content 0.1.34](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.34) |
 | Red Hat Enterprise Linux 6 | June 1, 2022 | [content 0.1.52](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52) |
+| Red Hat Enterprise Linux 7 | June 31, 2024 | [content 0.1.73](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.73) |
 | Red Hat Enterprise Virtualization Manager 3 | September 30, 2018 | [content 0.1.38](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.38) |
 | Red Hat OpenShift Container Platform 3 | June 1, 2022 | [content 0.1.52](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52) |
 | Red Hat OpenStack Platform 7 | August 5, 2018 | [content 0.1.41](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41) |
diff --git a/docs/workshop/data/accounts_tmout/bash/shared.sh b/docs/workshop/data/accounts_tmout/bash/shared.sh
index 454571a875d..a682f7b3ba0 100644
--- a/docs/workshop/data/accounts_tmout/bash/shared.sh
+++ b/docs/workshop/data/accounts_tmout/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol
 {{{ bash_instantiate_variables("var_accounts_tmout") }}}
 if grep --silent ^TMOUT /etc/profile ; then
diff --git a/docs/workshop/data/accounts_tmout/rule_yml b/docs/workshop/data/accounts_tmout/rule_yml
index acbe212a52b..7ece849afbb 100644
--- a/docs/workshop/data/accounts_tmout/rule_yml
+++ b/docs/workshop/data/accounts_tmout/rule_yml
@@ -17,7 +17,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-27557-8
 cce@rhel8: CCE-80673-7
 cce@rhel9: CCE-83633-8
 cce@sle12: CCE-83011-7
@@ -26,7 +25,6 @@ identifiers:
 references:
 anssi: R29
 cis-csc: 1,12,15,16
- cis@rhel7: 5.5.4
 cis@rhel8: 5.5.3
 cis@sle12: 5.5.4
 cis@sle15: 5.4.4
@@ -44,7 +42,6 @@ references:
 ospp: FMT_MOF_EXT.1
 srg: SRG-OS-000163-GPOS-00072,SRG-OS-000029-GPOS-00010
 stigid@ol7: OL07-00-040160
- stigid@rhel7: RHEL-07-040160
 stigid@sle12: SLES-12-010090
 stigid@sle15: SLES-15-010130
 stigid@ubuntu2004: UBTU-20-010013
diff --git a/docs/workshop/lab1_introduction.adoc b/docs/workshop/lab1_introduction.adoc
index 0ac772dbf03..bd9e13b9e2e 100644
--- a/docs/workshop/lab1_introduction.adoc
+++ b/docs/workshop/lab1_introduction.adoc
@@ -167,8 +167,8 @@ Though the `var_accounts_tmout.var` file contains the variable description--whic
 . The rule is parameterized per profile. This is because there can be multiple profiles in one data stream file, one rule can exist in multiple profiles, and it can be parameterized differently in different profiles.
 +
-To see how the rule is connected to its variable, you have to review the respective profile definition,
-press `Ctrl+P` and open `products/rhel8/profiles/ospp.profile`.
+To see how the rule is connected to its variable, you have to review the respective profile definition,
+press `Ctrl+P` and open `products/rhel8/profiles/ospp.profile`.
 Then search for `accounts_tmout` with:
 .. In the editor, press `Ctrl+F` to search for `accounts_tmout`.
@@ -278,7 +278,7 @@ Remediations can be found under `bash`, `ansible`, `anaconda`, and `puppet` dire
 For example, in the `accounts_tmout` rule there is a remediation in the form of a Bash script located in the `bash` subdirectory of the rule's directory. See the contents of the `bash` directory--there is a `shared.sh` file in it. The `shared` basename has a special meaning--it indicates that the remediation can be used with any product.
-If the remediation is named `rhel8.sh`, it means that it is a RHEL8-only remediation and cannot be used to remediate RHEL7 systems.
+If the remediation is named `rhel8.sh`, it means that it is a RHEL8-only remediation and cannot be used to remediate other RHEL systems such as RHEL9 systems.
 This naming convention is relevant for all types of additional content. Unlike checks, you can review remediations in the guide--there is a clickable `Remediation Shell Script` link to do so.
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
index db2e7a83e4f..7727dd51938 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
@@ -31,7 +31,6 @@ platforms:
 identifiers:
 cce@rhcos4: CCE-82556-2
- cce@rhel7: CCE-27339-1
 cce@rhel8: CCE-80685-1
 cce@rhel9: CCE-83830-0
 cce@sle12: CCE-83106-5
@@ -59,7 +58,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-APP-000091-CTR-000160,SRG-APP-000492-CTR-001220,SRG-APP-000493-CTR-001225,SRG-APP-000494-CTR-001230,SRG-APP-000500-CTR-001260,SRG-APP-000507-CTR-001295,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255
 stigid@ol7: OL07-00-030410
 stigid@ol8: OL08-00-030490
- stigid@rhel7: RHEL-07-030410
 stigid@rhel8: RHEL-08-030490
 stigid@sle12: SLES-12-020460
 stigid@sle15: SLES-15-030290
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
index 6f99c1785ad..3fabdc98f19 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
@@ -31,7 +31,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82557-0
- cce@rhel7: CCE-27364-9
 cce@rhel8: CCE-80686-9
 cce@rhel9: CCE-83812-8
 cce@sle12: CCE-83137-0
@@ -59,7 +58,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-APP-000091-CTR-000160,SRG-APP-000492-CTR-001220,SRG-APP-000493-CTR-001225,SRG-APP-000494-CTR-001230,SRG-APP-000500-CTR-001260,SRG-APP-000507-CTR-001295,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255
 stigid@ol7: OL07-00-030370
 stigid@ol8: OL08-00-030480
- stigid@rhel7: RHEL-07-030370
 stigid@rhel8: RHEL-08-030480
 stigid@sle12: SLES-12-020420
 stigid@sle15: SLES-15-030250
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
index 5ce9bce970e..1fba93202b0 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
@@ -28,7 +28,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82558-8
- cce@rhel7: CCE-27393-8
 cce@rhel8: CCE-80687-7
 cce@rhel9: CCE-83832-6
 cce@sle12: CCE-83133-9
@@ -56,7 +55,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-APP-000091-CTR-000160,SRG-APP-000492-CTR-001220,SRG-APP-000493-CTR-001225,SRG-APP-000494-CTR-001230,SRG-APP-000500-CTR-001260,SRG-APP-000507-CTR-001295,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255
 stigid@ol7: OL07-00-030410
 stigid@ol8: OL08-00-030490
- stigid@rhel7: RHEL-07-030410
 stigid@rhel8: RHEL-08-030490
 stigid@sle12: SLES-12-020460
 stigid@sle15: SLES-15-030290
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
index 4c82c79ab22..a8f9c909446 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
@@ -28,7 +28,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82559-6
- cce@rhel7: CCE-27388-8
 cce@rhel8: CCE-80688-5
 cce@rhel9: CCE-83822-7
 cce@sle12: CCE-83132-1
@@ -56,7 +55,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-APP-000091-CTR-000160,SRG-APP-000492-CTR-001220,SRG-APP-000493-CTR-001225,SRG-APP-000494-CTR-001230,SRG-APP-000500-CTR-001260,SRG-APP-000507-CTR-001295,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255
 stigid@ol7: OL07-00-030410
 stigid@ol8: OL08-00-030490
- stigid@rhel7: RHEL-07-030410
 stigid@rhel8: RHEL-08-030490
 stigid@sle12: SLES-12-020460
 stigid@sle15: SLES-15-030290
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
index f75efb6c8fa..3432cd5fdd3 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
@@ -31,7 +31,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82560-4
- cce@rhel7: CCE-27356-5
 cce@rhel8: CCE-80689-3
 cce@rhel9: CCE-83829-2
 cce@sle12: CCE-83136-2
@@ -59,7 +58,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-APP-000091-CTR-000160,SRG-APP-000492-CTR-001220,SRG-APP-000493-CTR-001225,SRG-APP-000494-CTR-001230,SRG-APP-000500-CTR-001260,SRG-APP-000507-CTR-001295,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255
 stigid@ol7: OL07-00-030370
 stigid@ol8: OL08-00-030480
- stigid@rhel7: RHEL-07-030370
 stigid@rhel8: RHEL-08-030480
 stigid@sle12: SLES-12-020420
 stigid@sle15: SLES-15-030250
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
index 6849af3b133..4e639339adc 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
@@ -28,7 +28,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82561-2
- cce@rhel7: CCE-27387-0
 cce@rhel8: CCE-80690-1
 cce@rhel9: CCE-83831-8
 cce@sle12: CCE-83134-7
@@ -56,7 +55,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-APP-000091-CTR-000160,SRG-APP-000492-CTR-001220,SRG-APP-000493-CTR-001225,SRG-APP-000494-CTR-001230,SRG-APP-000500-CTR-001260,SRG-APP-000507-CTR-001295,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255
 stigid@ol7: OL07-00-030370
 stigid@ol8: OL08-00-030480
- stigid@rhel7: RHEL-07-030370
 stigid@rhel8: RHEL-08-030480
 stigid@sle12: SLES-12-020420
 stigid@sle15: SLES-15-030250
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
index b5cab80488c..8a6434ee9e0 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
@@ -45,7 +45,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82562-0
- cce@rhel7: CCE-27353-2
 cce@rhel8: CCE-80691-9
 cce@rhel9: CCE-83821-9
 cce@sle12: CCE-83138-8
@@ -73,7 +72,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000468-GPOS-00212,SRG-OS-000064-GPOS-00033,SRG-APP-000091-CTR-000160,SRG-APP-000492-CTR-001220,SRG-APP-000493-CTR-001225,SRG-APP-000494-CTR-001230,SRG-APP-000500-CTR-001260,SRG-APP-000507-CTR-001295,SRG-APP-000495-CTR-001235,SRG-APP-000496-CTR-001240,SRG-APP-000497-CTR-001245,SRG-APP-000498-CTR-001250,SRG-APP-000499-CTR-001255
 stigid@ol7: OL07-00-030440
 stigid@ol8: OL08-00-030200
- stigid@rhel7: RHEL-07-030440
 stigid@rhel8: RHEL-08-030200
 stigid@sle12: SLES-12-020370
 stigid@sle15: SLES-15-030190
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
index 4371c108151..2d8b4347e18 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
@@ -40,7 +40,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82563-8
- cce@rhel7: CCE-27389-6
 cce@rhel8: CCE-80692-7
 cce@rhel9: CCE-83817-7
 cce@sle12: CCE-83141-2
@@ -68,7 +67,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000466-GPOS-00210,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000064-GPOS-00033,SRG-APP-000091-CTR-000160,SRG-APP-000492-CTR-001220,SRG-APP-000493-CTR-001225,SRG-APP-000494-CTR-001230,SRG-APP-000500-CTR-001260,SRG-APP-000507-CTR-001295,SRG-APP-000495-CTR-001235,SRG-APP-000496-CTR-001240,SRG-APP-000497-CTR-001245,SRG-APP-000498-CTR-001250,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 stigid@ol7: OL07-00-030440
 stigid@ol8: OL08-00-030200
- stigid@rhel7: RHEL-07-030440
 stigid@rhel8: RHEL-08-030200
 stigid@sle12: SLES-12-020370
 stigid@sle15: SLES-15-030190
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
index 8f6ec660b8d..a43ad074618 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
@@ -31,7 +31,6 @@ platforms:
 identifiers:
 cce@rhcos4: CCE-82564-6
- cce@rhel7: CCE-27083-5
 cce@rhel8: CCE-80693-5
 cce@rhel9: CCE-83833-4
 cce@sle12: CCE-83135-4
@@ -59,7 +58,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-APP-000091-CTR-000160,SRG-APP-000492-CTR-001220,SRG-APP-000493-CTR-001225,SRG-APP-000494-CTR-001230,SRG-APP-000500-CTR-001260,SRG-APP-000507-CTR-001295,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255
 stigid@ol7: OL07-00-030370
 stigid@ol8: OL08-00-030480
- stigid@rhel7: RHEL-07-030370
 stigid@rhel8: RHEL-08-030480
 stigid@sle12: SLES-12-020420
 stigid@sle15: SLES-15-030250
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
index 21f3bc523ca..588d106f90b 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
@@ -45,7 +45,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82565-3
- cce@rhel7: CCE-27410-0
 cce@rhel8: CCE-80694-3
 cce@rhel9: CCE-83814-4
 cce@sle12: CCE-83139-6
@@ -73,7 +72,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033,SRG-APP-000091-CTR-000160,SRG-APP-000492-CTR-001220,SRG-APP-000493-CTR-001225,SRG-APP-000494-CTR-001230,SRG-APP-000500-CTR-001260,SRG-APP-000507-CTR-001295,SRG-APP-000495-CTR-001235,SRG-APP-000496-CTR-001240,SRG-APP-000497-CTR-001245,SRG-APP-000498-CTR-001250,SRG-APP-000499-CTR-001255,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 stigid@ol7: OL07-00-030440
 stigid@ol8: OL08-00-030200
- stigid@rhel7: RHEL-07-030440
 stigid@rhel8: RHEL-08-030200
 stigid@sle12: SLES-12-020370
 stigid@sle15: SLES-15-030190
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
index 89abb0fe2ed..31779cebf68 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
@@ -40,7 +40,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82566-1
- cce@rhel7: CCE-27280-7
 cce@rhel8: CCE-80695-0
 cce@rhel9: CCE-83808-6
 cce@sle12: CCE-83256-8
@@ -68,7 +67,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000466-GPOS-00210,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000064-GPOS-00033,SRG-APP-000091-CTR-000160,SRG-APP-000492-CTR-001220,SRG-APP-000493-CTR-001225,SRG-APP-000494-CTR-001230,SRG-APP-000500-CTR-001260,SRG-APP-000507-CTR-001295,SRG-APP-000495-CTR-001235,SRG-APP-000496-CTR-001240,SRG-APP-000497-CTR-001245,SRG-APP-000498-CTR-001250,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 stigid@ol7: OL07-00-030440
 stigid@ol8: OL08-00-030200
- stigid@rhel7: RHEL-07-030440
 stigid@rhel8: RHEL-08-030200
 stigid@sle12: SLES-12-020370
 stigid@sle15: SLES-15-030190
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
index 1ea4fb02ec7..7910e5d0670 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
@@ -44,7 +44,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82567-9
- cce@rhel7: CCE-27367-2
 cce@rhel8: CCE-80696-8
 cce@rhel9: CCE-83807-8
 cce@sle12: CCE-83140-4
@@ -72,7 +71,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033,SRG-APP-000091-CTR-000160,SRG-APP-000492-CTR-001220,SRG-APP-000493-CTR-001225,SRG-APP-000494-CTR-001230,SRG-APP-000500-CTR-001260,SRG-APP-000507-CTR-001295,SRG-APP-000495-CTR-001235,SRG-APP-000496-CTR-001240,SRG-APP-000497-CTR-001245,SRG-APP-000498-CTR-001250,SRG-APP-000499-CTR-001255,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 stigid@ol7: OL07-00-030440
 stigid@ol8: OL08-00-030200
- stigid@rhel7: RHEL-07-030440
 stigid@rhel8: RHEL-08-030200
 stigid@sle12: SLES-12-020370
 stigid@sle15: SLES-15-030190
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
index 0b6a54c1cf3..bc7b190fd41 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
@@ -40,7 +40,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82568-7
- cce@rhel7: CCE-27213-8
 cce@rhel8: CCE-80697-6
 cce@rhel9: CCE-83811-0
 cce@sle12: CCE-83142-0
@@ -68,7 +67,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000466-GPOS-00210,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-APP-000091-CTR-000160,SRG-APP-000492-CTR-001220,SRG-APP-000493-CTR-001225,SRG-APP-000494-CTR-001230,SRG-APP-000500-CTR-001260,SRG-APP-000507-CTR-001295,SRG-APP-000495-CTR-001235
 stigid@ol7: OL07-00-030440
 stigid@ol8: OL08-00-030200
- stigid@rhel7: RHEL-07-030440
 stigid@rhel8: RHEL-08-030200
 stigid@sle12: SLES-12-020370
 stigid@sle15: SLES-15-030190
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml
index 16da550386c..227064f9a5e 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml
@@ -27,7 +27,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-90777-4
 cce@rhel8: CCE-90776-6
 cce@rhel9: CCE-88570-7
 cce@sle12: CCE-83219-6
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
index d303fe34779..901e46d900f 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
@@ -26,7 +26,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86256-5
 cce@rhel8: CCE-89446-9
 cce@rhel9: CCE-87685-4
 cce@sle12: CCE-83190-9
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
index aa8c37418f6..3815e20b002 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
@@ -25,7 +25,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-90756-8
 cce@rhel8: CCE-88437-9
 cce@rhel9: CCE-90482-1
 cce@sle12: CCE-83189-1
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
index b88b106a4cd..40ae63e4bf2 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
@@ -35,7 +35,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82569-5
- cce@rhel7: CCE-80393-2
 cce@rhel8: CCE-80698-4
 cce@rhel9: CCE-83748-4
 cce@sle12: CCE-83215-4
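Review bot: The product list that enables `perm_x` on line 1 of audit_rules_execution_chcon/rule.yml is a verbatim copy of the one in the semanage, setfiles and setsebool rule.yml files, and this commit has to edit all four to add rhel10, which is exactly how such lists drift apart when a product is added or retired. A single shared Jinja variable or macro in the project's common templates would let each rule reference one definition instead of carrying its own copy. Until that exists, a comment above the condition such as `{{# keep in sync with the same list in audit_rules_execution_semanage, _setfiles and _setsebool #}}` at least makes the coupling visible to the next editor. The same hunk repeats for the semanage, setfiles and setsebool rules below.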
@@ -59,7 +58,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-APP-000495-CTR-001235,SRG-APP-000496-CTR-001240,SRG-APP-000497-CTR-001245,SRG-APP-000498-CTR-001250,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 stigid@ol7: OL07-00-030580
 stigid@ol8: OL08-00-030260
- stigid@rhel7: RHEL-07-030580
 stigid@rhel8: RHEL-08-030260
 stigid@sle12: SLES-12-020630
 stigid@sle15: SLES-15-030450
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml
index 4431537ded6..1357061d8d8 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml
@@ -35,7 +35,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82570-3
- cce@rhel7: CCE-80394-0
 cce@rhel8: CCE-80699-2
 cce@rhel9: CCE-83749-2
 cce@sle15: CCE-85817-5
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
index 5f9cad67946..ab878bddd4c 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
@@ -35,7 +35,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82571-1
- cce@rhel7: CCE-80391-6
 cce@rhel8: CCE-80700-8
 cce@rhel9: CCE-83750-0
 cce@sle15: CCE-85819-1
@@ -56,7 +55,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-APP-000495-CTR-001235,SRG-APP-000496-CTR-001240,SRG-APP-000497-CTR-001245,SRG-APP-000498-CTR-001250
 stigid@ol7: OL07-00-030560
 stigid@ol8: OL08-00-030313
- stigid@rhel7: RHEL-07-030560
 stigid@rhel8: RHEL-08-030313
 {{{ ocil_fix_srg_privileged_command("semanage", "/usr/sbin/", "privileged-unix-update") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
index 24b33335244..10f6db4057e 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
@@ -35,7 +35,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82572-9
- cce@rhel7: CCE-80660-4
 cce@rhel8: CCE-82280-9
 cce@rhel9: CCE-83736-9
@@ -45,7 +44,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-APP-000495-CTR-001235,SRG-APP-000496-CTR-001240,SRG-APP-000497-CTR-001245,SRG-APP-000498-CTR-001250
 stigid@ol7: OL07-00-030590
 stigid@ol8: OL08-00-030314
- stigid@rhel7: RHEL-07-030590
 stigid@rhel8: RHEL-08-030314
 {{{ ocil_fix_srg_privileged_command("setfiles", "/usr/sbin/", "privileged-unix-update") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
index 3ecdebdb584..18f6735b70f 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
@@ -35,7 +35,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82573-7
- cce@rhel7: CCE-80392-4
 cce@rhel8: CCE-80701-6
 cce@rhel9: CCE-83751-8
 cce@sle15: CCE-85818-3
@@ -55,7 +54,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-APP-000495-CTR-001235,SRG-APP-000496-CTR-001240,SRG-APP-000497-CTR-001245,SRG-APP-000498-CTR-001250
 stigid@ol7: OL07-00-030570
 stigid@ol8: OL08-00-030316
- stigid@rhel7: RHEL-07-030570
 stigid@rhel8: RHEL-08-030316
 {{{ ocil_fix_srg_privileged_command("setsebool", "/usr/sbin/", "privileged") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml
index 1214ad408a1..41ba5525514 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml
@@ -36,7 +36,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82574-5
- cce@rhel7: CCE-82362-5
 cce@rhel8: CCE-80933-5
 cce@rhel9: CCE-83746-8
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
index 1f974387004..d4df0fbe07f 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
@@ -25,7 +25,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-27206-2
 cce@rhel8: CCE-80702-4
 cce@rhel9: CCE-83752-6
 cce@sle12: CCE-91663-5
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
index 2a241af6da8..2250b87352c 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
@@ -28,7 +28,6 @@ platforms:
 identifiers:
 cce@rhcos4: CCE-82575-2
- cce@rhel7: CCE-80995-4
 cce@rhel8: CCE-80703-2
 cce@rhel9: CCE-83754-2
 cce@sle12: CCE-91606-4
@@ -54,7 +53,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 stigid@ol7: OL07-00-030910
 stigid@ol8: OL08-00-030361
- stigid@rhel7: RHEL-07-030910
 stigid@rhel8: RHEL-08-030361
 stigid@ubuntu2004: UBTU-20-010267
 stigid@ubuntu2204: UBTU-22-654185
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
index ff84c8242c1..068a822536d 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
@@ -25,7 +25,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82576-0
- cce@rhel7: CCE-80413-8
 cce@rhel8: CCE-80704-0
 cce@rhel9: CCE-83756-7
 cce@sle12: CCE-91607-2
@@ -51,7 +50,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 stigid@ol7: OL07-00-030910
 stigid@ol8: OL08-00-030361
- stigid@rhel7: RHEL-07-030910
 stigid@rhel8: RHEL-08-030361
 stigid@ubuntu2004: UBTU-20-010267
 stigid@ubuntu2204: UBTU-22-654185
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
index 3842c23b7b6..2b7fb3dfc05 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
@@ -28,7 +28,6 @@ platforms:
 identifiers:
 cce@rhcos4: CCE-82577-8
- cce@rhel7: CCE-80412-0
 cce@rhel8: CCE-80705-7
 cce@rhel9: CCE-83758-3
 cce@sle12: CCE-91608-0
@@ -50,7 +49,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 stigid@ol7: OL07-00-030910
 stigid@ol8: OL08-00-030361
- stigid@rhel7: RHEL-07-030910
 stigid@rhel8: RHEL-08-030361
 stigid@ubuntu2004: UBTU-20-010267
 stigid@ubuntu2204: UBTU-22-654185
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
index c94560c087a..60d1bbafa76 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
@@ -28,7 +28,6 @@ platforms:
 identifiers:
 cce@rhcos4: CCE-82578-6
- cce@rhel7: CCE-80996-2
 cce@rhel8: CCE-80706-5
 cce@rhel9: CCE-83757-5
 cce@sle12: CCE-91609-8
@@ -54,7 +53,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 stigid@ol7: OL07-00-030910
 stigid@ol8: OL08-00-030361
- stigid@rhel7: RHEL-07-030910
 stigid@rhel8: RHEL-08-030361
 stigid@ubuntu2004: UBTU-20-010267
 stigid@ubuntu2204: UBTU-22-654185
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
index 99ff347bef6..55828eb40aa 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
@@ -25,7 +25,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82579-4
- cce@rhel7: CCE-80662-0
 cce@rhel8: CCE-80707-3
 cce@rhel9: CCE-83755-9
 cce@sle12: CCE-91610-6
@@ -51,7 +50,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 stigid@ol7: OL07-00-030910
 stigid@ol8: OL08-00-030361
- stigid@rhel7: RHEL-07-030910
 stigid@rhel8: RHEL-08-030361
 stigid@ubuntu2004: UBTU-20-010267
 stigid@ubuntu2204: UBTU-22-654185
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml
index 1df4c708772..9bba40d25d7 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml
@@ -33,7 +33,6 @@ platforms:
 - not aarch64_arch
 identifiers:
- cce@rhel7: CCE-82097-7
 cce@rhel8: CCE-82098-5
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="chmod") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml
index ddcc8a482f1..7209b720e58 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml
@@ -33,7 +33,6 @@ platforms:
 - not aarch64_arch
 identifiers:
- cce@rhel7: CCE-82130-6
 cce@rhel8: CCE-82131-4
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="chown") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_creat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_creat/rule.yml
index cff19634a6b..184523c9f45 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_creat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_creat/rule.yml
@@ -33,7 +33,6 @@ platforms:
 - not aarch64_arch
 identifiers:
- cce@rhel7: CCE-81149-7
 cce@rhel8: CCE-81150-5
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="creat") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml
index 4d6734b8333..dd9f56099fe 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml
@@ -30,7 +30,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82100-9
 cce@rhel8: CCE-82101-7
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="fchmod") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
index 77f8ce6203b..f311af78101 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
@@ -30,7 +30,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82103-3
 cce@rhel8: CCE-82104-1
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="fchmodat") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
index 6c44764abb3..f902a57ac7b 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
@@ -30,7 +30,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82127-2
 cce@rhel8: CCE-82128-0
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="fchown") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
index 840261b44f7..1b721db1a6a 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
@@ -30,7 +30,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82133-0
 cce@rhel8: CCE-82134-8
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="fchownat") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
index 64f64ced564..e51de4bb400 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
@@ -30,7 +30,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82121-5
 cce@rhel8: CCE-82122-3
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="fremovexattr") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
index 58160bbcfd5..6c665ef586d 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
@@ -30,7 +30,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82112-4
 cce@rhel8: CCE-82113-2
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="fsetxattr") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_ftruncate/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_ftruncate/rule.yml
index 4bd2b5e1890..f0afdc51abc 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_ftruncate/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_ftruncate/rule.yml
@@ -30,7 +30,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82004-3
 cce@rhel8: CCE-82006-8
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="ftruncate") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
index 0e9a22616cb..74ed61a60b2 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
@@ -33,7 +33,6 @@ platforms:
 - not aarch64_arch
 identifiers:
- cce@rhel7: CCE-82124-9
 cce@rhel8: CCE-82125-6
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="lchown") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
index 0029c41e2d6..40b47f9b4a6 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
@@ -30,7 +30,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82118-1
 cce@rhel8: CCE-82119-9
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="lremovexattr") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
index e9c57cdb9a1..716f54af024 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
@@ -30,7 +30,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82109-0
 cce@rhel8: CCE-82110-8
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="lsetxattr") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open/rule.yml
index 57109dd4851..ccb3376dfc4 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open/rule.yml
@@ -33,7 +33,6 @@ platforms:
 - not aarch64_arch
 identifiers:
- cce@rhel7: CCE-81146-3
 cce@rhel8: CCE-81147-1
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="open") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_by_handle_at/rule.yml
index 1152702f43b..fce3e44a4e7 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_by_handle_at/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_by_handle_at/rule.yml
@@ -30,7 +30,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82012-6
 cce@rhel8: CCE-82013-4
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="open_by_handle_at") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_by_handle_at_o_creat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_by_handle_at_o_creat/rule.yml
index ccb3d489ea1..cc7cc7e5a53 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_by_handle_at_o_creat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_by_handle_at_o_creat/rule.yml
@@ -36,7 +36,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-81131-5
 cce@rhel8: CCE-81132-3
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="open_by_handle_at") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_by_handle_at_o_trunc_write/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_by_handle_at_o_trunc_write/rule.yml
index 60bb11aa66d..9e208c5cf7b 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_by_handle_at_o_trunc_write/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_by_handle_at_o_trunc_write/rule.yml
@@ -37,7 +37,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-81140-6
 cce@rhel8: CCE-81141-4
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="open_by_handle_at") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_o_creat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_o_creat/rule.yml
index d226f09e283..ea1a55cc5e7 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_o_creat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_o_creat/rule.yml
@@ -36,7 +36,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-81134-9
 cce@rhel8: CCE-81135-6
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="open") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_o_trunc_write/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_o_trunc_write/rule.yml
index 98deb059472..1b8d4c897de 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_o_trunc_write/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_o_trunc_write/rule.yml
@@ -37,7 +37,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-81143-0
 cce@rhel8: CCE-81144-8
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="open") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_openat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_openat/rule.yml
index eb66a0dfaee..cc09f808924 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_openat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_openat/rule.yml
@@ -30,7 +30,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82009-2
 cce@rhel8: CCE-82010-0
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="openat") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_openat_o_creat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_openat_o_creat/rule.yml
index cd95b407edc..caccaa3494c 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_openat_o_creat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_openat_o_creat/rule.yml
@@ -36,7 +36,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-81127-3
 cce@rhel8: CCE-81128-1
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="openat") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_openat_o_trunc_write/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_openat_o_trunc_write/rule.yml
index 1bd9cab65bc..c7bed664051 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_openat_o_trunc_write/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_openat_o_trunc_write/rule.yml
@@ -37,7 +37,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-81137-2
 cce@rhel8: CCE-81138-0
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="openat") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
index 16005238a85..d203e6340e5 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
@@ -30,7 +30,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82115-7
 cce@rhel8: CCE-82116-5
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="removexattr") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
index 12b70d7b16c..13ccfdfd1af 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
@@ -33,7 +33,6 @@ platforms:
 - not aarch64_arch
 identifiers:
- cce@rhel7: CCE-82091-0
 cce@rhel8: CCE-82092-8
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="rename") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml
index 895af27bcdf..f2f0fedadfe 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml
@@ -30,7 +30,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82094-4
 cce@rhel8: CCE-82095-1
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="renameat") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml
index 4c07321cd02..93dc3b45039 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml
@@ -30,7 +30,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82106-6
 cce@rhel8: CCE-82107-4
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="setxattr") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_truncate/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_truncate/rule.yml
index f15e234a946..a5a80d5e0df 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_truncate/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_truncate/rule.yml
@@ -30,7 +30,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82001-9
 cce@rhel8: CCE-82002-7
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="truncate") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml
index 9e99a3af32f..0177f9824df 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml
@@ -33,7 +33,6 @@ platforms:
 - not aarch64_arch
 identifiers:
- cce@rhel7: CCE-82085-2
 cce@rhel8: CCE-82086-0
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="unlink") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlinkat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlinkat/rule.yml
index a0862e8829a..855cedd033e 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlinkat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlinkat/rule.yml
@@ -30,7 +30,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82088-6
 cce@rhel8: CCE-82089-4
 {{{ complete_ocil_entry_audit_successful_syscall(syscall="unlinkat") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
index d7618a9bb31..f635dac95ca 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
@@ -35,7 +35,6 @@ platforms:
 - not aarch64_arch
 identifiers:
- cce@rhel7: CCE-27347-4
 cce@rhel8: CCE-80750-3
 cce@rhel9: CCE-83793-0
 cce@sle12: CCE-91652-8
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml
index 66712b8b03d..c06a38afc94 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml
@@ -31,7 +31,6 @@ platforms:
 identifiers:
 cce@rhcos4: CCE-82619-8
- cce@rhel7: CCE-81086-1
 cce@rhel8: CCE-80975-6
 references:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml
index 1cbacd09ed5..855af4da679 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml
@@ -31,7 +31,6 @@ platforms:
 identifiers:
 cce@rhcos4: CCE-82620-6
- cce@rhel7: CCE-81082-0
 cce@rhel8: CCE-80984-8
 references:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
index 41044b0508b..0853edd61eb 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
@@ -36,7 +36,6 @@ platforms:
 identifiers:
 cce@rhcos4: CCE-82621-4
- cce@rhel7: CCE-80385-8
 cce@rhel8: CCE-80751-1
 cce@rhel9: CCE-83786-4
 cce@sle12: CCE-83092-7
@@ -63,7 +62,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-APP-000495-CTR-001235
 stigid@ol7: OL07-00-030510
 stigid@ol8: OL08-00-030420
- stigid@rhel7: RHEL-07-030510
 stigid@rhel8: RHEL-08-030420
 stigid@sle12: SLES-12-020490
 stigid@sle15: SLES-15-030150
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml
index e6d2ed95f58..5477d71009e 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml
@@ -28,7 +28,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82622-2
- cce@rhel7: CCE-81088-7
 cce@rhel8: CCE-80977-2
 references:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml
index 338465e0a13..c45a5891071 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml
@@ -28,7 +28,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82624-8
- cce@rhel7: CCE-81090-3
 cce@rhel8: CCE-80976-4
 references:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml
index 1f4f4290d27..d6a319aef53 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml
@@ -28,7 +28,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82625-5
- cce@rhel7: CCE-81080-4
 cce@rhel8: CCE-80986-3
 references:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml
index 2d298707d3f..c01455e2d65 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml
@@ -28,7 +28,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82626-3
- cce@rhel7: CCE-81084-6
 cce@rhel8: CCE-80985-5
 references:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr/rule.yml
index b27adf191f7..1c8eff199e7 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr/rule.yml
@@ -28,7 +28,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82627-1
- cce@rhel7: CCE-81102-6
 cce@rhel8: CCE-80978-0
 references:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml
index dbebd238cb4..1ab5133c329 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml
@@ -28,7 +28,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82628-9
- cce@rhel7: CCE-81096-0
 cce@rhel8: CCE-80979-8
 references:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
index 9980d1d0924..181b675dae8 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
@@ -36,7 +36,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82629-7
- cce@rhel7: CCE-80390-8
 cce@rhel8: CCE-80752-9
 cce@rhel9: CCE-83800-3
 cce@sle12: CCE-83091-9
@@ -63,7 +62,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-APP-000495-CTR-001235
 stigid@ol7: OL07-00-030510
 stigid@ol8: OL08-00-030420
- stigid@rhel7: RHEL-07-030510
 stigid@rhel8: RHEL-08-030420
 stigid@sle12: SLES-12-020490
 stigid@sle15: SLES-15-030150
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml
index 84a35abf176..86bf2b0c74e 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml
@@ -35,7 +35,6 @@ platforms:
 identifiers:
 cce@rhcos4: CCE-82630-5
- cce@rhel7: CCE-81078-8
 cce@rhel8: CCE-80987-1
 references:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr/rule.yml
index 60993676297..2399de317ec 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr/rule.yml
@@ -28,7 +28,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82631-3
- cce@rhel7: CCE-81100-0
 cce@rhel8: CCE-80980-6
 references:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml
index 1084bc80bea..56c0c5f719f 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml
@@ -28,7 +28,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82632-1
- cce@rhel7: CCE-81094-5
 cce@rhel8: CCE-80981-4
 references:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
index 276fb267dfd..b43aa46b3e4 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
@@ -39,7 +39,6 @@ platforms:
 identifiers:
 cce@rhcos4: CCE-82633-9
- cce@rhel7: CCE-80386-6
 cce@rhel8: CCE-80753-7
 cce@rhel9: CCE-83801-1
 cce@sle12: CCE-83131-3
@@ -66,7 +65,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-APP-000495-CTR-001235
 stigid@ol7: OL07-00-030510
 stigid@ol8: OL08-00-030420
- stigid@rhel7: RHEL-07-030510
 stigid@rhel8: RHEL-08-030420
 stigid@sle12: SLES-12-020490
 stigid@sle15: SLES-15-030150
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
index dc0b048dbf3..1771f1a0918 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
@@ -33,7 +33,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82640-4
- cce@rhel7: CCE-80388-2
 cce@rhel8: CCE-80755-2
 cce@rhel9: CCE-83796-3
 cce@sle12: CCE-83094-3
@@ -56,7 +55,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-APP-000495-CTR-001235
 stigid@ol7: OL07-00-030510
 stigid@ol8: OL08-00-030420
- stigid@rhel7: RHEL-07-030510
 stigid@rhel8: RHEL-08-030420
 stigid@sle12: SLES-12-020490
 stigid@sle15: SLES-15-030150
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/rule.yml
index 1a2d3205347..45a77c8459d 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/rule.yml
@@ -39,7 +39,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82641-2 - cce@rhel7: CCE-81117-4 cce@rhel8: CCE-80965-7 cce@rhel9: CCE-86899-2 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/rule.yml index 99a732ea325..2eb53db961d 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/rule.yml @@ -38,7 +38,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82642-0 - cce@rhel7: CCE-81125-7 cce@rhel8: CCE-80966-5 cce@rhel9: CCE-90286-6 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/rule.yml index 34e244aa6a7..3a934bd85a2 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/rule.yml @@ -42,7 +42,6 @@ platforms: identifiers: cce@rhcos4: CCE-82644-6 - cce@rhel7: CCE-81119-0 cce@rhel8: CCE-80968-1 cce@rhel9: CCE-86173-2 
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml index 70526b5ec7b..5ffc3f95f22 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml @@ -37,7 +37,6 @@ platforms: identifiers: cce@rhcos4: CCE-82645-3 - cce@rhel7: CCE-81121-6 cce@rhel8: CCE-80969-9 cce@rhel9: CCE-90569-5 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml index a7979932d10..8bf33fc431b 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml @@ -36,7 +36,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82634-7 - cce@rhel7: CCE-80387-4 cce@rhel8: CCE-80754-5 cce@rhel9: CCE-83794-8 cce@sle12: CCE-83093-5 @@ -63,7 +62,6 @@ references: srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-APP-000495-CTR-001235 stigid@ol7: OL07-00-030510 stigid@ol8: OL08-00-030420 - stigid@rhel7: RHEL-07-030510 stigid@rhel8: RHEL-08-030420 stigid@sle12: SLES-12-020490 stigid@sle15: SLES-15-030150 
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/rule.yml index 7294224a7e4..4f1a54c740b 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/rule.yml @@ -39,7 +39,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82635-4 - cce@rhel7: CCE-81115-8 cce@rhel8: CCE-80962-4 cce@rhel9: CCE-86238-3 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rule.yml index 5ff310a2526..bba2660f986 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rule.yml @@ -38,7 +38,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82636-2 - cce@rhel7: CCE-81123-2 cce@rhel8: CCE-80963-2 cce@rhel9: CCE-89488-1 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_removexattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_removexattr/rule.yml index e69e26596d1..4f43f2ceec5 100644 
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_removexattr/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_removexattr/rule.yml @@ -28,7 +28,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82647-9 - cce@rhel7: CCE-81098-6 cce@rhel8: CCE-80982-2 references: diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml index 4e9159267bd..d4ca4aece0b 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml @@ -30,7 +30,6 @@ platforms: identifiers: cce@rhcos4: CCE-82648-7 - cce@rhel7: CCE-81108-3 cce@rhel8: CCE-80973-1 cce@rhel9: CCE-88011-2 cce@sle12: CCE-83251-9 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml index 32eb5378a05..fe70b7f5e3e 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml @@ -38,7 +38,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82649-5 - cce@rhel7: CCE-82082-9 cce@rhel8: CCE-80974-9 cce@rhel9: CCE-87670-6 cce@sle12: CCE-83252-7 
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml index d41c4dfab6b..4050f7fd47e 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml @@ -28,7 +28,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82650-3 - cce@rhel7: CCE-81092-9 cce@rhel8: CCE-80983-0 references: diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml index 8b3e93922be..73b9613126d 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml @@ -36,7 +36,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82651-1 - cce@rhel7: CCE-80389-0 cce@rhel8: CCE-80756-0 cce@rhel9: CCE-83792-2 cce@sle12: CCE-83085-1 @@ -62,7 +61,6 @@ references: srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-APP-000495-CTR-001235 stigid@ol7: OL07-00-030510 stigid@ol8: OL08-00-030420 - stigid@rhel7: RHEL-07-030510 stigid@rhel8: RHEL-08-030420 stigid@sle12: SLES-12-020490 stigid@sle15: SLES-15-030150 
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml index a26d8ac12ff..796697a3897 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml @@ -44,7 +44,6 @@ platforms: identifiers: cce@rhcos4: CCE-82652-9 - cce@rhel7: CCE-81106-7 cce@rhel8: CCE-80971-5 cce@rhel9: CCE-85917-3 cce@sle12: CCE-83254-3 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml index 4c574a3bd5f..dbb49b0c739 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml @@ -41,7 +41,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82653-7 - cce@rhel7: CCE-81104-2 cce@rhel8: CCE-80972-3 cce@rhel9: CCE-90754-3 cce@sle12: CCE-83253-5 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml index 51889feec23..7e57f9be301 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml 
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml @@ -25,7 +25,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27129-6 cce@rhel8: CCE-80709-9 cce@rhel9: CCE-83804-5 cce@sle12: CCE-91653-6 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/rule.yml index 14a6c5df608..926a1308820 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/rule.yml @@ -26,7 +26,6 @@ platforms: - not aarch64_arch identifiers: - cce@rhel7: CCE-86115-3 cce@rhel8: CCE-88435-3 cce@rhel9: CCE-88436-1 @@ -34,7 +33,6 @@ references: disa: CCI-000172 srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222 stigid@ol7: OL07-00-030819 - stigid@rhel7: RHEL-07-030819 {{{ complete_ocil_entry_audit_syscall(syscall="create_module") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml index b0455540c55..a4c7ee94d37 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml @@ -28,7 +28,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82580-2 - cce@rhel7: CCE-80415-3 cce@rhel8: CCE-80711-5 cce@rhel9: CCE-83802-9 cce@sle12: CCE-83128-9 
@@ -55,7 +54,6 @@ references: srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-APP-000495-CTR-001235,SRG-APP-000504-CTR-001280 stigid@ol7: OL07-00-030830 stigid@ol8: OL08-00-030390 - stigid@rhel7: RHEL-07-030830 stigid@rhel8: RHEL-08-030390 stigid@sle12: SLES-12-020730 stigid@sle15: SLES-15-030520 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml index f157e6a87b1..704221e47c8 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml @@ -31,7 +31,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82581-0 - cce@rhel7: CCE-80547-3 cce@rhel8: CCE-80712-3 cce@rhel9: CCE-83803-7 cce@sle12: CCE-83129-7 @@ -54,7 +53,6 @@ references: srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-APP-000495-CTR-001235,SRG-APP-000504-CTR-001280 stigid@ol7: OL07-00-030820 stigid@ol8: OL08-00-030360 - stigid@rhel7: RHEL-07-030820 stigid@rhel8: RHEL-08-030360 stigid@sle12: SLES-12-020740 stigid@sle15: SLES-15-030530 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml index bfa6221798f..203be8674da 100644 
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml @@ -28,7 +28,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82582-8 - cce@rhel7: CCE-80414-6 cce@rhel8: CCE-80713-1 cce@rhel9: CCE-90835-0 cce@sle12: CCE-83130-5 @@ -55,7 +54,6 @@ references: srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-APP-000495-CTR-001235,SRG-APP-000504-CTR-001280 stigid@ol7: OL07-00-030820 stigid@ol8: OL08-00-030360 - stigid@rhel7: RHEL-07-030820 stigid@rhel8: RHEL-08-030360 stigid@sle12: SLES-12-020740 stigid@sle15: SLES-15-030530 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/rule.yml index db997f9b5b6..3d6d25e1455 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/rule.yml @@ -26,7 +26,6 @@ platforms: - not aarch64_arch identifiers: - cce@rhel7: CCE-88102-9 cce@rhel8: CCE-88748-9 cce@rhel9: CCE-88749-7 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml index a4aa54c2424..b8237be129d 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml 
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml @@ -28,7 +28,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27204-7 cce@rhel8: CCE-80717-2 cce@rhel9: CCE-83784-9 cce@sle15: CCE-91248-5 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml index c59e43c1e47..c5c63287b04 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml @@ -25,7 +25,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82583-6 - cce@rhel7: CCE-80383-3 cce@rhel8: CCE-80718-0 cce@rhel9: CCE-83783-1 cce@sle12: CCE-92255-9 @@ -50,7 +49,6 @@ references: srg: SRG-OS-000392-GPOS-00172,SRG-OS-000470-GPOS-00214,SRG-OS-000473-GPOS-00218,SRG-APP-000503-CTR-001275,SRG-APP-000506-CTR-001290 stigid@ol7: OL07-00-030610 stigid@ol8: OL08-00-030590 - stigid@rhel7: RHEL-07-030610 stigid@rhel8: RHEL-08-030590 ocil_clause: 'the command does not return a line, or the line is commented out' diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml index dcf4b562411..7271be3b42e 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml @@ -25,7 +25,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82584-4 - cce@rhel7: CCE-80384-1 cce@rhel8: CCE-80719-8 cce@rhel9: CCE-83785-6 cce@sle12: CCE-83108-1 
@@ -51,7 +50,6 @@ references: srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000473-GPOS-00218,SRG-OS-000470-GPOS-00214,SRG-APP-000495-CTR-001235,SRG-APP-000503-CTR-001275,SRG-APP-000506-CTR-001290 stigid@ol7: OL07-00-030620 stigid@ol8: OL08-00-030600 - stigid@rhel7: RHEL-07-030620 stigid@rhel8: RHEL-08-030600 stigid@sle12: SLES-12-020660 stigid@sle15: SLES-15-030480 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml index 27b07ecd5cf..98d48938c1a 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml @@ -25,7 +25,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82585-1 - cce@rhel7: CCE-80994-7 cce@rhel8: CCE-80720-6 cce@rhel9: CCE-83782-3 cce@sle12: CCE-83107-3 @@ -48,7 +47,6 @@ references: ospp: FAU_GEN.1.1.c pcidss: Req-10.2.3 srg: SRG-OS-000392-GPOS-00172,SRG-OS-000470-GPOS-00214,SRG-OS-000473-GPOS-00218,SRG-APP-000503-CTR-001275 - stigid@rhel7: RHEL-07-030600 stigid@sle12: SLES-12-020650 stigid@sle15: SLES-15-030470 stigid@ubuntu2004: UBTU-20-010169 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml index ae9ccd04ddd..a285201d598 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml 
@@ -41,7 +41,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82589-3 - cce@rhel7: CCE-27437-3 cce@rhel8: CCE-80724-8 cce@rhel9: CCE-83759-1 cce@sle12: CCE-91611-4 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at/rule.yml index d5ec1927159..6a9e9920d49 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at/rule.yml @@ -35,7 +35,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82590-1 - cce@rhel7: CCE-81060-6 cce@rhel8: CCE-80988-9 references: diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml index d891fc1fcfe..4dd2eefeedb 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} @@ -35,7 +35,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82591-9 - cce@rhel7: CCE-80398-1 cce@rhel8: CCE-80725-5 cce@rhel9: CCE-83765-8 cce@sle12: CCE-83110-7 
@@ -58,7 +57,6 @@ references: srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-APP-000029-CTR-000085,SRG-APP-000495-CTR-001235,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270 stigid@ol7: OL07-00-030660 stigid@ol8: OL08-00-030250 - stigid@rhel7: RHEL-07-030660 stigid@rhel8: RHEL-08-030250 stigid@sle12: SLES-12-020690 stigid@sle15: SLES-15-030120 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml index ea03eab50f7..fe29d963b6e 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} @@ -35,7 +35,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82592-7 - cce@rhel7: CCE-80404-7 cce@rhel8: CCE-80726-3 cce@rhel9: CCE-83763-3 cce@sle12: CCE-83163-6 @@ -58,7 +57,6 @@ references: srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000495-CTR-001235 stigid@ol7: OL07-00-030720 stigid@ol8: OL08-00-030410 - stigid@rhel7: RHEL-07-030720 stigid@rhel8: RHEL-08-030410 stigid@sle12: SLES-12-020580 stigid@sle15: SLES-15-030100 
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml index bb54d9f50c9..a36eac73a61 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} @@ -35,7 +35,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82593-5 - cce@rhel7: CCE-80410-4 cce@rhel8: CCE-80727-1 cce@rhel9: CCE-83761-7 cce@sle12: CCE-83126-3 @@ -57,7 +56,6 @@ references: srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000495-CTR-001235 stigid@ol7: OL07-00-030800 stigid@ol8: OL08-00-030400 - stigid@rhel7: RHEL-07-030800 stigid@rhel8: RHEL-08-030400 stigid@sle12: SLES-12-020710 stigid@sle15: SLES-15-030130 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/rule.yml index b54fefd3474..f911a1d55a7 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/rule.yml 
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/rule.yml index de8adac1e16..561a4974dc3 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} @@ -34,7 +34,7 @@ rationale: |- severity: medium identifiers: - cce@rhcos4: CCE-86210-2 + cce@rhcos4: CCE-86210-2 references: srg: SRG-APP-000029-CTR-000085 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/rule.yml index 3b94d7faa5f..b500a24a9c3 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/rule.yml 
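Review bot: The rewritten `{{%- if product in [...]%}}` line drops the space before `%}}` in this dbus_daemon_launch_helper hunk, and the same happens in the fusermount, fusermount3, gpasswd, grub2_set_bootflag and mount hunks, while the chage, chsh and crontab hunks keep `] %}}`. Jinja accepts both, but every neighbouring tag in these files (`{{%- set perm_x="-F perm=x " %}}`, `{{%- endif %}}`) uses the spaced form, so the unspaced variant reads as an accident and makes the next bulk edit of this product list harder to do with a single pattern; use `"ubuntu2004", "ubuntu2204"] %}}` in each. Separately, rhel10 is added to the perm_x list here but no `cce@rhel10` identifier is introduced anywhere in this diff; if CCE allocation for rhel10 is tracked elsewhere that is fine, otherwise these rules will carry no CCE for that product, as the fusermount rule already carries none for rhel8 and rhel9.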
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml index 8180bd48a12..eed88acf1db 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} @@ -35,7 +35,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82594-3 - cce@rhel7: CCE-80397-3 cce@rhel8: CCE-80728-9 cce@rhel9: CCE-83773-2 cce@sle12: CCE-83161-0 @@ -59,7 +58,6 @@ references: srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000029-CTR-000085,SRG-APP-000495-CTR-001235 stigid@ol7: OL07-00-030650 stigid@ol8: OL08-00-030370 - stigid@rhel7: RHEL-07-030650 stigid@rhel8: RHEL-08-030370 stigid@sle12: SLES-12-020560 stigid@sle15: SLES-15-030080 
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/rule.yml index cf58bda2391..88a7665285e 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml index b2314df14c3..f1da2c3427b 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml @@ -26,7 +26,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-85851-4 cce@rhel8: CCE-85919-9 cce@sle12: CCE-92258-3 cce@sle15: CCE-85744-1 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml index 0d5422c373d..463b717e5fd 100644 
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["ol7", "rhel7", "rhel8", "rhel9"] %}}
+{{%- if product in ["ol7"] or 'rhel' in product %}}
 {{%- set kmod_audit="-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=privileged" %}}
 {{%- else %}}
 {{%- set kmod_audit="-w /usr/bin/kmod -p x -k modules" %}}
@@ -33,7 +33,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86110-4
 cce@rhel8: CCE-89455-0
 cce@rhel9: CCE-90262-7
 cce@sle12: CCE-83207-1
@@ -45,7 +44,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-APP-000495-CTR-001235,SRG-APP-000504-CTR-001280
 stigid@ol7: OL07-00-030840
 stigid@ol8: OL08-00-030580
- stigid@rhel7: RHEL-07-030840
 stigid@rhel8: RHEL-08-030580
 stigid@sle12: SLES-12-020360
 stigid@sle15: SLES-15-030410
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
index e8bac1dce04..62e7e7d8317 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
@@ -30,7 +30,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-85853-0
 cce@rhel8: CCE-85973-6
 cce@sle12: CCE-92257-5
 cce@sle15: CCE-85731-8
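Review bot: The rewritten condition `{{%- if product in ["ol7"] or 'rhel' in product %}}` in the kmod hunk is a substring test, so it selects any product whose name merely contains `rhel`, whereas every sibling rule touched by this commit (fusermount3, gpasswd, mount and the rest) keeps an explicit product list that names rhel8, rhel9 and rhel10. It also pairs a one-element list with `in` and mixes double and single quotes on a single line. Unless selecting every future RHEL release by name is the intent, the explicit form `{{%- if product in ["ol7", "rhel8", "rhel9", "rhel10"] %}}` keeps this rule consistent with its neighbours; if the broader match is deliberate, a short comment on the line saying so would spare the next reader the question.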
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
index e773b8a2ea6..1471a523691 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
@@ -35,7 +35,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82595-0
- cce@rhel7: CCE-81064-8
 cce@rhel8: CCE-80989-7
 cce@rhel9: CCE-89564-9
 cce@sle12: CCE-83145-3
@@ -49,7 +48,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000029-CTR-000085
 stigid@ol7: OL07-00-030740
 stigid@ol8: OL08-00-030300
- stigid@rhel7: RHEL-07-030740
 stigid@rhel8: RHEL-08-030300
 stigid@sle12: SLES-12-020290
 stigid@ubuntu2004: UBTU-20-010138
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/rule.yml
index 54e0d6227bd..aaf7d582d8b 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap/rule.yml
index a2014eb7006..8ac653d9e12 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap/rule.yml
@@ -35,7 +35,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82596-8
- cce@rhel7: CCE-82200-7
 cce@rhel8: CCE-80991-3
 references:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
index 7da59f72330..736a5abf2d5 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
@@ -35,7 +35,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82597-6
- cce@rhel7: CCE-80403-9
 cce@rhel8: CCE-80729-7
 cce@rhel9: CCE-83766-6
 cce@sle12: CCE-83162-8
@@ -59,7 +58,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000029-CTR-000085,SRG-APP-000495-CTR-001235
 stigid@ol7: OL07-00-030710
 stigid@ol8: OL08-00-030350
- stigid@rhel7: RHEL-07-030710
 stigid@rhel8: RHEL-08-030350
 stigid@sle12: SLES-12-020570
 stigid@sle15: SLES-15-030090
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap/rule.yml
index 32f9f451e9f..bc4e5dd5e61 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap/rule.yml
@@ -35,7 +35,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82598-4
- cce@rhel7: CCE-81070-5
 cce@rhel8: CCE-80992-1
 references:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
index b7e78777261..65988cf6832 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
@@ -43,7 +43,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82599-2
- cce@rhel7: CCE-80411-2
 cce@rhel8: CCE-80730-5
 cce@rhel9: CCE-83767-4
 cce@sle12: CCE-83127-1
@@ -63,7 +62,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000029-CTR-000085,SRG-APP-000495-CTR-001235
 stigid@ol7: OL07-00-030810
 stigid@ol8: OL08-00-030340
- stigid@rhel7: RHEL-07-030810
 stigid@rhel8: RHEL-08-030340
 stigid@sle12: SLES-12-020720
 stigid@sle15: SLES-15-030510
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
index 1bbfd35d8e7..d0b50333b36 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
@@ -35,7 +35,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82600-8
- cce@rhel7: CCE-80395-7
 cce@rhel8: CCE-80731-3
 cce@rhel9: CCE-83781-5
 cce@sle12: CCE-83160-2
@@ -57,7 +56,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000029-CTR-000085,SRG-APP-000495-CTR-001235
 stigid@ol7: OL07-00-030630
 stigid@ol8: OL08-00-030290
- stigid@rhel7: RHEL-07-030630
 stigid@rhel8: RHEL-08-030290
 stigid@sle12: SLES-12-020550
 stigid@sle15: SLES-15-030070
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/rule.yml
index 53dc919578c..05eb36331fc 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/rule.yml
index bc443d98c4b..69d2893869c 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
index c3cfc617b08..0494e1990d7 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
@@ -35,7 +35,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82601-6
- cce@rhel7: CCE-80406-2
 cce@rhel8: CCE-80732-1
 cce@rhel9: CCE-83769-0
 cce@sle15: CCE-85820-9
@@ -56,7 +55,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000495-CTR-001235
 stigid@ol7: OL07-00-030760
 stigid@ol8: OL08-00-030311
- stigid@rhel7: RHEL-07-030760
 stigid@rhel8: RHEL-08-030311
 {{{ ocil_fix_srg_privileged_command("postdrop") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
index 33490fcf5a7..1107724bbc6 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
@@ -35,7 +35,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82602-4
- cce@rhel7: CCE-80407-0
 cce@rhel8: CCE-80733-9
 cce@rhel9: CCE-83770-8
 cce@sle15: CCE-85821-7
@@ -56,7 +55,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000495-CTR-001235
 stigid@ol7: OL07-00-030770
 stigid@ol8: OL08-00-030312
- stigid@rhel7: RHEL-07-030770
 stigid@rhel8: RHEL-08-030312
 {{{ ocil_fix_srg_privileged_command("postqueue") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml
index a33830c58e7..b2dc3e17a55 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml
@@ -35,7 +35,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82603-2
- cce@rhel7: CCE-80409-6
 cce@rhel8: CCE-80734-7
 cce@rhel9: CCE-88512-9
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
index 19332542014..a157570e37c 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
@@ -26,7 +26,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-85852-2
 cce@rhel8: CCE-86017-1
 cce@sle12: CCE-92256-7
 cce@sle15: CCE-85732-6
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
index 9352b1582ed..3b43f723571 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
@@ -43,7 +43,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82604-0
- cce@rhel7: CCE-80408-8
 cce@rhel8: CCE-80735-4
 cce@rhel9: CCE-83776-5
 cce@sle12: CCE-83159-4
@@ -66,7 +65,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000029-CTR-000085,SRG-APP-000495-CTR-001235
 stigid@ol7: OL07-00-030780
 stigid@ol8: OL08-00-030320
- stigid@rhel7: RHEL-07-030780
 stigid@rhel8: RHEL-08-030320
 stigid@sle12: SLES-12-020320
 stigid@sle15: SLES-15-030060
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/rule.yml
index 83273d6331d..f605a88d05f 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/rule.yml
index 0e7b0caf1b3..1abe261732e 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/rule.yml
index 88d9a1d49c5..39e36b02fa4 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/rule.yml
index 880059066a5..1450e43e843 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
index de9472122c3..e1ce3166369 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
@@ -35,7 +35,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82605-7
- cce@rhel7: CCE-80400-5
 cce@rhel8: CCE-80736-2
 cce@rhel9: CCE-83771-6
 cce@sle12: CCE-83143-8
@@ -58,7 +57,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-0003,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-APP-000029-CTR-000085,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255
 stigid@ol7: OL07-00-030680
 stigid@ol8: OL08-00-030190
- stigid@rhel7: RHEL-07-030680
 stigid@rhel8: RHEL-08-030190
 stigid@sle12: SLES-12-020250
 stigid@sle15: SLES-15-030550
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
index 386996adf55..dd294fa80df 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
@@ -35,7 +35,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82606-5
- cce@rhel7: CCE-80401-3
 cce@rhel8: CCE-80737-0
 cce@rhel9: CCE-83780-7
 cce@sle12: CCE-83144-6
@@ -58,7 +57,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-APP-000029-CTR-000085,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255
 stigid@ol7: OL07-00-030690
 stigid@ol8: OL08-00-030550
- stigid@rhel7: RHEL-07-030690
 stigid@rhel8: RHEL-08-030550
 stigid@sle12: SLES-12-020260
 stigid@sle15: SLES-15-030560
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_auditctl_4294967295_configured.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_auditctl_4294967295_configured.pass.sh
index af39a88306d..88e44a9bcbc 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_auditctl_4294967295_configured.pass.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_auditctl_4294967295_configured.pass.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # packages = audit
 # remediation = bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Oracle Linux 7
 echo "-a always,exit -F path=/usr/bin/sudo -F auid>={{{ uid_min }}} -F auid!=4294967295 -k privileged" >> /etc/audit/audit.rules
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_auditctl_unset_configured.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_auditctl_unset_configured.pass.sh
index bbf6d2f58a3..c72bd586ba4 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_auditctl_unset_configured.pass.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_auditctl_unset_configured.pass.sh
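Review bot: After this hunk the scenario `rhel7_auditctl_4294967295_configured.pass.sh` declares only `# platform = Oracle Linux 7`, yet its file name still advertises rhel7, a product that no longer appears anywhere in the script. The same mismatch recurs in the other `tests/rhel7_*.sh` hunks that follow, and is sharpest in `rhel7_augenrules_duplicated.fail.sh`, whose platform line becomes `Fedora` alone. Renaming these scenarios after what they still exercise rather than after a removed product (for example `ol7_auditctl_4294967295_configured.pass.sh`, a constructed name) would stop the test directory from suggesting RHEL 7 coverage that the platform lines no longer provide.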
@@ -1,7 +1,7 @@
 #!/bin/bash
 # packages = audit
 # remediation = bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Oracle Linux 7
 echo "-a always,exit -F path=/usr/bin/sudo -F auid>={{{ uid_min }}} -F auid!=unset -k privileged" >> /etc/audit/audit.rules
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_4294967295_configured.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_4294967295_configured.pass.sh
index a96beed5e6d..d3ca474844f 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_4294967295_configured.pass.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_4294967295_configured.pass.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = audit
 # remediation = bash
-# platform = Fedora,Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Fedora,Oracle Linux 7
 echo "-a always,exit -F path=/usr/bin/sudo -F auid>={{{ uid_min }}} -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_duplicated.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_duplicated.fail.sh
index 7c7d5b43c80..a821acdc941 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_duplicated.fail.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_duplicated.fail.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # packages = audit
 # remediation = bash
-# platform = Red Hat Enterprise Linux 7,Fedora
+# platform = Fedora
 echo "-a always,exit -F path=/usr/bin/sudo -F auid>={{{ uid_min }}} -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/privileged.rules
 echo "-a always,exit -F path=/usr/bin/sudo -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_remove_all_rules.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_remove_all_rules.fail.sh
index da3844faf19..a2dc849021b 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_remove_all_rules.fail.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_remove_all_rules.fail.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # packages = audit
 # remediation = bash
-# platform = Fedora,Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Fedora,Oracle Linux 7
 rm -f /etc/audit/rules.d/*
 > /etc/audit/audit.rules
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_substring_rule.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_substring_rule.fail.sh
index 2e47f4ae651..180fb147ce6 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_substring_rule.fail.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_substring_rule.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = audit
 # remediation = bash
-# platform = Fedora,Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Fedora,Oracle Linux 7
 echo "-a always,exit -F path=/usr/bin/su -F auid>={{{ uid_min }}} -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_superstring_rule.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_superstring_rule.fail.sh
index 530c4f881d5..ff1c1762452 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_superstring_rule.fail.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_superstring_rule.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = audit
 # remediation = bash
-# platform = Fedora,Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Fedora,Oracle Linux 7
 echo "-a always,exit -F path=/usr/bin/sudoedit -F auid>={{{ uid_min }}} -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_unset_configured.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_unset_configured.pass.sh
index 2962e5c11f0..87430834b6e 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_unset_configured.pass.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_augenrules_unset_configured.pass.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = audit
 # remediation = bash
-# platform = Fedora,Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Fedora,Oracle Linux 7
 echo "-a always,exit -F path=/usr/bin/sudo -F auid>={{{ uid_min }}} -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_rules_with_own_key.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_rules_with_own_key.pass.sh
index 461a8715bc6..2bcd329a4c2 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_rules_with_own_key.pass.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/tests/rhel7_rules_with_own_key.pass.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = audit
 # remediation = bash
-# platform = Fedora,Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Fedora,Oracle Linux 7
 echo "-a always,exit -F path=/usr/bin/sudo -F auid>={{{ uid_min }}} -F auid!=4294967295 -k own_key" >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
index 2887b4eb697..dc668a3dc12 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
@@ -35,7 +35,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82607-3
- cce@rhel7: CCE-80402-1
 cce@rhel8: CCE-80738-8
 cce@rhel9: CCE-83764-1
 cce@sle15: CCE-85717-7
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
index 9ff29558755..d6a994a6a9b 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
@@ -35,7 +35,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82608-1
- cce@rhel7: CCE-80405-4
 cce@rhel8: CCE-80739-6
 cce@rhel9: CCE-83762-5
 cce@sle12: CCE-83158-6
@@ -57,7 +56,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000029-CTR-000085
 stigid@ol7: OL07-00-030750
 stigid@ol8: OL08-00-030301
- stigid@rhel7: RHEL-07-030750
 stigid@rhel8: RHEL-08-030301
 stigid@sle12: SLES-12-020300
 stigid@ubuntu2004: UBTU-20-010139
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
index 7a160905bf3..dbd9f51690e 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
@@ -35,7 +35,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82609-9
- cce@rhel7: CCE-80396-5
 cce@rhel8: CCE-80740-4
 cce@rhel9: CCE-83768-2
 cce@sle12: CCE-83109-9
@@ -59,7 +58,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000029-CTR-000085,SRG-APP-000495-CTR-001235
 stigid@ol7: OL07-00-030640
 stigid@ol8: OL08-00-030317
- stigid@rhel7: RHEL-07-030640
 stigid@rhel8: RHEL-08-030317
 stigid@sle12: SLES-12-020680
 stigid@sle15: SLES-15-030110
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
index bda6d3239ff..2e4e1ca5307 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
@@ -35,7 +35,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82610-7
- cce@rhel7: CCE-80399-9
 cce@rhel8: CCE-80741-2
 cce@rhel9: CCE-83760-9
 cce@sle15: CCE-85773-0
@@ -55,7 +54,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000495-CTR-001235
 stigid@ol7: OL07-00-030670
 stigid@ol8: OL08-00-030315
- stigid@rhel7: RHEL-07-030670
 stigid@rhel8: RHEL-08-030315
 {{{ ocil_fix_srg_privileged_command("userhelper") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
index 03b7b157349..fac749936b8 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
@@ -30,7 +30,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-87991-6
 cce@rhel8: CCE-86027-0
 cce@rhel9: CCE-87212-7
 cce@sle12: CCE-83191-7
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl/rule.yml
index fe6140d32e2..87df8b95b14 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl/rule.yml
@@ -35,7 +35,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82611-5
- cce@rhel7: CCE-82074-6
 cce@rhel8: CCE-80990-5
 references:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_utempter/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_utempter/rule.yml
index c14eefeeed8..bf42d77e98f 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_utempter/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_utempter/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_write/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_write/rule.yml
index c8c5434f0bd..264d2b88eb3 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_write/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_write/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
index 242a3f69ed5..c78f43641cc 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
@@ -26,7 +26,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82668-5
- cce@rhel7: CCE-27097-5
 cce@rhel8: CCE-80708-1
 cce@rhel9: CCE-83716-1
 cce@sle12: CCE-91554-6
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml
index f0f2927b785..d4f0a0f3b46 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml
@@ -22,7 +22,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82586-9
- cce@rhel7: CCE-27168-4
 cce@rhel8: CCE-80721-4
 cce@rhel9: CCE-83721-1
 cce@sle12: CCE-91601-5
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/rule.yml
index 0d3bbacbd93..19a5e82c6de 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/rule.yml
@@ -21,7 +21,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86341-5
 cce@rhel8: CCE-86342-3
 cce@rhel9: CCE-86343-1
 cce@sle12: CCE-92400-1
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
index 765a8d29e02..36fc4475170 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
@@ -26,7 +26,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82587-7
- cce@rhel7: CCE-27447-2
 cce@rhel8: CCE-80722-2
 cce@rhel9: CCE-83735-1
 cce@sle12: CCE-83217-0
@@ -51,7 +50,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000495-CTR-001235
 stigid@ol7: OL07-00-030740
 stigid@ol8: OL08-00-030302
- stigid@rhel7: RHEL-07-030740
 stigid@rhel8: RHEL-08-030302
 stigid@sle12: SLES-12-020290
 stigid@sle15: SLES-15-030350
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml
index 63fbf9d7ffd..878903dceb5 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml
@@ -42,7 +42,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82588-5
- cce@rhel7: CCE-27076-9
 cce@rhel8: CCE-80723-0
 cce@rhel9: CCE-83706-2
 cce@sle12: CCE-91602-3
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification_network_scripts/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification_network_scripts/rule.yml
index 6e709ec04d3..07775f8363c 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification_network_scripts/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification_network_scripts/rule.yml
@@ -21,7 +21,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86938-8
 cce@rhel8: CCE-86939-6
 cce@rhel9: CCE-86940-4
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml
index b8653738381..a40bc5bbb4c 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml
@@ -28,7 +28,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82612-3
- cce@rhel7: CCE-27301-1
 cce@rhel8: CCE-80742-0
 cce@rhel9: CCE-83713-8
 cce@sle12: CCE-91603-1
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/rule.yml
index 4f7e66e6250..e6f48f42660 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/rule.yml
@@ -35,7 +35,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86219-3
 cce@rhel8: CCE-90209-8
 cce@rhel9: CCE-86368-8
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml
index bd8020eb4dc..7e8cdbae203 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml
@@ -41,7 +41,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-87439-6
- cce@rhel7: CCE-83555-3
 cce@rhel8: CCE-83556-1
 cce@rhel9: CCE-86402-5
 cce@sle12: CCE-83200-6
@@ -55,7 +54,6 @@ references:
 srg: SRG-OS-000326-GPOS-00126,SRG-OS-000327-GPOS-00127,SRG-APP-000343-CTR-000780,SRG-APP-000381-CTR-000905
 stigid@ol7: OL07-00-030360
 stigid@ol8: OL08-00-030000
- stigid@rhel7: RHEL-07-030360
 stigid@rhel8: RHEL-08-030000
 stigid@sle12: SLES-12-020240
 stigid@sle15: SLES-15-030640
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
index 33a6bc9c580..9444f1ad1df 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
@@ -24,7 +24,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82613-1
- cce@rhel7: CCE-27461-3
 cce@rhel8: CCE-80743-8
 cce@rhel9: CCE-83729-4
 cce@sle12: CCE-91604-9
@@ -51,7 +50,6 @@ references:
 pcidss: Req-10.2.2,Req-10.2.5.b
 srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-APP-000026-CTR-000070,SRG-APP-000027-CTR-000075,SRG-APP-000028-CTR-000080,SRG-APP-000291-CTR-000675,SRG-APP-000292-CTR-000680,SRG-APP-000293-CTR-000685,SRG-APP-000294-CTR-000690,SRG-APP-000319-CTR-000745,SRG-APP-000320-CTR-000750,SRG-APP-000509-CTR-001305
 stigid@ol7: OL07-00-030700
- stigid@rhel7: RHEL-07-030700
 stigid@sle15: SLES-15-030140
 ocil_clause: 'there is not output'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml
index 3f2a116775f..c5d3e10acab 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml
@@ -27,7 +27,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80997-0
 cce@rhel8: CCE-80744-6
 cce@rhel9: CCE-83709-6
 cce@sle15: CCE-85774-8
@@ -45,7 +44,6 @@ references:
 nist-csf: PR.PT-1
 srg: SRG-OS-000046-GPOS-00022,SRG-OS-000047-GPOS-00023
 stigid@ol7: OL07-00-030010
- stigid@rhel7: RHEL-07-030010
 ocil_clause: 'the system is not configured to shutdown on auditd failures'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml
index 400585aa270..c331e85fe98 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml
@@ -32,7 +32,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-27192-4
 cce@rhel8: CCE-80757-8
 cce@rhel9: CCE-83715-3
 cce@sle12: CCE-91651-0
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
index ad7f8a70b3a..58704c03bce 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
@@ -28,7 +28,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82654-5
- cce@rhel7: CCE-80433-6
 cce@rhel8: CCE-80758-6
 cce@rhel9: CCE-83722-9
 cce@sle12: CCE-83121-4
@@ -56,7 +55,6 @@ references:
 srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255,SRG-APP-000503-CTR-001275
 stigid@ol7: OL07-00-030871
 stigid@ol8: OL08-00-030170
- stigid@rhel7: RHEL-07-030871
 stigid@rhel8: RHEL-08-030170
 stigid@sle12: SLES-12-020210
 stigid@sle15: SLES-15-030010
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
index 57888e9c299..c5a9c2bcb7b 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
@@ -28,7 +28,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82655-2
- cce@rhel7: CCE-80432-8
 cce@rhel8: CCE-80759-4
 cce@rhel9: CCE-83723-7
 cce@sle12: CCE-83095-0
@@ -56,7 +55,6 @@ references:
 srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255,SRG-APP-000503-CTR-001275
 stigid@ol7: OL07-00-030872
 stigid@ol8: OL08-00-030160
- stigid@rhel7: RHEL-07-030872
 stigid@rhel8: RHEL-08-030160
 stigid@sle12: SLES-12-020590
 stigid@sle15: SLES-15-030040
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
index e0fab79c5a6..1fc2cf3c0c2 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
@@ -28,7 +28,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82656-0
- cce@rhel7: CCE-80430-2
 cce@rhel8: CCE-80760-2
 cce@rhel9: CCE-83712-0
 cce@sle12: CCE-83123-0
@@ -57,7 +56,6 @@ references:
 srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-APP-000495-CTR-001235,SRG-APP-000496-CTR-001240,SRG-APP-000497-CTR-001245,SRG-APP-000498-CTR-001250,SRG-APP-000503-CTR-001275
 stigid@ol7: OL07-00-030874
 stigid@ol8: OL08-00-030140
- stigid@rhel7: RHEL-07-030874
 stigid@rhel8: RHEL-08-030140
 stigid@sle12: SLES-12-020230
 stigid@sle15: SLES-15-030030
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
index 6d718064cd8..2bfc6a83e2b 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
@@ -28,7 +28,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82657-8
- cce@rhel7: CCE-80435-1
 cce@rhel8: CCE-80761-0
 cce@rhel9: CCE-83714-6
 cce@sle12: CCE-83120-6
@@ -56,7 +55,6 @@ references:
 srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-OS-000274-GPOS-00104,SRG-OS-000275-GPOS-00105,SRG-OS-000276-GPOS-00106,SRG-OS-000277-GPOS-00107,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255,SRG-APP-000503-CTR-001275
 stigid@ol7: OL07-00-030870
 stigid@ol8: OL08-00-030150
- stigid@rhel7: RHEL-07-030870
 stigid@rhel8: RHEL-08-030150
 stigid@sle12: SLES-12-020200
 stigid@sle15: SLES-15-030000
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
index ac4521ab6b1..90b2fe2b9a0 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
@@ -28,7 +28,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82658-6
- cce@rhel7: CCE-80431-0
 cce@rhel8: CCE-80762-8
 cce@rhel9: CCE-83725-2
 cce@sle12: CCE-83122-2
@@ -56,7 +55,6 @@ references:
 srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255,SRG-APP-000503-CTR-001275
 stigid@ol7: OL07-00-030873
 stigid@ol8: OL08-00-030130
- stigid@rhel7: RHEL-07-030873
 stigid@rhel8: RHEL-08-030130
 stigid@sle12: SLES-12-020220
 stigid@sle15: SLES-15-030020
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_sudo_log_events/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_sudo_log_events/rule.yml
index 5e1037ecff5..9abc214b0af 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_sudo_log_events/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_sudo_log_events/rule.yml
@@ -37,7 +37,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86245-8
 cce@rhel8: CCE-86432-2
 cce@rhel9: CCE-86433-0
 cce@sle12: CCE-92355-7
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml
index 5fcd1182c53..a5adb514bea 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml
@@ -32,7 +32,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82614-9
- cce@rhel7: CCE-27290-6
 cce@rhel8: CCE-80745-3
 cce@rhel9: CCE-83840-9
 cce@sle12: CCE-91612-2
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml
index 6ccba7a3e8b..3404a4fe158 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml
@@ -32,7 +32,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82615-6
- cce@rhel7: CCE-27219-5
 cce@rhel8: CCE-80746-1
 cce@rhel9: CCE-83837-5
 cce@sle12: CCE-91613-0
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml
index c7a4f2d2b0a..4e36cff9185 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml
@@ -32,7 +32,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82616-4
- cce@rhel7: CCE-27216-1
 cce@rhel8: CCE-80747-9
 cce@rhel9: CCE-83836-7
 cce@sle12: CCE-91614-8
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml
index 8182a10698e..3098608819d 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml
@@ -39,7 +39,6 @@ platforms:
 identifiers:
 cce@rhcos4: CCE-82617-2
- cce@rhel7: CCE-27299-7
 cce@rhel8: CCE-80748-7
 cce@rhel9: CCE-83835-9
 cce@sle12: CCE-91615-5
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml
index 9cc6e4fbc35..fe1e6df4059 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml
@@ -26,7 +26,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82618-0
- cce@rhel7: CCE-27310-2
 cce@rhel8: CCE-80749-5
 cce@rhel9: CCE-83839-1
 cce@sle12: CCE-91616-3
diff --git a/linux_os/guide/auditing/auditd_configure_rules/directory_access_var_log_audit/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/directory_access_var_log_audit/rule.yml
index ffcfbc5d9d4..9a1e348b169 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/directory_access_var_log_audit/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/directory_access_var_log_audit/rule.yml
@@ -24,7 +24,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82712-1
- cce@rhel7: CCE-82071-2
 cce@rhel8: CCE-80941-8
 cce@rhel9: CCE-86574-1
diff --git a/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
index 7f61d3dd68c..fa8e6bcb067 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
@@ -28,7 +28,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82692-5
- cce@rhel7: CCE-88645-7
 cce@rhel8: CCE-84048-8
 cce@rhel9: CCE-83734-4
diff --git a/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/rule.yml
index a215acfcd27..0f4ea678a51 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/rule.yml
@@ -21,7 +21,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-88757-0
 cce@rhel8: CCE-88227-4
 cce@rhel9: CCE-89603-5
diff --git a/linux_os/guide/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml
index 0303cc1beca..4a38332bd84 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-88896-6
 cce@rhel8: CCE-86405-8
 cce@rhel9: CCE-86446-2
diff --git a/linux_os/guide/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml
index 800eb574e65..82a6b8a7219 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-88786-9
 cce@rhel8: CCE-86406-6
 cce@rhel9: CCE-86445-4
diff --git a/linux_os/guide/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
index b8d1c508b94..f08f6ab6151 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
@@ -15,7 +15,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82691-7
- cce@rhel7: CCE-80125-8
 cce@rhel8: CCE-80808-9
 cce@rhel9: CCE-83726-0
 cce@sle12: CCE-91605-6
@@ -36,7 +35,6 @@ references:
 pcidss: Req-10.5.1
 srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-APP-000118-CTR-000240
 stigid@ol7: OL07-00-910055
- stigid@rhel7: RHEL-07-910055
 ocil: |-
 {{{ describe_file_owner(file="/var/log/audit", owner="root") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/rule.yml
index 6f09447bf05..27dac91839d 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-88700-0
 cce@rhel8: CCE-88228-2
 cce@rhel9: CCE-89952-6
diff --git a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_audit_configuration/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_audit_configuration/rule.yml
index 5ddbc0f98d1..0575954da48 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_audit_configuration/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_audit_configuration/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-88763-8
 cce@rhel8: CCE-86407-4
 cce@rhel9: CCE-88002-1
diff --git a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
index b6097cbf025..69a8c1fca42 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
@@ -27,7 +27,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82690-9
- cce@rhel7: CCE-27205-4
 cce@rhel8: CCE-80819-6
 cce@rhel9: CCE-83720-3
 cce@sle12: CCE-92450-6
@@ -50,7 +49,6 @@ references:
 srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000206-GPOS-00084,SRG-APP-000118-CTR-000240
 stigid@ol7: OL07-00-910055
 stigid@ol8: OL08-00-030070
- stigid@rhel7: RHEL-07-910055
 stigid@rhel8: RHEL-08-030070
 stigid@ubuntu2004: UBTU-20-010122
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
index ec954eca681..960110b50ec 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
@@ -23,7 +23,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80541-6
 cce@rhel8: CCE-80925-1
 cce@rhel9: CCE-89900-5
 cce@sle12: CCE-83155-2
@@ -35,7 +34,6 @@ references:
 ospp: FAU_GEN.1.1.c
 srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
 stigid@ol7: OL07-00-030300
- stigid@rhel7: RHEL-07-030300
 stigid@sle12: SLES-12-020090
 stigid@sle15: SLES-15-030690
 stigid@ubuntu2004: UBTU-20-010216
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/tests/audisp_remote_server_hostname.pass.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/tests/audisp_remote_server_hostname.pass.sh
index 01ee18fc474..5e248265a6e 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/tests/audisp_remote_server_hostname.pass.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/tests/audisp_remote_server_hostname.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Oracle Linux 7
 . $SHARED/auditd_utils.sh
 prepare_auditd_test_enviroment
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/tests/audisp_remote_server_not_there.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/tests/audisp_remote_server_not_there.fail.sh
index 99f6cfe7f1c..fdd9619d9f9 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/tests/audisp_remote_server_not_there.fail.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/tests/audisp_remote_server_not_there.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Oracle Linux 7
 . $SHARED/auditd_utils.sh
 prepare_auditd_test_enviroment
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
index 1225b1132f6..73bd3511b35 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
@@ -21,7 +21,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80539-0
 cce@rhel9: CCE-88477-5
 cce@sle12: CCE-83116-4
 cce@sle15: CCE-85617-9
@@ -31,7 +30,6 @@ references:
 nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a)
 srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
 stigid@ol7: OL07-00-030320
- stigid@rhel7: RHEL-07-030320
 stigid@sle12: SLES-12-020110
 stigid@sle15: SLES-15-030800
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
index d235eed4723..df2ba720b07 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_sle
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_sle
 # reboot = false
 # complexity = low
 # disruption = low
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
index ad68d3a7767..cde75edcf05 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
@@ -23,7 +23,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80540-8
 cce@rhel8: CCE-80926-9
 cce@rhel9: CCE-86621-0
 cce@sle12: CCE-83063-8
@@ -35,7 +34,6 @@ references:
 ospp: FAU_GEN.1.1.c
 srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
 stigid@ol7: OL07-00-030310
- stigid@rhel7: RHEL-07-030310
 stigid@sle12: SLES-12-020080
 stigid@sle15: SLES-15-030680
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/encrypt_sent_records.pass.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/encrypt_sent_records.pass.sh
index ed26b4696ca..87786eb85cd 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/encrypt_sent_records.pass.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/encrypt_sent_records.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Oracle Linux 7
 . $SHARED/auditd_utils.sh
 prepare_auditd_test_enviroment
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/encrypt_sent_records_not_activated.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/encrypt_sent_records_not_activated.fail.sh
index 6f62d374418..8169d1d0b39 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/encrypt_sent_records_not_activated.fail.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/encrypt_sent_records_not_activated.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Oracle Linux 7
 . $SHARED/auditd_utils.sh
 prepare_auditd_test_enviroment
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/encrypt_sent_records_not_there.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/encrypt_sent_records_not_there.fail.sh
index 206ab64084e..b1d37662db5 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/encrypt_sent_records_not_there.fail.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/encrypt_sent_records_not_there.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Oracle Linux 7
 . $SHARED/auditd_utils.sh
 prepare_auditd_test_enviroment
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
index e562c00f770..dda6f34d0cc 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
@@ -22,7 +22,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80538-2
 cce@rhel9: CCE-90187-6
 cce@sle12: CCE-83115-6
 cce@sle15: CCE-85705-2
@@ -33,7 +32,6 @@ references:
 nist@sle15: AU-4(1)
 srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
 stigid@ol7: OL07-00-030321
- stigid@rhel7: RHEL-07-030321
 stigid@sle12: SLES-12-020100
 stigid@sle15: SLES-15-030790
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_remote_daemon_activated/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_remote_daemon_activated/rule.yml
index a78c9d48662..50ccde6a65d 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_remote_daemon_activated/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_remote_daemon_activated/rule.yml
@@ -19,14 +19,10 @@ rationale: |-
 severity: medium
-identifiers:
- cce@rhel7: CCE-86159-1
-
 references:
 disa: CCI-001851
 srg: SRG-OS-000479-GPOS-00224,SRG-OS-000342-GPOS-00133
 stigid@ol7: OL07-00-030201
- stigid@rhel7: RHEL-07-030201
 ocil_clause: 'it is not activated'
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_remote_daemon_direction/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_remote_daemon_direction/rule.yml
index 8bec29d6fb5..f3152e877f0 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_remote_daemon_direction/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_remote_daemon_direction/rule.yml
@@ -22,14 +22,10 @@ rationale: |-
 severity: medium
-identifiers:
- cce@rhel7: CCE-87159-0
-
 references:
 disa: CCI-001851
 srg: SRG-OS-000479-GPOS-00224,SRG-OS-000342-GPOS-00133
 stigid@ol7: OL07-00-030201
- stigid@rhel7: RHEL-07-030201
 ocil_clause: 'it is not configured'
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_remote_daemon_path/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_remote_daemon_path/rule.yml
index d9a185d94b1..7567fe30ee5 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_remote_daemon_path/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_remote_daemon_path/rule.yml
@@ -19,14 +19,10 @@ rationale: |-
 severity: medium
-identifiers:
- cce@rhel7: CCE-89159-8
-
 references:
 disa: CCI-001851
 srg: SRG-OS-000479-GPOS-00224,SRG-OS-000342-GPOS-00133
 stigid@ol7: OL07-00-030201
- stigid@rhel7: RHEL-07-030201
 ocil_clause: 'it is not configured'
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_remote_daemon_type/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_remote_daemon_type/rule.yml
index 8342b4d4bbf..6caeb3032a8 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_remote_daemon_type/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_remote_daemon_type/rule.yml
@@ -19,14 +19,10 @@ rationale: |-
 severity: medium
-identifiers:
- cce@rhel7: CCE-90159-5
-
 references:
 disa: CCI-001851
 srg: SRG-OS-000479-GPOS-00224,SRG-OS-000342-GPOS-00133
 stigid@ol7: OL07-00-030201
- stigid@rhel7: RHEL-07-030201
 ocil_clause: 'it is not configured'
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml
index df32a0d96b3..0a4b0cc54b3 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-27341-7
 cce@rhel8: CCE-80677-8
 cce@rhel9: CCE-83695-7
 cce@sle12: CCE-91617-1
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audisp_syslog_plugin_activated.pass.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audisp_syslog_plugin_activated.pass.sh
index bab23537461..6695c4a3dd6 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audisp_syslog_plugin_activated.pass.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audisp_syslog_plugin_activated.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Oracle Linux 7
 # remediation = bash
 . $SHARED/auditd_utils.sh
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audisp_syslog_plugin_activated_not_there.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audisp_syslog_plugin_activated_not_there.fail.sh
index 4b302323864..fde7286513c 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audisp_syslog_plugin_activated_not_there.fail.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audisp_syslog_plugin_activated_not_there.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Oracle Linux 7
 # remediation = bash
 . $SHARED/auditd_utils.sh
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audisp_syslog_plugin_not_activated.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audisp_syslog_plugin_not_activated.fail.sh
index dd4f139c261..0f623e60dcb 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audisp_syslog_plugin_not_activated.fail.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audisp_syslog_plugin_not_activated.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Oracle Linux 7
 # remediation = bash
 . $SHARED/auditd_utils.sh
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
index 0b3dd71953c..bbd361b31e1 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
@@ -23,7 +23,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82679-2
- cce@rhel7: CCE-80646-3
 cce@rhel8: CCE-84046-2
 cce@rhel9: CCE-83690-8
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
index 9d244f44fb2..4cfc29d4707 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
@@ -26,7 +26,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82676-8
- cce@rhel7: CCE-86102-1
 cce@rhel8: CCE-84045-4
 cce@rhel9: CCE-83684-1
 cce@sle12: CCE-83032-3
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
index 02929698b59..62dbda39572 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
@@ -17,7 +17,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82675-0
- cce@rhel7: CCE-27394-6
 cce@rhel8: CCE-80678-6
 cce@rhel9: CCE-83698-1
 cce@sle12: CCE-83030-7
@@ -45,7 +44,6 @@ references:
 srg: SRG-OS-000046-GPOS-00022,SRG-OS-000343-GPOS-00134
 stigid@ol7: OL07-00-030350
 stigid@ol8: OL08-00-030020
- stigid@rhel7: RHEL-07-030350
 stigid@rhel8: RHEL-08-030020
 stigid@sle12: SLES-12-020040
 stigid@sle15: SLES-15-030570
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml
index 2a2097fbb1e..6bfda043a77 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml
@@ -24,7 +24,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82677-6
- cce@rhel7: CCE-27370-6
 cce@rhel8: CCE-80679-4
 cce@rhel9: CCE-83700-5
 cce@sle12: CCE-91618-9
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
index 62c22c8a55c..3d67a066de5 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
@@ -19,7 +19,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82508-3
- cce@rhel7: CCE-27331-8
 cce@rhel8: CCE-80680-2
 cce@rhel9: CCE-83685-8
 cce@sle15: CCE-85775-5
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
index 721f2dab957..ff15f52df7c 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
@@ -21,7 +21,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82694-1
- cce@rhel7: CCE-27319-3
 cce@rhel8: CCE-80681-0
 cce@rhel9: CCE-83683-3
 cce@sle12: CCE-91619-7
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
index 38aeec9280e..be20cdd568b 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
@@ -30,7 +30,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82680-0
- cce@rhel7: CCE-27231-0
 cce@rhel8: CCE-80682-8
 cce@rhel9: CCE-83701-3
 cce@sle12: CCE-91620-5
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
index 0d740af0f02..191bc7e3022 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
@@ -20,7 +20,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82693-3
- cce@rhel7: CCE-27348-2
 cce@rhel8: CCE-80683-6
 cce@rhel9: CCE-83688-2
 cce@sle12: CCE-91621-3
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
index ad161d87678..afd63a4fb3a 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
@@ -20,7 +20,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82681-8
- cce@rhel7: CCE-80537-4
 cce@rhel8: CCE-83619-7
 cce@rhel9: CCE-87414-9
 cce@sle12: CCE-83026-5
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
index 0f768a25dc3..083e84e3ba2 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
@@ -30,7 +30,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82678-4
- cce@rhel7: CCE-27375-5
 cce@rhel8: CCE-80684-4
 cce@rhel9: CCE-83703-9
 cce@sle12: CCE-91622-1
@@ -56,7 +55,6 @@ references:
 srg: SRG-OS-000343-GPOS-00134
 stigid@ol7: OL07-00-030340
 stigid@ol8: OL08-00-030731
- stigid@rhel7: RHEL-07-030340
 stigid@rhel8: RHEL-08-030731
 stigid@ubuntu2004: UBTU-20-010217
 stigid@ubuntu2204: UBTU-22-653040
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/rule.yml
index 9cd9a6b0f8c..c45ae68814b 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86056-9
 cce@rhel8: CCE-86055-1
 cce@rhel9: CCE-87746-4
@@ -36,7 +35,6 @@ references:
 srg: SRG-OS-000343-GPOS-00134
 stigid@ol7: OL07-00-030330
 stigid@ol8: OL08-00-030730
- stigid@rhel7: RHEL-07-030330
 stigid@rhel8: RHEL-08-030730
 stigid@ubuntu2004: UBTU-20-010217
 stigid@ubuntu2204: UBTU-22-653040
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_freq/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_freq/rule.yml
index e21dfbacf29..ec30bb514a4 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_freq/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_freq/rule.yml
@@ -16,7 +16,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82512-5
- cce@rhel7: CCE-82358-3
 cce@rhel8: CCE-82258-5
 cce@rhel9: CCE-83704-7
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
index 75590e720e2..6c95fc31285 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
@@ -15,7 +15,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82509-1
- cce@rhel7: CCE-82355-9
 cce@rhel8: CCE-82233-8
 cce@rhel9: CCE-83682-5
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
index ef1666af111..82a3f2d54a7 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
@@ -16,7 +16,6 @@ severity: low
 identifiers:
 cce@rhcos4: CCE-82511-7
- cce@rhel7: CCE-82357-5
 cce@rhel8: CCE-82201-5
 cce@rhel9: CCE-83696-5
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml
index 015e9d6eff7..64042da08f7 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml
@@ -4,7 +4,7 @@
 # complexity = low
 # disruption = low
-{{%- if product in ["rhel7", "ol7"] %}}
+{{%- if product in ["ol7"] %}}
 {{%- set auditd_conf_path=audisp_conf_path + "/audispd.conf" %}}
 {{%- else %}}
 {{%- set auditd_conf_path=audisp_conf_path + "/auditd.conf" %}}
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh
index a08fddc9016..638b566dcef 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh
@@ -4,7 +4,7 @@
 # complexity = low
 # disruption = low
-{{%- if product in ["rhel7", "ol7"] %}}
+{{%- if product in ["ol7"] %}}
 {{%- set auditd_conf_path=audisp_conf_path + "/audispd.conf" %}}
 {{%- else %}}
 {{%- set auditd_conf_path=audisp_conf_path + "/auditd.conf" %}}
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml
index a98a46773ba..b1488c0a294 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml
@@ -1,4 +1,4 @@
-{{% if product in ["rhel7", "ol7"] %}}
+{{% if product in ["ol7"] %}}
 {{% set audisp_conf_file = "/audispd.conf" %}}
 {{% else %}}
 {{% set audisp_conf_file = "/auditd.conf" %}}
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
index 45245f92352..cd41709d7a7 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
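Review bot: The new condition `{{%- if product in ["ol7"] %}}` in auditd_name_format/ansible/shared.yml tests membership in a one-element list; with rhel7 gone, `{{%- if product == "ol7" %}}` states the intent directly and does not suggest the list is still expected to grow. The same single-element membership test is introduced in auditd_name_format's bash/shared.sh, oval/shared.xml and its tests (commented_out, correct_value, correct_value_2, empty, file_not_present, not_present, setup, wrong_value), and again in auditd_overflow_action's ansible, bash, oval, rule.yml and tests. Judging from the two branches, the condition only decides between audispd.conf and auditd.conf, so the choice seems to describe which audit layout a product ships rather than the product itself; if that is right, a product-level property or a shared macro would let this be maintained once instead of in roughly twenty copies, though the product definitions are outside this diff. The `{{%- endif %}}` closing this block lies outside the hunk.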
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
@@ -18,7 +18,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82513-3
- cce@rhel7: CCE-82359-1
 cce@rhel8: CCE-82897-0
 cce@rhel9: CCE-83686-6
@@ -29,7 +28,6 @@ references:
 srg: SRG-OS-000039-GPOS-00017,SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
 stigid@ol7: OL07-00-030211
 stigid@ol8: OL08-00-030062
- stigid@rhel7: RHEL-07-030211
 stigid@rhel8: RHEL-08-030062
 ocil_clause: name_format isn't set to {{{ xccdf_value("var_auditd_name_format") }}}
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/commented_out.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/commented_out.fail.sh
index 3c71a1bd5f7..0d4fe0ff7b8 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/commented_out.fail.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/commented_out.fail.sh
@@ -4,7 +4,7 @@
 # Ensure test system has proper directories/files for test scenario
 bash -x setup.sh
-{{%- if product in ["rhel7", "ol7"] %}}
+{{%- if product in ["ol7"] %}}
 config_file="/etc/audisp/audispd.conf"
 {{%- else %}}
 config_file="/etc/audit/auditd.conf"
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/correct_value.pass.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/correct_value.pass.sh
index f9395dea53c..86ec89511f5 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/correct_value.pass.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/correct_value.pass.sh
@@ -4,7 +4,7 @@
 # Ensure test system has proper directories/files for test scenario
 bash -x setup.sh
-{{%- if product in ["rhel7", "ol7"] %}}
+{{%- if product in ["ol7"] %}}
 config_file="/etc/audisp/audispd.conf"
 {{%- else %}}
 config_file="/etc/audit/auditd.conf"
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/correct_value_2.pass.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/correct_value_2.pass.sh
index e99e54aafa8..46ecdbc3056 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/correct_value_2.pass.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/correct_value_2.pass.sh
@@ -4,7 +4,7 @@
 # Ensure test system has proper directories/files for test scenario
 bash -x setup.sh
-{{%- if product in ["rhel7", "ol7"] %}}
+{{%- if product in ["ol7"] %}}
 config_file="/etc/audisp/audispd.conf"
 {{%- else %}}
 config_file="/etc/audit/auditd.conf"
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/empty.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/empty.fail.sh
index 1d20fbc61de..3f85d744423 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/empty.fail.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/empty.fail.sh
@@ -5,7 +5,7 @@
 bash -x setup.sh
-{{%- if product in ["rhel7", "ol7"] %}}
+{{%- if product in ["ol7"] %}}
 config_file="/etc/audisp/audispd.conf"
 {{%- else %}}
 config_file="/etc/audit/auditd.conf"
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/file_not_present.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/file_not_present.fail.sh
index 5ba3354018b..941381db328 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/file_not_present.fail.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/file_not_present.fail.sh
@@ -2,7 +2,7 @@
 # packages = audit
 # variables = var_auditd_name_format=hostname|fqd|numeric
-{{%- if product in ["rhel7", "ol7"] %}}
+{{%- if product in ["ol7"] %}}
 config_file="/etc/audisp/audispd.conf"
 {{%- else %}}
 config_file="/etc/audit/auditd.conf"
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/not_present.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/not_present.fail.sh
index 8fe6b21970f..f71c1f3abae 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/not_present.fail.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/not_present.fail.sh
@@ -4,7 +4,7 @@
 # Ensure test system has proper directories/files for test scenario
 bash -x setup.sh
-{{%- if product in ["rhel7", "ol7"] %}}
+{{%- if product in ["ol7"] %}}
 config_file="/etc/audisp/audispd.conf"
 {{%- else %}}
 config_file="/etc/audit/auditd.conf"
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/setup.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/setup.sh
index 2e11cb479a4..c6748b06cf3 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/setup.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/setup.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # Use this script to ensure the audit directory structure and audit conf file
 # exist in the test env.
-{{%- if product in ["rhel7", "ol7"] %}}
+{{%- if product in ["ol7"] %}}
 config_file="/etc/audisp/audispd.conf"
 # Ensure directory structure exists (useful for container based testing)
 test -d /etc/audisp/ || mkdir -p /etc/audisp/
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/wrong_value.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/wrong_value.fail.sh
index c137aa93409..67c53e0d529 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/wrong_value.fail.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/wrong_value.fail.sh
@@ -4,7 +4,7 @@
 # Ensure test system has proper directories/files for test scenario
 bash -x setup.sh
-{{%- if product in ["rhel7", "ol7"] %}}
+{{%- if product in ["ol7"] %}}
 config_file="/etc/audisp/audispd.conf"
 {{%- else %}}
 config_file="/etc/audit/auditd.conf"
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
index 12d8541cb8a..37fc1df9bfd 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
@@ -4,7 +4,7 @@
 # complexity = low
 # disruption = low
-{{%- if product in ["rhel7", "ol7"] %}}
+{{%- if product in ["ol7"] %}}
 {{%- set auditd_conf_path=audisp_conf_path + "/audispd.conf" %}}
 {{%- else %}}
 {{%- set auditd_conf_path=audisp_conf_path + "/auditd.conf" %}}
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh
index f308bd675c1..aba1bf099be 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh
@@ -4,7 +4,7 @@ # complexity = low # disruption = low -{{%- if product in ["rhel7", "ol7"] %}} +{{%- if product in ["ol7"] %}} {{%- set auditd_conf_path=audisp_conf_path + "/audispd.conf" %}} {{%- else %}} {{%- set auditd_conf_path=audisp_conf_path + "/auditd.conf" %}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml index f628201db36..7a9a7e51b05 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml @@ -1,4 +1,4 @@ -{{% if product in ["rhel7", "ol7"] %}} +{{% if product in ["ol7"] %}} {{% set audisp_conf_file = "/audispd.conf" %}} {{% else %}} {{% set audisp_conf_file = "/auditd.conf" %}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml index a058b881c18..c30bd2700a5 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["rhel7", "ol7"] %}} +{{%- if product in ["ol7"] %}} {{%- set auditd_conf_path = audisp_conf_path + "/audispd.conf" %}} {{%- else %}} {{%- set auditd_conf_path = audisp_conf_path + "/auditd.conf" %}} @@ -21,7 +21,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-88073-2 cce@rhel8: CCE-85889-4 cce@rhel9: CCE-87901-5 @@ -31,7 +30,6 @@ references: srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224 stigid@ol7: OL07-00-030210 stigid@ol8: OL08-00-030700 - stigid@rhel7: RHEL-07-030210 stigid@rhel8: RHEL-08-030700 ocil_clause: 'auditd overflow action is not set correctly' 
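Review bot: `{{%- if product in ["ol7"] %}}` is a one-element membership test left over from trimming `["rhel7", "ol7"]`; with a single product remaining, `{{%- if product == "ol7" %}}` states the intent directly, and the same form recurs in the bash, oval and rule.yml variants of auditd_overflow_action changed here (and in the auditd_name_format tests above). Keeping the list form is defensible if another audispd.conf-based product is expected to be added, but then a short template comment saying so would help, e.g. `{{# products that still read audispd.conf instead of auditd.conf #}}` above the condition. Behaviour is unchanged either way; the `auditd_conf_path` value that the condition selects is consumed outside these hunks.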
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh index 61178cd8875..c1bdebddf64 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh @@ -3,7 +3,7 @@ # Ensure test system has proper directories/files for test scenario bash -x setup.sh -{{%- if product in ["rhel7", "ol7"] %}} +{{%- if product in ["ol7"] %}} config_file="/etc/audisp/audispd.conf" {{%- else %}} config_file="/etc/audit/auditd.conf" diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh index 73d1b9bc9d9..afa5c3a0a26 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh @@ -4,7 +4,7 @@ bash -x setup.sh -{{%- if product in ["rhel7", "ol7"] %}} +{{%- if product in ["ol7"] %}} config_file="/etc/audisp/audispd.conf" {{%- else %}} config_file="/etc/audit/auditd.conf" diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh index 16299fe3f89..0944fa2f7d1 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh 
@@ -1,7 +1,7 @@ #!/bin/bash # packages = audit -{{%- if product in ["rhel7", "ol7"] %}} +{{%- if product in ["ol7"] %}} config_file="/etc/audisp/audispd.conf" {{%- else %}} config_file="/etc/audit/auditd.conf" diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh index 80e853cadb4..b8e0b25e2d5 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh @@ -3,7 +3,7 @@ # Ensure test system has proper directories/files for test scenario bash -x setup.sh -{{%- if product in ["rhel7", "ol7"] %}} +{{%- if product in ["ol7"] %}} config_file="/etc/audisp/audispd.conf" {{%- else %}} config_file="/etc/audit/auditd.conf" diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh index 969d532a1a7..30ceb2f36a6 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh @@ -3,7 +3,7 @@ # Ensure test system has proper directories/files for test scenario bash -x setup.sh -{{%- if product in ["rhel7", "ol7"] %}} +{{%- if product in ["ol7"] %}} config_file="/etc/audisp/audispd.conf" {{%- else %}} config_file="/etc/audit/auditd.conf" diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh index b816c02e1a9..aad92660447 100644 
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh @@ -3,7 +3,7 @@ # Ensure test system has proper directories/files for test scenario bash -x setup.sh -{{%- if product in ["rhel7", "ol7"] %}} +{{%- if product in ["ol7"] %}} config_file="/etc/audisp/audispd.conf" {{%- else %}} config_file="/etc/audit/auditd.conf" diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh index 2e11cb479a4..c6748b06cf3 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh @@ -1,7 +1,7 @@ #!/bin/bash # Use this script to ensure the audit directory structure and audit conf file # exist in the test env. -{{%- if product in ["rhel7", "ol7"] %}} +{{%- if product in ["ol7"] %}} config_file="/etc/audisp/audispd.conf" # Ensure directory structure exists (useful for container based testing) test -d /etc/audisp/ || mkdir -p /etc/audisp/ diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh index 9f92adae3e6..8e7d59e42e7 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh 
@@ -3,7 +3,7 @@ # Ensure test system has proper directories/files for test scenario bash -x setup.sh -{{%- if product in ["rhel7", "ol7"] %}} +{{%- if product in ["ol7"] %}} config_file="/etc/audisp/audispd.conf" {{%- else %}} config_file="/etc/audit/auditd.conf" diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh index de6c58b2abd..6c5badaa764 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh @@ -3,7 +3,7 @@ # Ensure test system has proper directories/files for test scenario bash -x setup.sh -{{%- if product in ["rhel7", "ol7"] %}} +{{%- if product in ["ol7"] %}} config_file="/etc/audisp/audispd.conf" {{%- else %}} config_file="/etc/audit/auditd.conf" diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml index a095a5ae4fd..0034c662c2c 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml @@ -15,7 +15,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82510-9 - cce@rhel7: CCE-82356-7 cce@rhel8: CCE-82366-6 cce@rhel9: CCE-83705-4 diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_admin_space_left_action.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_admin_space_left_action.var index fd60e0ce24b..2131e03638c 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_admin_space_left_action.var +++ b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_admin_space_left_action.var 
@@ -18,6 +18,5 @@ options:
 syslog: syslog
 rotate: rotate
 ignore: ignore
- cis_rhel7: single|halt
 cis_rhel8: single|halt
 cis_rhel9: single|halt
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var
index 200609182d4..54ed112c159 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var
@@ -21,6 +21,5 @@ options:
 ignore: ignore
 ol8: syslog|single|halt
 rhel8: syslog|single|halt
- cis_rhel7: syslog|single|halt
 cis_rhel8: syslog|single|halt
 cis_rhel9: syslog|single|halt
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var
index 5d6f1f423cc..c1548a3eb6d 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var
@@ -22,6 +22,5 @@ options:
 rotate: rotate
 ol8: syslog|single|halt
 rhel8: syslog|single|halt
- cis_rhel7: halt|single
 cis_rhel8: syslog|single|halt
 cis_rhel9: halt|single
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_space_left_action.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_space_left_action.var
index 87a744d6e8f..f5d81f5ccf9 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_space_left_action.var
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_space_left_action.var
@@ -18,6 +18,5 @@ options:
 syslog: syslog
 rotate: rotate
 ignore: ignore
- cis_rhel7: email|exec|single|halt
 cis_rhel8: email|exec|single|halt
 cis_rhel9: email|exec|single|halt
diff --git a/linux_os/guide/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/auditing/grub2_audit_argument/rule.yml index c9be28d06a0..2e07fee835b 100644 --- a/linux_os/guide/auditing/grub2_audit_argument/rule.yml +++ b/linux_os/guide/auditing/grub2_audit_argument/rule.yml @@ -18,7 +18,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-27212-0 cce@rhel8: CCE-80825-3 cce@rhel9: CCE-83651-0 cce@sle12: CCE-91553-8 diff --git a/linux_os/guide/auditing/grub2_audit_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh b/linux_os/guide/auditing/grub2_audit_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh index 97821b563cc..9581952235f 100644 --- a/linux_os/guide/auditing/grub2_audit_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh +++ b/linux_os/guide/auditing/grub2_audit_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 # Removes audit argument from kernel command line in /etc/default/grub if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*audit=.*"' '/etc/default/grub' ; then sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)audit=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub' diff --git a/linux_os/guide/auditing/grub2_audit_argument/tests/arg_not_there_rhel7.fail.sh b/linux_os/guide/auditing/grub2_audit_argument/tests/arg_not_there_rhel7.fail.sh index 69c1e3ce77b..dde32bfa2d2 100644 --- a/linux_os/guide/auditing/grub2_audit_argument/tests/arg_not_there_rhel7.fail.sh +++ b/linux_os/guide/auditing/grub2_audit_argument/tests/arg_not_there_rhel7.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 # Removes audit argument from kernel command line in /boot/grub2/grub.cfg file="/boot/grub2/grub.cfg" if grep -q '^.*audit=.*' "$file" ; then 
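Review bot: `arg_not_there_rhel7.fail.sh` now declares `# platform = Oracle Linux 7` only, so the file name no longer matches the single platform the scenario covers; renaming it to something like `arg_not_there_ol7.fail.sh` (and likewise `double_value_rhel7.fail.sh` and `wrong_value_rhel7.fail.sh` in the following hunks) would stop a reader from assuming a RHEL 7 scenario still exists. If the rename is deliberately deferred, a one-line comment next to the platform line would do, e.g. `# originally a RHEL 7 scenario; RHEL 7 support was dropped, OL7 is the only platform still exercising it`. The grep/sed edit of /boot/grub2/grub.cfg below the platform line is not changed by this commit and runs only on OL7 from now on, so it is worth confirming the scenario is still executed in CI at all.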
diff --git a/linux_os/guide/auditing/grub2_audit_argument/tests/correct_recovery_disabled.pass.sh b/linux_os/guide/auditing/grub2_audit_argument/tests/correct_recovery_disabled.pass.sh index ef5fd34b535..bd99871d284 100644 --- a/linux_os/guide/auditing/grub2_audit_argument/tests/correct_recovery_disabled.pass.sh +++ b/linux_os/guide/auditing/grub2_audit_argument/tests/correct_recovery_disabled.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 # Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*audit=.*"' '/etc/default/grub' ; then diff --git a/linux_os/guide/auditing/grub2_audit_argument/tests/double_value_rhel7.fail.sh b/linux_os/guide/auditing/grub2_audit_argument/tests/double_value_rhel7.fail.sh index 2ee6c142199..ae0541d581d 100644 --- a/linux_os/guide/auditing/grub2_audit_argument/tests/double_value_rhel7.fail.sh +++ b/linux_os/guide/auditing/grub2_audit_argument/tests/double_value_rhel7.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 # Break the audit argument in kernel command line in /boot/grub2/grub.cfg file="/boot/grub2/grub.cfg" diff --git a/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_etcdefaultgrub.fail.sh b/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_etcdefaultgrub.fail.sh index 7334b27bce6..ce39396e6f2 100644 --- a/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_etcdefaultgrub.fail.sh +++ b/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_etcdefaultgrub.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 # Break the audit argument in kernel command line in /etc/default/grub if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"' '/etc/default/grub' ; then 
diff --git a/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh b/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh index ee09233d422..a68a8fcea67 100644 --- a/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh +++ b/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 # Break the audit argument in kernel command line in /etc/default/grub if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*audit=.*"' '/etc/default/grub' ; then diff --git a/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_rhel7.fail.sh b/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_rhel7.fail.sh index 240c01cd7cc..383443aaca6 100644 --- a/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_rhel7.fail.sh +++ b/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_rhel7.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 # Break the audit argument in kernel command line in /boot/grub2/grub.cfg file="/boot/grub2/grub.cfg" diff --git a/linux_os/guide/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/auditing/grub2_audit_backlog_limit_argument/rule.yml index f725ae136a4..81bc3c80428 100644 --- a/linux_os/guide/auditing/grub2_audit_backlog_limit_argument/rule.yml +++ b/linux_os/guide/auditing/grub2_audit_backlog_limit_argument/rule.yml @@ -18,7 +18,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-82156-1 cce@rhel8: CCE-80943-4 cce@rhel9: CCE-83652-8 cce@sle12: CCE-92254-2 
diff --git a/linux_os/guide/auditing/grub2_audit_backlog_limit_argument/tests/correct_grubby.pass.sh b/linux_os/guide/auditing/grub2_audit_backlog_limit_argument/tests/correct_grubby.pass.sh index 6c11a8e5a34..416f429a6bb 100644 --- a/linux_os/guide/auditing/grub2_audit_backlog_limit_argument/tests/correct_grubby.pass.sh +++ b/linux_os/guide/auditing/grub2_audit_backlog_limit_argument/tests/correct_grubby.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 # Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby if grep -q '^GRUB_CMDLINE_LINUX=.*audit_backlog_limit=.*"' '/etc/default/grub' ; then diff --git a/linux_os/guide/auditing/grub2_audit_backlog_limit_argument/tests/wrong_value_etcdefaultgrub.fail.sh b/linux_os/guide/auditing/grub2_audit_backlog_limit_argument/tests/wrong_value_etcdefaultgrub.fail.sh index 8fa1742f1bc..4d4d7776767 100644 --- a/linux_os/guide/auditing/grub2_audit_backlog_limit_argument/tests/wrong_value_etcdefaultgrub.fail.sh +++ b/linux_os/guide/auditing/grub2_audit_backlog_limit_argument/tests/wrong_value_etcdefaultgrub.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7,Oracle Linux 8 # Break the audit_backlog_limit argument in kernel command line in /etc/default/grub if grep -q '^GRUB_CMDLINE_LINUX=.*audit_backlog_limit=.*"' '/etc/default/grub' ; then diff --git a/linux_os/guide/auditing/package_audispd-plugins_installed/rule.yml b/linux_os/guide/auditing/package_audispd-plugins_installed/rule.yml index 876abce51df..148d0591dca 100644 --- a/linux_os/guide/auditing/package_audispd-plugins_installed/rule.yml +++ b/linux_os/guide/auditing/package_audispd-plugins_installed/rule.yml @@ -14,7 +14,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-82954-9 cce@rhel8: CCE-82953-1 cce@rhel9: CCE-83648-6 
diff --git a/linux_os/guide/auditing/package_audit-audispd-plugins_installed/rule.yml b/linux_os/guide/auditing/package_audit-audispd-plugins_installed/rule.yml index 03092536c9c..a85dd39f523 100644 --- a/linux_os/guide/auditing/package_audit-audispd-plugins_installed/rule.yml +++ b/linux_os/guide/auditing/package_audit-audispd-plugins_installed/rule.yml @@ -36,7 +36,7 @@ template: pkgname@ubuntu2004: audispd-plugins pkgname@ubuntu2204: audispd-plugins -{{% if product in ["rhel7", "rhel8", "rhel9"] %}} +{{% if 'rhel' in product %}} warnings: - general: This package is not available in {{{ full_name }}} [{{{ product }}}]. The correct package diff --git a/linux_os/guide/auditing/package_audit-libs_installed/rule.yml b/linux_os/guide/auditing/package_audit-libs_installed/rule.yml index 2cfa1377ba7..34c7ab0bcee 100644 --- a/linux_os/guide/auditing/package_audit-libs_installed/rule.yml +++ b/linux_os/guide/auditing/package_audit-libs_installed/rule.yml @@ -1,6 +1,6 @@ {{% if product in ["sle12","sle15"] %}} {{% set package_name = "libaudit1" %}} -{{% else %}} +{{% else %}} {{% set package_name = "audit-libs" %}} {{% endif %}} @@ -16,7 +16,6 @@ rationale: 'The auditd service is an access monitoring and accounting daemon, wa severity: medium identifiers: - cce@rhel7: CCE-86531-1 cce@rhel9: CCE-86772-1 cce@sle12: CCE-92320-1 cce@sle15: CCE-92478-7 diff --git a/linux_os/guide/auditing/package_audit_installed/rule.yml b/linux_os/guide/auditing/package_audit_installed/rule.yml index 3933bd78a36..0ca799939ef 100644 --- a/linux_os/guide/auditing/package_audit_installed/rule.yml +++ b/linux_os/guide/auditing/package_audit_installed/rule.yml @@ -10,7 +10,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82669-3 - cce@rhel7: CCE-81042-4 cce@rhel8: CCE-81043-2 cce@rhel9: CCE-83649-4 cce@sle12: CCE-83023-2 
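Review bot: The new condition `{{% if 'rhel' in product %}}` is a substring test rather than a product-id test, so it also fires for any future product id that merely contains "rhel", and it already widens the warning from rhel8/rhel9 to rhel10, which is a behaviour change beyond dropping rhel7 and worth confirming as intended. The rest of this diff keeps explicit double-quoted product lists (`["sle12","sle15"]` in the audit-libs hunk just below), so the consistent form is `{{% if product in ["rhel8", "rhel9", "rhel10"] %}}`; if an open-ended match is really wanted, `{{% if product.startswith("rhel") %}}` expresses that without matching a substring in the middle of an id. The `warnings:` block guarded by this condition appears to continue past the end of the hunk.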
diff --git a/linux_os/guide/auditing/policy_rules/audit_rules_for_ospp/rule.yml b/linux_os/guide/auditing/policy_rules/audit_rules_for_ospp/rule.yml index 9907d52c5d4..1f0cc667446 100644 --- a/linux_os/guide/auditing/policy_rules/audit_rules_for_ospp/rule.yml +++ b/linux_os/guide/auditing/policy_rules/audit_rules_for_ospp/rule.yml @@ -4,8 +4,8 @@ documentation_complete: true title: 'Configure audit according to OSPP requirements' {{% set docs_dir="" %}} -{{# in rhel7,ol7 docs dir are versioned #}} -{{% if product in ["rhel7", "ol7"] %}} +{{# in ol7 docs dir are versioned #}} +{{% if product in ["ol7"] %}} {{% set docs_dir="-VERSION" %}} {{% endif %}} @@ -36,7 +36,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-82370-8 cce@rhel8: CCE-82309-6 cce@rhel9: CCE-85991-8 diff --git a/linux_os/guide/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/auditing/service_auditd_enabled/rule.yml index 5fca5c1a49f..2d0cdfc179c 100644 --- a/linux_os/guide/auditing/service_auditd_enabled/rule.yml +++ b/linux_os/guide/auditing/service_auditd_enabled/rule.yml @@ -25,7 +25,6 @@ requires: identifiers: cce@rhcos4: CCE-82463-1 - cce@rhel7: CCE-27407-6 cce@rhel8: CCE-80872-5 cce@rhel9: CCE-90829-3 cce@sle12: CCE-83024-0 
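Review bot: The rewritten template comment `{{# in ol7 docs dir are versioned #}}` reads awkwardly and does not say what the `-VERSION` suffix assigned to `docs_dir` right below it is for; suggest `{{# on ol7 the docs directory is versioned, hence the -VERSION suffix on docs_dir #}}` so the assignment is self-explanatory. As with the other hunks in this commit, `{{% if product in ["ol7"] %}}` could simply be `{{% if product == "ol7" %}}` now that only one product is listed. The second hunk in this file only drops the rhel7 CCE and needs nothing further.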
@@ -54,7 +53,6 @@ references: srg: SRG-OS-000062-GPOS-00031,SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00021,SRG-OS-000051-GPOS-00024,SRG-OS-000054-GPOS-00025,SRG-OS-000122-GPOS-00063,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000337-GPOS-00129,SRG-OS-000348-GPOS-00136,SRG-OS-000349-GPOS-00137,SRG-OS-000350-GPOS-00138,SRG-OS-000351-GPOS-00139,SRG-OS-000352-GPOS-00140,SRG-OS-000353-GPOS-00141,SRG-OS-000354-GPOS-00142,SRG-OS-000358-GPOS-00145,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000475-GPOS-00220,SRG-APP-000095-CTR-000170,SRG-APP-000409-CTR-000990,SRG-APP-000508-CTR-001300,SRG-APP-000510-CTR-001310 stigid@ol7: OL07-00-030000 stigid@ol8: OL08-00-030181 - stigid@rhel7: RHEL-07-030000 stigid@rhel8: RHEL-08-030181 stigid@sle12: SLES-12-020010 stigid@sle15: SLES-15-030050 diff --git a/linux_os/guide/services/avahi/avahi_configuration/avahi_check_ttl/rule.yml b/linux_os/guide/services/avahi/avahi_configuration/avahi_check_ttl/rule.yml index 1190aa51e6e..fdcbaf38b61 100644 --- a/linux_os/guide/services/avahi/avahi_configuration/avahi_check_ttl/rule.yml +++ b/linux_os/guide/services/avahi/avahi_configuration/avahi_check_ttl/rule.yml @@ -20,7 +20,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-80340-3 cce@rhel8: CCE-82377-3 references: diff --git a/linux_os/guide/services/avahi/avahi_configuration/avahi_disable_publishing/rule.yml b/linux_os/guide/services/avahi/avahi_configuration/avahi_disable_publishing/rule.yml index 953556fbc88..b200f950326 100644 --- a/linux_os/guide/services/avahi/avahi_configuration/avahi_disable_publishing/rule.yml +++ b/linux_os/guide/services/avahi/avahi_configuration/avahi_disable_publishing/rule.yml @@ -12,7 +12,6 @@ rationale: 'This helps ensure that no record will be published by Avahi.' severity: low identifiers: - cce@rhel7: CCE-82369-0 cce@rhel8: CCE-82372-4 references: 
diff --git a/linux_os/guide/services/avahi/avahi_configuration/avahi_ip_only/rule.yml b/linux_os/guide/services/avahi/avahi_configuration/avahi_ip_only/rule.yml index 52ed857e7ce..83d884b081b 100644 --- a/linux_os/guide/services/avahi/avahi_configuration/avahi_ip_only/rule.yml +++ b/linux_os/guide/services/avahi/avahi_configuration/avahi_ip_only/rule.yml @@ -15,7 +15,6 @@ rationale: "" severity: low identifiers: - cce@rhel7: CCE-80339-5 cce@rhel8: CCE-82378-1 references: diff --git a/linux_os/guide/services/avahi/avahi_configuration/avahi_prevent_port_sharing/rule.yml b/linux_os/guide/services/avahi/avahi_configuration/avahi_prevent_port_sharing/rule.yml index 14686029f7b..6ae2c78e527 100644 --- a/linux_os/guide/services/avahi/avahi_configuration/avahi_prevent_port_sharing/rule.yml +++ b/linux_os/guide/services/avahi/avahi_configuration/avahi_prevent_port_sharing/rule.yml @@ -15,7 +15,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80341-1 cce@rhel8: CCE-82376-5 references: diff --git a/linux_os/guide/services/avahi/avahi_configuration/avahi_restrict_published_information/rule.yml b/linux_os/guide/services/avahi/avahi_configuration/avahi_restrict_published_information/rule.yml index 686a4a5de06..8cdd4ba15f6 100644 --- a/linux_os/guide/services/avahi/avahi_configuration/avahi_restrict_published_information/rule.yml +++ b/linux_os/guide/services/avahi/avahi_configuration/avahi_restrict_published_information/rule.yml @@ -30,7 +30,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-80343-7 cce@rhel8: CCE-82375-7 references: diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml index d0a0eb6d50f..a86917f5bd3 100644 --- a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml +++ b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml 
@@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86514-7 cce@rhel8: CCE-86515-4 cce@rhel9: CCE-86516-2 cce@sle12: CCE-92310-2 diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml index f06022a8ac7..7f4c5b414cf 100644 --- a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml +++ b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86511-3 cce@rhel8: CCE-86512-1 cce@rhel9: CCE-86513-9 cce@sle12: CCE-92314-4 diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml index 2747e7470e9..85fb4347f79 100644 --- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml +++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml @@ -15,7 +15,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80338-7 cce@rhel8: CCE-82188-4 cce@rhel9: CCE-90824-4 cce@sle12: CCE-91691-6 diff --git a/linux_os/guide/services/base/package_abrt_removed/rule.yml b/linux_os/guide/services/base/package_abrt_removed/rule.yml index e04cfe6ffb5..4613ec1995a 100644 --- a/linux_os/guide/services/base/package_abrt_removed/rule.yml +++ b/linux_os/guide/services/base/package_abrt_removed/rule.yml @@ -19,7 +19,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-81040-8 cce@rhel8: CCE-80948-3 cce@rhel9: CCE-84228-6 diff --git a/linux_os/guide/services/base/package_psacct_installed/rule.yml b/linux_os/guide/services/base/package_psacct_installed/rule.yml index 4aedd0dc02b..ebdb655ed5e 100644 --- a/linux_os/guide/services/base/package_psacct_installed/rule.yml 
+++ b/linux_os/guide/services/base/package_psacct_installed/rule.yml @@ -18,7 +18,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-82403-7 cce@rhel8: CCE-82404-5 references: diff --git a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml index 662bdb72eb4..83d939aaa46 100644 --- a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml +++ b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml @@ -19,7 +19,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-82027-4 cce@rhel8: CCE-80870-9 cce@rhel9: CCE-84234-4 diff --git a/linux_os/guide/services/base/service_acpid_disabled/rule.yml b/linux_os/guide/services/base/service_acpid_disabled/rule.yml index 9741f58f046..a33d4aac499 100644 --- a/linux_os/guide/services/base/service_acpid_disabled/rule.yml +++ b/linux_os/guide/services/base/service_acpid_disabled/rule.yml @@ -18,7 +18,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80252-0 cce@rhel8: CCE-82407-8 references: diff --git a/linux_os/guide/services/base/service_certmonger_disabled/rule.yml b/linux_os/guide/services/base/service_certmonger_disabled/rule.yml index a50c1f550a8..c1db01cea7c 100644 --- a/linux_os/guide/services/base/service_certmonger_disabled/rule.yml +++ b/linux_os/guide/services/base/service_certmonger_disabled/rule.yml @@ -18,7 +18,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-80253-8 cce@rhel8: CCE-82452-4 references: diff --git a/linux_os/guide/services/base/service_cgconfig_disabled/rule.yml b/linux_os/guide/services/base/service_cgconfig_disabled/rule.yml index bb4c4f50d2b..9c926e29576 100644 --- a/linux_os/guide/services/base/service_cgconfig_disabled/rule.yml +++ b/linux_os/guide/services/base/service_cgconfig_disabled/rule.yml 
@@ -15,9 +15,6 @@ rationale: |- severity: low -identifiers: - cce@rhel7: CCE-80254-6 - references: cis-csc: 11,14,3,9 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 diff --git a/linux_os/guide/services/base/service_cgred_disabled/rule.yml b/linux_os/guide/services/base/service_cgred_disabled/rule.yml index 7004557671a..d63f9f53d09 100644 --- a/linux_os/guide/services/base/service_cgred_disabled/rule.yml +++ b/linux_os/guide/services/base/service_cgred_disabled/rule.yml @@ -14,9 +14,6 @@ rationale: |- severity: low -identifiers: - cce@rhel7: CCE-80255-3 - references: cis-csc: 11,14,3,9 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 diff --git a/linux_os/guide/services/base/service_cpupower_disabled/rule.yml b/linux_os/guide/services/base/service_cpupower_disabled/rule.yml index 07fe85672df..9a2c176e242 100644 --- a/linux_os/guide/services/base/service_cpupower_disabled/rule.yml +++ b/linux_os/guide/services/base/service_cpupower_disabled/rule.yml @@ -17,7 +17,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-80256-1 cce@rhel8: CCE-82382-3 references: diff --git a/linux_os/guide/services/base/service_irqbalance_enabled/rule.yml b/linux_os/guide/services/base/service_irqbalance_enabled/rule.yml index 50cddf66401..2e8ff0987ab 100644 --- a/linux_os/guide/services/base/service_irqbalance_enabled/rule.yml +++ b/linux_os/guide/services/base/service_irqbalance_enabled/rule.yml @@ -15,9 +15,6 @@ rationale: |- severity: low -identifiers: - cce@rhel7: CCE-80257-9 - references: cis-csc: 11,14,3,9 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml b/linux_os/guide/services/base/service_kdump_disabled/rule.yml index a2331569a35..249d72d10b4 100644 --- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml +++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml 
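Review bot: Dropping the whole `identifiers:` key from service_cgconfig_disabled, rather than leaving a bare `identifiers:` that would parse as null, is the right mechanical change, but it leaves the rule with no identifier for any product, and the same happens to service_cgred_disabled and service_irqbalance_enabled in the following hunks and to service_messagebus_disabled on the next line. That suggests these rules may no longer be selected by any product after this commit; if so they should be retired in a follow-up rather than kept identifier-less, and if a remaining product does still use them a CCE for that product should be assigned. Whether any surviving profile references them cannot be seen from this diff, so please confirm before merging.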
@@ -24,7 +24,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-80258-7
 cce@rhel8: CCE-80878-2
 cce@rhel9: CCE-84232-8
 cce@sle12: CCE-83105-7
@@ -44,7 +43,6 @@ references:
 srg: SRG-OS-000269-GPOS-00103,SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-021300
 stigid@ol8: OL08-00-010670
- stigid@rhel7: RHEL-07-021300
 stigid@rhel8: RHEL-08-010670
 stigid@sle12: SLES-12-010840
 stigid@sle15: SLES-15-040190
diff --git a/linux_os/guide/services/base/service_mdmonitor_disabled/rule.yml b/linux_os/guide/services/base/service_mdmonitor_disabled/rule.yml
index 7367528240e..a1762c8f6da 100644
--- a/linux_os/guide/services/base/service_mdmonitor_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_mdmonitor_disabled/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: low
 
 identifiers:
- cce@rhel7: CCE-80259-5
 cce@rhel8: CCE-82386-4
 
 references:
diff --git a/linux_os/guide/services/base/service_messagebus_disabled/rule.yml b/linux_os/guide/services/base/service_messagebus_disabled/rule.yml
index 409d94506a1..7be253c4c94 100644
--- a/linux_os/guide/services/base/service_messagebus_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_messagebus_disabled/rule.yml
@@ -6,7 +6,7 @@ title: 'Disable D-Bus IPC Service (messagebus)'
 description: |-
 D-Bus provides an IPC mechanism used by a growing list of programs, such as those used for Gnome, Bluetooth, and Avahi. Due to these dependencies,
- disabling D-Bus may not be practical for many systems.
+ disabling D-Bus may not be practical for many systems.
 {{{ describe_service_disable(service="messagebus") }}}
 
 rationale: |-
@@ -16,10 +16,7 @@ rationale: |-
 impractical for any system which needs to provide a graphical login session.
 
-severity: low
-
-identifiers:
- cce@rhel7: CCE-80260-3
+severity: low
 
 references:
 cis-csc: 11,14,3,9
diff --git a/linux_os/guide/services/base/service_netconsole_disabled/rule.yml b/linux_os/guide/services/base/service_netconsole_disabled/rule.yml
index 10ba1d7ab36..3a92bcc0cc5 100644
--- a/linux_os/guide/services/base/service_netconsole_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_netconsole_disabled/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
 severity: low
 
 identifiers:
- cce@rhel7: CCE-80261-1
 cce@rhel8: CCE-82455-7
 
 references:
diff --git a/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml b/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml
index 3b0464b9f79..f077d13b3f7 100644
--- a/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml
@@ -20,7 +20,6 @@ rationale: |-
 severity: low
 
 identifiers:
- cce@rhel7: CCE-80262-9
 cce@rhel8: CCE-80879-0
 cce@rhel9: CCE-84236-9
 
diff --git a/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml b/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml
index 51a3c264e4d..2dd383666c8 100644
--- a/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-80263-7
 cce@rhel8: CCE-80880-8
 cce@rhel9: CCE-84229-4
 
diff --git a/linux_os/guide/services/base/service_portreserve_disabled/rule.yml b/linux_os/guide/services/base/service_portreserve_disabled/rule.yml
index d6ed5bf4d03..1f39fb1cadf 100644
--- a/linux_os/guide/services/base/service_portreserve_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_portreserve_disabled/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
 severity: low
 
 identifiers:
- cce@rhel7: CCE-80264-5
 cce@rhel8: CCE-82390-6
 
 references:
diff --git a/linux_os/guide/services/base/service_psacct_enabled/rule.yml b/linux_os/guide/services/base/service_psacct_enabled/rule.yml
index 3f5d17b0f2a..4587ec4f6a5 100644
--- a/linux_os/guide/services/base/service_psacct_enabled/rule.yml
+++ b/linux_os/guide/services/base/service_psacct_enabled/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: low
 
 identifiers:
- cce@rhel7: CCE-80265-2
 cce@rhel8: CCE-82401-1
 
 references:
diff --git a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
index 872536c7853..72429ff6577 100644
--- a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
@@ -21,7 +21,6 @@ rationale: |-
 severity: low
 
 identifiers:
- cce@rhel7: CCE-80266-0
 cce@rhel8: CCE-80882-4
 cce@rhel9: CCE-84231-0
 
diff --git a/linux_os/guide/services/base/service_quota_nld_disabled/rule.yml b/linux_os/guide/services/base/service_quota_nld_disabled/rule.yml
index 64b3ff77837..4ea186a8f1c 100644
--- a/linux_os/guide/services/base/service_quota_nld_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_quota_nld_disabled/rule.yml
@@ -21,7 +21,6 @@ rationale: |-
 severity: low
 
 identifiers:
- cce@rhel7: CCE-80267-8
 cce@rhel8: CCE-82406-0
 
 references:
diff --git a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
index bbf560b76a3..b4441dd20ae 100644
--- a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-80268-6
 cce@rhel8: CCE-80883-2
 cce@rhel9: CCE-84237-7
 
diff --git a/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml b/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml
index 06df87c3762..906cd1676aa 100644
--- a/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: low
 
 identifiers:
- cce@rhel7: CCE-80269-4
 cce@rhel8: CCE-82405-2
 cce@rhel9: CCE-84235-1
 
diff --git a/linux_os/guide/services/base/service_rhsmcertd_disabled/rule.yml b/linux_os/guide/services/base/service_rhsmcertd_disabled/rule.yml
index bf35bd12329..1fcf1846125 100644
--- a/linux_os/guide/services/base/service_rhsmcertd_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_rhsmcertd_disabled/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: low
 
 identifiers:
- cce@rhel7: CCE-80270-2
 cce@rhel8: CCE-82387-2
 
 references:
diff --git a/linux_os/guide/services/base/service_saslauthd_disabled/rule.yml b/linux_os/guide/services/base/service_saslauthd_disabled/rule.yml
index c2b5bc75e58..0e8db3e259f 100644
--- a/linux_os/guide/services/base/service_saslauthd_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_saslauthd_disabled/rule.yml
@@ -20,7 +20,6 @@ rationale: |-
 severity: low
 
 identifiers:
- cce@rhel7: CCE-80271-0
 cce@rhel8: CCE-82389-8
 
 references:
diff --git a/linux_os/guide/services/base/service_smartd_disabled/rule.yml b/linux_os/guide/services/base/service_smartd_disabled/rule.yml
index 103dc430405..b4c3de54d57 100644
--- a/linux_os/guide/services/base/service_smartd_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_smartd_disabled/rule.yml
@@ -17,9 +17,6 @@ rationale: |-
 
 severity: low
 
-identifiers:
- cce@rhel7: CCE-80272-8
-
 references:
 cis-csc: 11,14,3,9
 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
diff --git a/linux_os/guide/services/base/service_sysstat_disabled/rule.yml b/linux_os/guide/services/base/service_sysstat_disabled/rule.yml
index 124c3be04ad..0f877334f6a 100644
--- a/linux_os/guide/services/base/service_sysstat_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_sysstat_disabled/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: low
 
 identifiers:
- cce@rhel7: CCE-80273-6
 cce@rhel8: CCE-82388-0
 
 references:
diff --git a/linux_os/guide/services/cron_and_at/disable_anacron/rule.yml b/linux_os/guide/services/cron_and_at/disable_anacron/rule.yml
index aa34a4c8f3d..18b12702432 100644
--- a/linux_os/guide/services/cron_and_at/disable_anacron/rule.yml
+++ b/linux_os/guide/services/cron_and_at/disable_anacron/rule.yml
@@ -5,7 +5,7 @@ title: 'Disable anacron Service'
 
 description: |-
 The cronie-anacron package, which provides anacron
- functionality, is installed by default.
+ functionality, is installed by default.
 {{{ describe_package_remove(package="cronie-anacron") }}}
 
 rationale: |-
@@ -17,9 +17,6 @@ rationale: |-
 
 severity: unknown
 
-identifiers:
- cce@rhel7: CCE-80344-5
-
 references:
 cis-csc: 11,14,3,9
 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
index 7b496326c80..b310b87f4cc 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82265-0
 cce@rhel8: CCE-82268-4
 cce@rhel9: CCE-84177-5
 cce@sle12: CCE-92275-7
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
index 29333f5d5eb..a1ff70cef8b 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82232-0
 cce@rhel8: CCE-82234-6
 cce@rhel9: CCE-84170-0
 cce@sle12: CCE-92269-0
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
index e6f13be150e..61a91b290b8 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82226-2
 cce@rhel8: CCE-82227-0
 cce@rhel9: CCE-84186-6
 cce@sle12: CCE-92266-6
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
index e3d661078b1..8a80e238181 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82255-1
 cce@rhel8: CCE-82256-9
 cce@rhel9: CCE-84189-0
 cce@sle12: CCE-92272-4
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
index 03724238c10..97d9b4f4799 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82242-9
 cce@rhel8: CCE-82244-5
 cce@rhel9: CCE-84174-2
 cce@sle12: CCE-92270-8
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
index 6d07c8a6c84..30c90121a74 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82222-1
 cce@rhel8: CCE-82223-9
 cce@rhel9: CCE-84171-8
 cce@sle12: CCE-92264-1
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
index b78cd0f1e5a..be438d690dd 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82270-0
 cce@rhel8: CCE-82272-6
 cce@rhel9: CCE-84169-2
 cce@sle12: CCE-92274-0
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
index c4c4e76455d..51c73d0bd43 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82236-1
 cce@rhel8: CCE-82237-9
 cce@rhel9: CCE-84188-2
 cce@sle12: CCE-92268-2
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
index d29abfc01dc..0a99046cbef 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82208-0
 cce@rhel8: CCE-82209-8
 cce@rhel9: CCE-84168-4
 cce@sle12: CCE-92267-4
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
index f7649ff2689..87ab19bd69b 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82259-3
 cce@rhel8: CCE-82260-1
 cce@rhel9: CCE-84179-1
 cce@sle12: CCE-92273-2
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
index 1d938a1e312..a7938e9af74 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82246-0
 cce@rhel8: CCE-82247-8
 cce@rhel9: CCE-84190-8
 cce@sle12: CCE-92271-6
diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
index 0c4e1b952a6..a45007bd3d7 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82217-1
 cce@rhel8: CCE-82224-7
 cce@rhel9: CCE-84167-6
 cce@sle12: CCE-92265-8
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
index 358d24db3f8..28911415998 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82276-7
 cce@rhel8: CCE-82277-5
 cce@rhel9: CCE-84183-3
 cce@sle12: CCE-91672-6
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
index 761f1432b17..0fcf684b8c0 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82239-5
 cce@rhel8: CCE-82240-3
 cce@rhel9: CCE-84175-9
 cce@sle12: CCE-91669-2
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
index a0480835e1e..4ad244eb0b1 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82229-6
 cce@rhel8: CCE-82230-4
 cce@rhel9: CCE-84173-4
 cce@sle12: CCE-91668-4
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
index 827de1a5f8a..c99a55f0a8b 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82262-7
 cce@rhel8: CCE-82263-5
 cce@rhel9: CCE-84181-7
 cce@sle12: CCE-91671-8
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
index 607955f7d34..273dd2e5117 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82250-2
 cce@rhel8: CCE-82253-6
 cce@rhel9: CCE-84187-4
 cce@sle12: CCE-91670-0
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
index 4e00aa78143..63721e8bb5a 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82205-6
 cce@rhel8: CCE-82206-4
 cce@rhel9: CCE-84176-7
 cce@sle12: CCE-91667-6
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml
index 3b4fa70ba85..50918a5c6c7 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-86944-6
 cce@rhel8: CCE-86945-3
 cce@rhel9: CCE-86946-1
 cce@sle12: CCE-91683-3
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/rule.yml
index e6373942070..f36c255c6f6 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-86183-1
 cce@rhel8: CCE-86184-9
 cce@rhel9: CCE-86185-6
 
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml
index c8f347ceb30..55e54579adc 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-86848-9
 cce@rhel8: CCE-86849-7
 cce@rhel9: CCE-86850-5
 cce@sle12: CCE-91684-1
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
index 9f59839ca4b..50e08257cce 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-86144-3
 cce@rhel8: CCE-87102-0
 cce@rhel9: CCE-87103-8
 cce@sle12: CCE-91685-8
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
index 0733273518c..1961949e6a0 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
@@ -20,7 +20,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-80379-1
 cce@rhel8: CCE-86829-9
 cce@rhel9: CCE-86830-7
 cce@sle12: CCE-91686-6
@@ -41,7 +40,6 @@ references:
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-021120
- stigid@rhel7: RHEL-07-021120
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/cron.allow", group=target_group) }}}'
 
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
index c9cdded1ab1..6100bee9c77 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-86344-9
 cce@rhel8: CCE-86345-6
 cce@rhel9: CCE-86346-4
 cce@sle12: CCE-91687-4
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
index a09ec49d046..5ad2ad089a1 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-80378-3
 cce@rhel8: CCE-86843-0
 cce@rhel9: CCE-86844-8
 cce@sle12: CCE-91688-2
@@ -35,7 +34,6 @@ references:
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-021110
- stigid@rhel7: RHEL-07-021110
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/cron.allow", owner="root") }}}'
 
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
index a53cc7e2514..6c2561ca944 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
@@ -23,7 +23,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-86244-1
 cce@rhel8: CCE-86903-2
 cce@rhel9: CCE-86904-0
 cce@sle12: CCE-91689-0
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
index e0dc09ca19b..b2819fd9082 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
@@ -24,7 +24,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-86875-2
 cce@rhel8: CCE-86876-0
 cce@rhel9: CCE-86877-8
 cce@sle12: CCE-91690-8
diff --git a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
index dcaf4492819..2d7b897dc21 100644
--- a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
+++ b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
@@ -20,7 +20,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-80345-2
 cce@rhel8: CCE-80871-7
 cce@rhel9: CCE-84164-3
 
diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
index 101c7f6bf5b..74a61c70dfc 100644
--- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
+++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-27323-5
 cce@rhel8: CCE-80875-8
 cce@rhel9: CCE-84163-5
 
diff --git a/linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml b/linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml
index 662b94bc81a..7bd409872ce 100644
--- a/linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml
+++ b/linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: high
 
 identifiers:
- cce@rhel7: CCE-82461-5
 cce@rhel8: CCE-83302-0
 
 references:
diff --git a/linux_os/guide/services/dhcp/dhcp_server_configuration/dhcp_server_configure_logging/rule.yml b/linux_os/guide/services/dhcp/dhcp_server_configuration/dhcp_server_configure_logging/rule.yml
index 1e0fe7bbb35..929cd6ab733 100644
--- a/linux_os/guide/services/dhcp/dhcp_server_configuration/dhcp_server_configure_logging/rule.yml
+++ b/linux_os/guide/services/dhcp/dhcp_server_configuration/dhcp_server_configure_logging/rule.yml
@@ -17,9 +17,6 @@ rationale: |-
 
 severity: unknown
 
-identifiers:
- cce@rhel7: CCE-80336-1
-
 references:
 cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/services/dhcp/dhcp_server_configuration/dhcp_server_deny_bootp/rule.yml b/linux_os/guide/services/dhcp/dhcp_server_configuration/dhcp_server_deny_bootp/rule.yml
index 9b7d693c13d..acc42d87d7e 100644
--- a/linux_os/guide/services/dhcp/dhcp_server_configuration/dhcp_server_deny_bootp/rule.yml
+++ b/linux_os/guide/services/dhcp/dhcp_server_configuration/dhcp_server_deny_bootp/rule.yml
@@ -15,9 +15,6 @@ rationale: |-
 
 severity: unknown
 
-identifiers:
- cce@rhel7: CCE-80334-6
-
 references:
 cis-csc: 11,14,3,9
 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
diff --git a/linux_os/guide/services/dhcp/dhcp_server_configuration/dhcp_server_deny_decline/rule.yml b/linux_os/guide/services/dhcp/dhcp_server_configuration/dhcp_server_deny_decline/rule.yml
index 064d46a91d1..7b2fb47e24a 100644
--- a/linux_os/guide/services/dhcp/dhcp_server_configuration/dhcp_server_deny_decline/rule.yml
+++ b/linux_os/guide/services/dhcp/dhcp_server_configuration/dhcp_server_deny_decline/rule.yml
@@ -17,9 +17,6 @@ rationale: |-
 
 severity: unknown
 
-identifiers:
- cce@rhel7: CCE-80333-8
-
 references:
 cis-csc: 11,14,3,9
 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
diff --git a/linux_os/guide/services/dhcp/dhcp_server_configuration/dhcp_server_disable_ddns/rule.yml b/linux_os/guide/services/dhcp/dhcp_server_configuration/dhcp_server_disable_ddns/rule.yml
index 88cdc928d35..96f271da9dd 100644
--- a/linux_os/guide/services/dhcp/dhcp_server_configuration/dhcp_server_disable_ddns/rule.yml
+++ b/linux_os/guide/services/dhcp/dhcp_server_configuration/dhcp_server_disable_ddns/rule.yml
@@ -20,9 +20,6 @@ rationale: |-
 
 severity: unknown
 
-identifiers:
- cce@rhel7: CCE-80332-0
-
 references:
 cis-csc: 11,14,3,9
 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_client/sysconfig_networking_bootproto_ifcfg/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_client/sysconfig_networking_bootproto_ifcfg/rule.yml
index 3260b61b026..8adc67997b5 100644
--- a/linux_os/guide/services/dhcp/disabling_dhcp_client/sysconfig_networking_bootproto_ifcfg/rule.yml
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_client/sysconfig_networking_bootproto_ifcfg/rule.yml
@@ -27,9 +27,6 @@ rationale: |-
 
 severity: unknown
 
-identifiers:
- cce@rhel7: CCE-80337-9
-
 references:
 cis-csc: 11,14,3,9
 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
index 41a92670a0d..11bb54381bb 100644
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
@@ -21,7 +21,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-80331-2
 cce@rhel8: CCE-83385-5
 cce@rhel9: CCE-84240-1
 cce@sle12: CCE-91453-1
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
index 8e15fb62bcc..1b46c1ec279 100644
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
@@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80330-4 cce@rhel8: CCE-82864-0 cce@rhel9: CCE-84241-9 cce@sle12: CCE-92243-5
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/tests/service_enabled.fail.sh b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/tests/service_enabled.fail.sh
index aef3f551e83..e5a05189145 100644
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/tests/service_enabled.fail.sh
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/tests/service_enabled.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-{{% if product in ['rhel7', 'sle15'] %}}
+{{% if product in ['sle15'] %}}
 {{% set pkp_name="dhcp" %}}
 {{% else %}}
 {{% set pkp_name="dhcp-server" %}}
diff --git a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml
index c3090bdcedc..9ad8326abfc 100644
--- a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml
+++ b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml
@@ -14,7 +14,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-80326-2 cce@rhel8: CCE-82408-6 cce@rhel9: CCE-86505-5 cce@sle12: CCE-91642-9
diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
index d72aae63315..a0d262d5e77 100644
--- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
+++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
@@ -13,7 +13,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80325-4 cce@rhel8: CCE-82409-4 cce@rhel9: CCE-84194-0 cce@sle12: CCE-92245-0
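Review bot: The condition left behind at the top of service_enabled.fail.sh now tests membership in a one-element list, `{{% if product in ['sle15'] %}}`; once rhel7 is gone a plain comparison says the same thing more directly, `{{% if product == 'sle15' %}}`. The `{{% endif %}}` closing this branch lies outside the hunk, so the else-branch shape is only partly visible here. Unrelated to the change but in the same five lines, the variable is spelled `pkp_name` where it holds a package name; if it is only referenced within this script, `pkg_name` would be the obvious correction.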
diff --git a/linux_os/guide/services/dns/dns_server_protection/dns_server_authenticate_zone_transfers/rule.yml b/linux_os/guide/services/dns/dns_server_protection/dns_server_authenticate_zone_transfers/rule.yml
index c85b373d680..8dfe34a7844 100644
--- a/linux_os/guide/services/dns/dns_server_protection/dns_server_authenticate_zone_transfers/rule.yml
+++ b/linux_os/guide/services/dns/dns_server_protection/dns_server_authenticate_zone_transfers/rule.yml
@@ -53,7 +53,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80328-8 cce@rhel8: CCE-82410-2 references:
diff --git a/linux_os/guide/services/dns/dns_server_protection/dns_server_disable_dynamic_updates/rule.yml b/linux_os/guide/services/dns/dns_server_protection/dns_server_disable_dynamic_updates/rule.yml
index 1d9c7d0f38c..81c93b06c50 100644
--- a/linux_os/guide/services/dns/dns_server_protection/dns_server_disable_dynamic_updates/rule.yml
+++ b/linux_os/guide/services/dns/dns_server_protection/dns_server_disable_dynamic_updates/rule.yml
@@ -22,6 +22,3 @@ rationale: |- only the precise type of change needed. severity: unknown - -identifiers: - cce@rhel7: CCE-80329-6
diff --git a/linux_os/guide/services/dns/dns_server_protection/dns_server_disable_zone_transfers/rule.yml b/linux_os/guide/services/dns/dns_server_protection/dns_server_disable_zone_transfers/rule.yml
index d380c60adaf..289a012e8e2 100644
--- a/linux_os/guide/services/dns/dns_server_protection/dns_server_disable_zone_transfers/rule.yml
+++ b/linux_os/guide/services/dns/dns_server_protection/dns_server_disable_zone_transfers/rule.yml
@@ -22,6 +22,3 @@ rationale: |- disabled to avoid the potential for abuse. severity: unknown - -identifiers: - cce@rhel7: CCE-80327-0
diff --git a/linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml b/linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml
index 2f86211d8de..6705ee9d83f 100644
--- a/linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml
+++ b/linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml
@@ -16,7 +16,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-90761-8 cce@rhel8: CCE-90746-9 cce@rhel9: CCE-86063-5
diff --git a/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml b/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
index c887535b545..8bbbfb708d3 100644
--- a/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
+++ b/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
@@ -22,7 +22,4 @@ severity: high platform: machine # The check uses service_... extended definition, which doesnt support offline mode -identifiers: - cce@rhel7: CCE-80442-7 - platform: machine
diff --git a/linux_os/guide/services/docker/docker_storage_configured/rule.yml b/linux_os/guide/services/docker/docker_storage_configured/rule.yml
index 5244c716919..c153237c345 100644
--- a/linux_os/guide/services/docker/docker_storage_configured/rule.yml
+++ b/linux_os/guide/services/docker/docker_storage_configured/rule.yml
@@ -19,7 +19,4 @@ severity: low platform: machine # The check uses service_... extended definition, which doesnt support offline mode -identifiers: - cce@rhel7: CCE-80441-9 - platform: machine
diff --git a/linux_os/guide/services/docker/service_docker_enabled/rule.yml b/linux_os/guide/services/docker/service_docker_enabled/rule.yml
index 91c009ebddf..652e48bbdd3 100644
--- a/linux_os/guide/services/docker/service_docker_enabled/rule.yml
+++ b/linux_os/guide/services/docker/service_docker_enabled/rule.yml
@@ -15,9 +15,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80440-1 - ocil: |- {{{ ocil_service_enabled(service="docker") }}}
diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
index 615a5cbc906..e5d6aebf47b 100644
--- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
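Review bot: In the docker_selinux_enabled hunk the trailing `platform: machine` after the removed identifiers block reads as a kept context line, which would leave the new file declaring the `platform` key twice — once with the inline comment, once at the end; docker_storage_configured on this line has the same shape. If that reading is right, the duplicate should be dropped in this change, since YAML loaders silently keep the last value and a duplicate mapping key is invalid under the 1.2 spec. If the trailing line is instead the one being removed, the hunks are fine as they stand — the collapsed layout makes the `-` marker ambiguous, so it is worth a glance at the rendered diff.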
+++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
@@ -12,7 +12,6 @@ rationale: |- severity: high identifiers: - cce@rhel7: CCE-80245-4 cce@rhel8: CCE-82414-4 cce@rhel9: CCE-84159-3 cce@sle12: CCE-83226-1
@@ -34,7 +33,6 @@ references: srg: SRG-OS-000074-GPOS-00042,SRG-OS-000095-GPOS-00049,SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040690 stigid@ol8: OL08-00-040360 - stigid@rhel7: RHEL-07-040690 stigid@rhel8: RHEL-08-040360 stigid@sle12: SLES-12-030011 stigid@sle15: SLES-15-010030
diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
index 0ca6769588f..2cf51be3131 100644
--- a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
+++ b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
@@ -15,7 +15,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80244-7 cce@rhel8: CCE-82413-6 cce@rhel9: CCE-84160-1 cce@sle12: CCE-92246-8
diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_configure_firewall/rule.yml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_configure_firewall/rule.yml
index 5bbba879d62..f3e11b9dc06 100644
--- a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_configure_firewall/rule.yml
+++ b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_configure_firewall/rule.yml
@@ -3,12 +3,6 @@ documentation_complete: true title: 'Configure Firewalls to Protect the FTP Server' description: |- - {{% if product == "rhel7" %}} - By default, firewalld - blocks access to the ports used by the web server. - - {{{ describe_firewalld_allow_service(service="ftp") }}} - {{% else %}} By default, iptables blocks access to the ports used by the web server.
@@ -16,17 +10,8 @@ description: |- Edit the file /etc/sysconfig/iptables-config. Ensure that the space-separated list of modules contains the FTP connection tracking module:
IPTABLES_MODULES="ip_conntrack_ftp"
- {{% endif %}} rationale: |- These settings configure the firewall to allow connections to an FTP server. - {{% if product != "rhel7" %}} - The first line allows initial connections to the FTP server port. - FTP is an older protocol which is not very compatible with firewalls. During the initial FTP dialogue, the client - and server negotiate an arbitrary port to be used for data transfer. The ip_conntrack_ftp module is used by - iptables to listen to that dialogue and allow connections to the data ports which FTP negotiates. This allows an - FTP server to operate on a system which is running a firewall. - {{% endif %}} - severity: unknown
diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_disable_uploads/rule.yml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_disable_uploads/rule.yml
index 8a7bda4f7d6..4b78e881b72 100644
--- a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_disable_uploads/rule.yml
+++ b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_disable_uploads/rule.yml
@@ -17,5 +17,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80250-4
diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_home_partition/rule.yml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_home_partition/rule.yml
index 6967f679ff7..37a0f75e241 100644
--- a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_home_partition/rule.yml
+++ b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_home_partition/rule.yml
@@ -13,5 +13,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80251-2
diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_log_transactions/rule.yml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_log_transactions/rule.yml
index 44a4ad5762a..2be934bd9cc 100644
--- a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_log_transactions/rule.yml
+++ b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_log_transactions/rule.yml
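Review bot: The rationale hunk of ftp_configure_firewall removes the whole `{{% if product != "rhel7" %}}` paragraph that explains why ip_conntrack_ftp is needed, not just its guard; with rhel7 gone that paragraph applies to every remaining product, so the sentences from `The first line allows initial connections to the FTP server port.` through `...running a firewall.` should stay under `rationale: |-` with only the `{{% if %}}`/`{{% endif %}}` lines deleted. In the description hunk of the same file, and in the matching httpd_configure_firewall hunk later in this diff, the branch that survives is the iptables one while the deleted rhel7 branch was the firewalld one (`describe_firewalld_allow_service`); if the products still built by this repository default to firewalld rather than a hand-edited iptables configuration, the surviving text now documents the wrong tool and the firewalld branch was the one to keep, which is worth confirming against the remaining product list before merging. While this description is being touched, the retained line `blocks access to the ports used by the web server.` in an FTP rule should read `FTP server`.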
@@ -17,9 +17,6 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80247-0 - ocil_clause: 'xferlog_enable is missing, or is not set to yes' ocil: |-
diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
index 5c8b8a8a336..255f8f76046 100644
--- a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
+++ b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
@@ -17,7 +17,6 @@ rationale: 'This setting will cause the system greeting banner to be used for FT severity: medium identifiers: - cce@rhel7: CCE-80248-8 cce@sle12: CCE-83059-6 references:
diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_restrict_users/ftp_restrict_to_anon/rule.yml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_restrict_users/ftp_restrict_to_anon/rule.yml
index 0f41619fd69..2fa4c4f4c7d 100644
--- a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_restrict_users/ftp_restrict_to_anon/rule.yml
+++ b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_restrict_users/ftp_restrict_to_anon/rule.yml
@@ -22,7 +22,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80249-6 cce@rhel8: CCE-82412-8 references:
diff --git a/linux_os/guide/services/ftp/ftp_use_vsftpd/package_vsftpd_installed/rule.yml b/linux_os/guide/services/ftp/ftp_use_vsftpd/package_vsftpd_installed/rule.yml
index 0cbfb25cd28..c9d9bdf5c3a 100644
--- a/linux_os/guide/services/ftp/ftp_use_vsftpd/package_vsftpd_installed/rule.yml
+++ b/linux_os/guide/services/ftp/ftp_use_vsftpd/package_vsftpd_installed/rule.yml
@@ -15,7 +15,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-80246-2 cce@rhel8: CCE-82411-0 references:
diff --git a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
index f23a5c8396a..a1d7eafdca6 100644
--- a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
+++ b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
@@ -20,7 +20,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-90757-6 cce@rhel8: CCE-90745-1 cce@rhel9: CCE-86075-9
diff --git a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
index b5a13210d97..6b0397a6a80 100644
--- a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
+++ b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
@@ -17,7 +17,6 @@ rationale: |- severity: unknown identifiers: - cce@rhel7: CCE-80301-5 cce@rhel8: CCE-85970-2 cce@rhel9: CCE-85974-4 cce@sle12: CCE-91643-7
diff --git a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
index 1edb2f712da..8e27721af14 100644
--- a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
+++ b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
@@ -13,7 +13,6 @@ rationale: |- severity: unknown identifiers: - cce@rhel7: CCE-80300-7 cce@rhel8: CCE-82761-8 cce@rhel9: CCE-84213-8 cce@sle12: CCE-92247-6
diff --git a/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml b/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml
index e45dfca966b..5238e8aa8e8 100644
--- a/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml
+++ b/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml
@@ -13,7 +13,6 @@ rationale: |- severity: unknown identifiers: - cce@rhel7: CCE-90758-4 cce@rhel8: CCE-88034-4 cce@rhel9: CCE-88035-1
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_log_format/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_log_format/rule.yml
index 2d78161900a..19e5073fb34 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_log_format/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_log_format/rule.yml
@@ -19,10 +19,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80548-1 - - ocil_clause: 'it is not' ocil: |-
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml
index c787ba84d42..14c15a0aeb9 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml
@@ -19,10 +19,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80551-5 - - ocil_clause: 'it is not' ocil: |-
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_antivirus_scan_uploads/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_antivirus_scan_uploads/rule.yml
index 235a2a6bf0f..8c7f38af8bf 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_antivirus_scan_uploads/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_antivirus_scan_uploads/rule.yml
@@ -20,9 +20,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80561-4 - ocil_clause: 'it is not' ocil: |-
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_configure_firewall/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_configure_firewall/rule.yml
index 4da7b09ef66..8c4ba74680c 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_configure_firewall/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_configure_firewall/rule.yml
@@ -4,17 +4,10 @@ documentation_complete: true title: 'Configure firewall to Allow Access to the Web Server' description: |- - {{% if product == "rhel7" %}} - By default, firewalld - blocks access to the ports used by the web server. - {{{ describe_firewalld_allow_service(service="http") }}} - {{{ describe_firewalld_allow_service(service="https") }}} - {{% else %}} By default, iptables blocks access to the ports used by the web server. {{{ describe_iptables_allow(proto="tcp", port=80) }}} {{{ describe_iptables_allow(proto="tcp", port=443) }}} - {{% endif %}} rationale: |- Failure to comply with DoD ports, protocols, and services (PPS) requirements
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_etc_httpd_conf/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_etc_httpd_conf/rule.yml
index b2eca5da7ab..fa88474349c 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_etc_httpd_conf/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_etc_httpd_conf/rule.yml
@@ -11,8 +11,5 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80323-9 - ocil: |- {{{ ocil_file_permissions(file="/etc/http/conf", perms="-rwxr-x---") }}}
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_var_log_httpd/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_var_log_httpd/rule.yml
index 8e0f0322f4a..71bc5f8a4ec 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_var_log_httpd/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_var_log_httpd/rule.yml
@@ -20,9 +20,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80322-1 - references: cis-csc: 11,14,3,9 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_d_files/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_d_files/rule.yml
index 29e79670506..7061846698f 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_d_files/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_d_files/rule.yml
@@ -11,9 +11,6 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80381-7 - references: cis-csc: 11,14,3,9 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_files/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_files/rule.yml
index 86a9aa14601..b5e5c2caa19 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_files/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_files/rule.yml
@@ -11,9 +11,6 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80324-7 - references: cis-csc: 11,14,3,9 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_modules_files/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_modules_files/rule.yml
index db23c6d4c5c..44034daf315 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_modules_files/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_modules_files/rule.yml
@@ -11,9 +11,6 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80382-5 - references: cis-csc: 11,14,3,9 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/http_configure_log_file_ownership/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/http_configure_log_file_ownership/rule.yml
index 5a475fef79c..c35e0b829dc 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/http_configure_log_file_ownership/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/http_configure_log_file_ownership/rule.yml
@@ -18,9 +18,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80562-2 - ocil: |- {{{ describe_file_owner(file="/var/log/httpd", owner="root") }}} {{{ describe_file_owner(file="/var/log/httpd/*", owner="root") }}}
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_perl_securely/httpd_configure_perl_taint/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_perl_securely/httpd_configure_perl_taint/rule.yml
index aa2fec173b1..a10a1c936c4 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_perl_securely/httpd_configure_perl_taint/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_perl_securely/httpd_configure_perl_taint/rule.yml
@@ -27,10 +27,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80560-6 - - ocil_clause: 'it is not' ocil: |-
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_anonymous_content_sharing/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_anonymous_content_sharing/rule.yml
index 1b102c63b44..5a61b53926f 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_anonymous_content_sharing/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_anonymous_content_sharing/rule.yml
@@ -18,10 +18,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80555-6 - - ocil_clause: 'it is not' ocil: |-
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_configure_script_permissions/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_configure_script_permissions/rule.yml
index 4bc4ce7b52f..879a59d5e50 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_configure_script_permissions/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_configure_script_permissions/rule.yml
@@ -19,10 +19,6 @@ rationale: |- severity: high -identifiers: - cce@rhel7: CCE-80556-4 - - ocil_clause: 'it is not' ocil: |-
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_disable_anonymous_ftp_access/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_disable_anonymous_ftp_access/rule.yml
index 4a4fd4c403b..5b09c7f8ab1 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_disable_anonymous_ftp_access/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_disable_anonymous_ftp_access/rule.yml
@@ -19,10 +19,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80553-1 - - ocil_clause: 'it is not' ocil: |-
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_ignore_htaccess_files/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_ignore_htaccess_files/rule.yml
index e20ace7dfa9..f75d0ec2282 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_ignore_htaccess_files/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_ignore_htaccess_files/rule.yml
@@ -19,10 +19,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80554-9 - - ocil_clause: 'it is not' ocil: |-
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_limit_available_methods/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_limit_available_methods/rule.yml
index 7dee169f441..a6701b0d47a 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_limit_available_methods/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_limit_available_methods/rule.yml
@@ -25,5 +25,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80319-7
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_restrict_critical_directories/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_restrict_critical_directories/rule.yml
index dc9ccb8dd66..5fb4aebc4f9 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_restrict_critical_directories/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_restrict_critical_directories/rule.yml
@@ -15,5 +15,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80318-9
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_restrict_root_directory/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_restrict_root_directory/rule.yml
index 27c4faf0c8f..f9df2b861d4 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_restrict_root_directory/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_restrict_root_directory/rule.yml
@@ -17,5 +17,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80316-3 diff --git a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_restrict_web_directory/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_restrict_web_directory/rule.yml index b59434dc78e..9aefcd9556f 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_restrict_web_directory/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_restrict_web_directory/rule.yml @@ -24,5 +24,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80317-1 diff --git a/linux_os/guide/services/http/securing_httpd/httpd_enable_error_logging/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_enable_error_logging/rule.yml index cce226b5a75..711e8faabe6 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_enable_error_logging/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_enable_error_logging/rule.yml @@ -18,10 +18,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-81130-7 - - ocil_clause: 'it is not' ocil: |- diff --git a/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml index a8708803715..d2123e14c6d 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml @@ -21,10 +21,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80550-7 - - ocil_clause: 'it is not' ocil: |- diff --git a/linux_os/guide/services/http/securing_httpd/httpd_enable_system_logging/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_enable_system_logging/rule.yml index 0b5527469c4..2c33d381bd9 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_enable_system_logging/rule.yml 
+++ b/linux_os/guide/services/http/securing_httpd/httpd_enable_system_logging/rule.yml @@ -19,10 +19,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80549-9 - - ocil_clause: 'it is not' ocil: |- diff --git a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_cache_support/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_cache_support/rule.yml index 68d696736e8..fd767670250 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_cache_support/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_cache_support/rule.yml @@ -19,5 +19,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80314-8 diff --git a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_cgi_support/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_cgi_support/rule.yml index da3d0e3e3e0..a32080e9bb5 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_cgi_support/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_cgi_support/rule.yml @@ -17,5 +17,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80315-5 diff --git a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_digest_authentication/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_digest_authentication/rule.yml index 5458cb81b84..6bf4c1ac62b 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_digest_authentication/rule.yml 
+++ b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_digest_authentication/rule.yml @@ -14,5 +14,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80304-9 diff --git a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_enable_log_config/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_enable_log_config/rule.yml index 8929e49c1b3..54bfcb5d5cb 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_enable_log_config/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_enable_log_config/rule.yml @@ -19,10 +19,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80552-3 - - ocil_clause: 'it is not' ocil: |- diff --git a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_ldap_support/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_ldap_support/rule.yml index 84583779680..210e7d9caef 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_ldap_support/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_ldap_support/rule.yml @@ -16,5 +16,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80306-4 diff --git a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_mime_magic/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_mime_magic/rule.yml index b49a7bc85d6..432c1f6e7ea 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_mime_magic/rule.yml 
+++ b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_mime_magic/rule.yml @@ -14,5 +14,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80308-0 diff --git a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_mod_rewrite/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_mod_rewrite/rule.yml index 59fafac76ee..7f34106913d 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_mod_rewrite/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_mod_rewrite/rule.yml @@ -16,5 +16,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80305-6 diff --git a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_proxy_support/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_proxy_support/rule.yml index f40d7e450f3..cc82dbc9100 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_proxy_support/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_proxy_support/rule.yml @@ -20,5 +20,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80313-0 diff --git a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_server_activity_status/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_server_activity_status/rule.yml index b6ab0dac6f1..646ccae73f9 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_server_activity_status/rule.yml 
+++ b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_server_activity_status/rule.yml @@ -18,5 +18,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80310-6 diff --git a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_server_configuration_display/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_server_configuration_display/rule.yml index eac4893fa3e..85422716c3e 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_server_configuration_display/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_server_configuration_display/rule.yml @@ -17,5 +17,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80311-4 diff --git a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_server_side_includes/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_server_side_includes/rule.yml index aeba965f609..de7380cae93 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_server_side_includes/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_server_side_includes/rule.yml @@ -19,5 +19,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80307-2 diff --git a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_url_correction/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_url_correction/rule.yml index b4b7ad90022..f080a3c4383 100644 
--- a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_url_correction/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_url_correction/rule.yml @@ -15,5 +15,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80312-2 diff --git a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_webdav/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_webdav/rule.yml index 5054adf42af..018e7a53725 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_webdav/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_webdav/rule.yml @@ -19,5 +19,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80309-8 diff --git a/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_security/httpd_install_mod_security/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_security/httpd_install_mod_security/rule.yml index ccf3c6a653b..fa7874b5885 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_security/httpd_install_mod_security/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_security/httpd_install_mod_security/rule.yml @@ -14,5 +14,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80321-3 diff --git a/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_configure_tls/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_configure_tls/rule.yml index d96af355760..db0048ef886 100644 
--- a/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_configure_tls/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_configure_tls/rule.yml @@ -21,10 +21,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80557-2 - - ocil_clause: 'it is not' ocil: |- diff --git a/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_configure_valid_server_cert/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_configure_valid_server_cert/rule.yml index 727f0100ac5..a1645db598a 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_configure_valid_server_cert/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_configure_valid_server_cert/rule.yml @@ -19,10 +19,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80559-8 - - ocil_clause: 'it is not' ocil: |- diff --git a/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_install_mod_ssl/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_install_mod_ssl/rule.yml index 510e9afe7ce..b3723b8e986 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_install_mod_ssl/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_install_mod_ssl/rule.yml @@ -14,5 +14,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80320-5 
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_require_client_certs/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_require_client_certs/rule.yml index bdb6554a7ba..46bb22f82c2 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_require_client_certs/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_require_client_certs/rule.yml @@ -17,10 +17,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80558-0 - - ocil_clause: 'it is not' ocil: |- diff --git a/linux_os/guide/services/http/securing_httpd/httpd_restrict_info_leakage/httpd_serversignature_off/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_restrict_info_leakage/httpd_serversignature_off/rule.yml index d3ced3a1ac6..52e2de5880a 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_restrict_info_leakage/httpd_serversignature_off/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_restrict_info_leakage/httpd_serversignature_off/rule.yml @@ -16,9 +16,6 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80303-1 - references: cis-csc: 11,14,3,9 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 diff --git a/linux_os/guide/services/http/securing_httpd/httpd_restrict_info_leakage/httpd_servertokens_prod/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_restrict_info_leakage/httpd_servertokens_prod/rule.yml index 1d550fe5f83..65c0762073c 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_restrict_info_leakage/httpd_servertokens_prod/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_restrict_info_leakage/httpd_servertokens_prod/rule.yml 
@@ -15,9 +15,6 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80302-3 - references: cis-csc: 11,14,3,9 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 diff --git a/linux_os/guide/services/imap/configure_dovecot/dovecot_allow_imap_access/group.yml b/linux_os/guide/services/imap/configure_dovecot/dovecot_allow_imap_access/group.yml index b3a99424e61..4a69f9b5950 100644 --- a/linux_os/guide/services/imap/configure_dovecot/dovecot_allow_imap_access/group.yml +++ b/linux_os/guide/services/imap/configure_dovecot/dovecot_allow_imap_access/group.yml @@ -3,15 +3,7 @@ documentation_complete: true title: 'Allow IMAP Clients to Access the Server' description: |- - {{% if product == "rhel7" %}} - The default firewalld configuration does not allow inbound - access to any services. This modification will allow remote hosts to - initiate connections to the IMAP daemon, while keeping all other ports - on the server in their default protected state. - {{{ describe_firewalld_allow_port(port="143", proto="tcp") }}} - {{% else %}} The default iptables configuration does not allow inbound access to any services. This modification will allow remote hosts to initiate connections to the IMAP daemon, while keeping all other ports on the server in their default protected state. {{{ describe_iptables_allow(proto="tcp", port=143) }}} - {{% endif %}} diff --git a/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_configure_ssl_cert/rule.yml b/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_configure_ssl_cert/rule.yml index fb173790d09..1c08ac15c41 100644 --- a/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_configure_ssl_cert/rule.yml +++ b/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_configure_ssl_cert/rule.yml @@ -22,5 +22,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80297-5 
diff --git a/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_configure_ssl_key/rule.yml b/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_configure_ssl_key/rule.yml index 429d28ddfb2..65aba389d69 100644 --- a/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_configure_ssl_key/rule.yml +++ b/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_configure_ssl_key/rule.yml @@ -21,5 +21,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80298-3 diff --git a/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_disable_plaintext_auth/rule.yml b/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_disable_plaintext_auth/rule.yml index 32b1553d041..81ef92af2fb 100644 --- a/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_disable_plaintext_auth/rule.yml +++ b/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_disable_plaintext_auth/rule.yml @@ -15,5 +15,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80299-1 diff --git a/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_enable_ssl/rule.yml b/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_enable_ssl/rule.yml index 49f4e2dd465..6b7c4f5ffc3 100644 --- a/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_enable_ssl/rule.yml +++ b/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_enable_ssl/rule.yml @@ -18,5 +18,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80296-7 diff --git a/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml b/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml index 483036c146f..973ced1b398 100644 
--- a/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml +++ b/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: unknown identifiers: - cce@rhel7: CCE-90760-0 cce@rhel8: CCE-88119-3 cce@rhel9: CCE-88120-1 diff --git a/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml index c2ad79d8036..f0e628a6e1a 100644 --- a/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml +++ b/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml @@ -17,7 +17,6 @@ rationale: |- severity: unknown identifiers: - cce@rhel7: CCE-80295-9 cce@rhel8: CCE-85976-9 cce@rhel9: CCE-85977-7 cce@sle12: CCE-92249-2 diff --git a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml index b6b4ff14c1b..da5eff62125 100644 --- a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml +++ b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: unknown identifiers: - cce@rhel7: CCE-80294-2 cce@rhel8: CCE-82760-0 cce@rhel9: CCE-84242-7 cce@sle12: CCE-92248-4 diff --git a/linux_os/guide/services/ldap/389_ds/package_389-ds-base_removed/rule.yml b/linux_os/guide/services/ldap/389_ds/package_389-ds-base_removed/rule.yml index b8c48400581..ebeeb4f8194 100644 --- a/linux_os/guide/services/ldap/389_ds/package_389-ds-base_removed/rule.yml +++ b/linux_os/guide/services/ldap/389_ds/package_389-ds-base_removed/rule.yml @@ -18,7 +18,6 @@ severity: low identifiers: cce@rhcos4: CCE-82725-3 - cce@rhel7: CCE-82727-9 cce@rhel8: CCE-82728-7 references: 
diff --git a/linux_os/guide/services/ldap/openldap_client/enable_ldap_client/rule.yml b/linux_os/guide/services/ldap/openldap_client/enable_ldap_client/rule.yml index 91db330b1b1..444b0e027e8 100644 --- a/linux_os/guide/services/ldap/openldap_client/enable_ldap_client/rule.yml +++ b/linux_os/guide/services/ldap/openldap_client/enable_ldap_client/rule.yml @@ -20,7 +20,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80448-4 cce@rhel8: CCE-82418-5 references: diff --git a/linux_os/guide/services/ldap/openldap_client/group.yml b/linux_os/guide/services/ldap/openldap_client/group.yml index 1f3bfba1f4e..1ed4fca9205 100644 --- a/linux_os/guide/services/ldap/openldap_client/group.yml +++ b/linux_os/guide/services/ldap/openldap_client/group.yml @@ -12,9 +12,7 @@ description: |- authconfig tools do not allow you to specify locations of SSL certificate files, which is useful when trying to use SSL cleanly across several protocols. Installation and configuration of OpenLDAP on {{{ full_name }}} is available at - {{% if product == "rhel7" %}} - {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/openldap") }}}. - {{% elif product == "ol7" %}} + {{% if product == "ol7" %}} {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/7/userauth/userauth-AuthenticationConfiguration.html#ol7-s7-auth") }}}. {{% endif %}} diff --git a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml index 229b3c08d9a..288b40a937f 100644 --- a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml +++ b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml @@ -24,7 +24,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80291-8 cce@rhel8: CCE-82416-9 references: 
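Review bot: In the openldap_client/group.yml hunk the sentence `protocols. Installation and configuration of OpenLDAP on {{{ full_name }}} is available at` is a context line that sits outside the conditional, so after this change every product other than ol7 renders a description that ends in a dangling "is available at" with no link following it. The rhel7 branch was the other case that completed the sentence; with it gone the only product that still gets a link is ol7. Move the sentence into the remaining branch, e.g. end the context line at `protocols.` and put `Installation and configuration of OpenLDAP on {{{ full_name }}} is available at` on its own line directly after `{{% if product == "ol7" %}}`, so that the weblink and the trailing `.` stay together inside the block. The `description: |-` block starts before the hunk, so check the rendered guide output for a non-ol7 product rather than only the template text.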
diff --git a/linux_os/guide/services/ldap/openldap_client/ldap_client_tls_cacertpath/rule.yml b/linux_os/guide/services/ldap/openldap_client/ldap_client_tls_cacertpath/rule.yml index 9f6b9b49394..7da4d4a2ce5 100644 --- a/linux_os/guide/services/ldap/openldap_client/ldap_client_tls_cacertpath/rule.yml +++ b/linux_os/guide/services/ldap/openldap_client/ldap_client_tls_cacertpath/rule.yml @@ -22,7 +22,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80292-6 cce@rhel8: CCE-82417-7 references: diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml index 7a24501dcbf..8e2b140d2bc 100644 --- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml +++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml @@ -24,7 +24,6 @@ rationale: severity: low identifiers: - cce@rhel7: CCE-82884-8 cce@rhel8: CCE-82885-5 cce@rhel9: CCE-90831-9 cce@sle12: CCE-91681-7 diff --git a/linux_os/guide/services/ldap/openldap_server/group.yml b/linux_os/guide/services/ldap/openldap_server/group.yml index d571867a7f8..510d5c6e40b 100644 --- a/linux_os/guide/services/ldap/openldap_server/group.yml +++ b/linux_os/guide/services/ldap/openldap_server/group.yml @@ -5,7 +5,3 @@ title: 'Configure OpenLDAP Server' description: |- This section details some security-relevant settings for an OpenLDAP server. - {{% if product == "rhel7" %}} - Installation and configuration of OpenLDAP on Red Hat Enterprise Linux 7 is available at: - {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/openldap") }}}. - {{% endif %}} 
diff --git a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml index 8c581b44d17..0d8f310e4f9 100644 --- a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml +++ b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml @@ -28,7 +28,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-80293-4 cce@rhel8: CCE-82415-1 cce@sle12: CCE-91640-3 cce@sle15: CCE-91283-2 diff --git a/linux_os/guide/services/mail/has_nonlocal_mta/rule.yml b/linux_os/guide/services/mail/has_nonlocal_mta/rule.yml index 8be22ed3329..eab269c9197 100644 --- a/linux_os/guide/services/mail/has_nonlocal_mta/rule.yml +++ b/linux_os/guide/services/mail/has_nonlocal_mta/rule.yml @@ -19,7 +19,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-88497-3 cce@rhel8: CCE-88498-1 cce@rhel9: CCE-88499-9 diff --git a/linux_os/guide/services/mail/package_mailx_installed/rule.yml b/linux_os/guide/services/mail/package_mailx_installed/rule.yml index ebbfcfc125b..ac597234114 100644 --- a/linux_os/guide/services/mail/package_mailx_installed/rule.yml +++ b/linux_os/guide/services/mail/package_mailx_installed/rule.yml @@ -14,7 +14,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86611-1 cce@rhel8: CCE-87036-0 cce@sle12: CCE-92331-8 cce@sle15: CCE-92519-8 @@ -25,7 +24,6 @@ references: srg: SRG-OS-000363-GPOS-00150 stigid@ol7: OL07-00-020028 stigid@ol8: OL08-00-010358 - stigid@rhel7: RHEL-07-020028 stigid@rhel8: RHEL-08-010358 stigid@sle12: SLES-12-010498 stigid@sle15: SLES-15-010418 diff --git a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml index 4daf930b402..b5ff3a5d4d4 100644 --- a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml 
+++ b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80288-4 cce@rhel8: CCE-81039-0 cce@rhel9: CCE-90830-1 cce@sle12: CCE-91463-0 diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml index 587786ee71e..dd5387f891f 100644 --- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml +++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml @@ -19,7 +19,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-82380-7 cce@rhel8: CCE-82381-5 cce@rhel9: CCE-90826-9 cce@sle12: CCE-83031-5 diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml index 690c57319fc..45c546b60c5 100644 --- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml +++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80289-2 cce@rhel8: CCE-82174-4 cce@rhel9: CCE-90825-1 cce@sle12: CCE-91595-9 diff --git a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_banner/rule.yml b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_banner/rule.yml index b1b5611373e..5bff211d2c1 100644 --- a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_banner/rule.yml +++ b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_banner/rule.yml @@ -23,7 +23,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-80290-0 cce@rhel8: CCE-82379-9 references: 
diff --git a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml index 8cf59a2ed64..1d83e2c227a 100644 --- a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml +++ b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80512-7 cce@rhel8: CCE-84054-6 cce@rhel9: CCE-87232-5 @@ -25,7 +24,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040680 stigid@ol8: OL08-00-040290 - stigid@rhel7: RHEL-07-040680 stigid@rhel8: RHEL-08-040290 ocil_clause: 'the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject"' diff --git a/linux_os/guide/services/mail/service_postfix_enabled/rule.yml b/linux_os/guide/services/mail/service_postfix_enabled/rule.yml index c8942680f88..3433ea6ac3d 100644 --- a/linux_os/guide/services/mail/service_postfix_enabled/rule.yml +++ b/linux_os/guide/services/mail/service_postfix_enabled/rule.yml @@ -16,9 +16,6 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80287-6 - ocil_clause: 'the system is not a cross domain solution and the service is not enabled' ocil: |- diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/package_rpcbind_removed/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/package_rpcbind_removed/rule.yml index abc080acd82..5d6df13aa45 100644 --- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/package_rpcbind_removed/rule.yml 
+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/package_rpcbind_removed/rule.yml @@ -19,7 +19,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-86644-2 cce@rhel8: CCE-86645-9 cce@rhel9: CCE-86646-7 cce@sle12: CCE-92312-8 diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_nfslock_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_nfslock_disabled/rule.yml index ee21b4e0750..53a46e2380d 100644 --- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_nfslock_disabled/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_nfslock_disabled/rule.yml @@ -14,9 +14,6 @@ rationale: "" severity: unknown -identifiers: - cce@rhel7: CCE-80228-0 - template: name: service_disabled vars: diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml index 9829263e230..6c5e1302a10 100644 --- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml @@ -19,7 +19,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-80230-6 cce@rhel8: CCE-82858-2 cce@rhel9: CCE-84245-0 cce@sle12: CCE-91682-5 diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcgssd_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcgssd_disabled/rule.yml index 58571401daa..01ffb14cdf0 100644 --- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcgssd_disabled/rule.yml 
+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcgssd_disabled/rule.yml @@ -14,9 +14,6 @@ rationale: "" severity: unknown -identifiers: - cce@rhel7: CCE-80229-8 - template: name: service_disabled vars: diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcidmapd_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcidmapd_disabled/rule.yml index d2355e7e179..98bc27a6ec1 100644 --- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcidmapd_disabled/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcidmapd_disabled/rule.yml @@ -13,9 +13,6 @@ rationale: "" severity: unknown -identifiers: - cce@rhel7: CCE-80231-4 - template: name: service_disabled vars: diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/group.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/group.yml index c5ed69795b4..abfc22bffd3 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/group.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/group.yml @@ -8,11 +8,7 @@ description: |- should never be accessible from outside the organization. However, by default for NFSv3 and NFSv2, the RPC Bind service assigns each NFS service to a port dynamically at service startup time. Dynamic ports cannot be protected by port - {{% if product == "rhel7" %}} - filtering firewalls such as firewalld. - {{% else %}} filtering firewalls such as iptables. - {{% endif %}}

Therefore, restrict each service to always use a given port, so that firewalling can be done effectively. Note that, because of the way RPC is diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_lockd_tcp_port/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_lockd_tcp_port/rule.yml index ea10a064809..8b47d44a15c 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_lockd_tcp_port/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_lockd_tcp_port/rule.yml @@ -17,5 +17,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80232-2 diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_lockd_udp_port/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_lockd_udp_port/rule.yml index af03a1e073d..e2f0703d9e1 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_lockd_udp_port/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_lockd_udp_port/rule.yml @@ -17,5 +17,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80233-0 diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_mountd_port/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_mountd_port/rule.yml index 0dfbadb768c..d1e4d778a81 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_mountd_port/rule.yml 
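Review bot: Dropping the `rhel7` branch leaves this description telling every remaining product, including the rhel8/rhel9/rhel10 products that the obsolete/group.yml hunk in this same patch treats as firewalld-based, that dynamic ports cannot be protected by "filtering firewalls such as iptables". If the firewalld wording was meant to survive for the newer RHEL products rather than only for rhel7, the conditional should be retargeted instead of removed, e.g. `{{% if "rhel" in product %}}` / `filtering firewalls such as firewalld.` / `{{% else %}}` with the iptables line in the else branch, which is also what obsolete/group.yml now does. As written the two group descriptions disagree on the same point. The `description` block this hunk edits starts before the hunk.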
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_mountd_port/rule.yml @@ -16,5 +16,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80235-5 diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_statd_port/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_statd_port/rule.yml index a05a1660e1e..441ffadc13c 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_statd_port/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_statd_port/rule.yml @@ -16,5 +16,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80234-8 diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/nfs_no_anonymous/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/nfs_no_anonymous/rule.yml index d3afafe8bbe..8af00e1dc8f 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/nfs_no_anonymous/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/nfs_no_anonymous/rule.yml @@ -20,9 +20,6 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80236-3 - ocil_clause: 'anonuid or anongid are not set to a value greater than UID_MAX (for anonuid) and GID_MAX (for anongid)' ocil: |- diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml index 32845e7bea4..137a2163194 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml 
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml @@ -14,7 +14,6 @@ rationale: 'Unnecessary services should be disabled to decrease the attack surfa severity: unknown identifiers: - cce@rhel7: CCE-80237-1 cce@rhel8: CCE-82762-6 cce@rhel9: CCE-90850-9 cce@sle12: CCE-92244-3 diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_rpcsvcgssd_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_rpcsvcgssd_disabled/rule.yml index dcf9df313c8..ed3addb1b69 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_rpcsvcgssd_disabled/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_rpcsvcgssd_disabled/rule.yml @@ -14,9 +14,6 @@ rationale: 'Unnecessary services should be disabled to decrease the attack surfa severity: unknown -identifiers: - cce@rhel7: CCE-80238-9 - ocil_clause: |- {{{ ocil_clause_service_disabled(service="rpcsvcgssd") }}} diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/rule.yml index 38426e6a31e..e35d69a45be 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/rule.yml @@ -14,7 +14,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27458-9 cce@rhel9: CCE-87416-4 references: 
@@ -28,7 +27,6 @@ references: nist-csf: PR.AC-4,PR.AC-7 srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040750 - stigid@rhel7: RHEL-07-040750 ocil_clause: 'the setting is not configured, has the ''sys'' option added, or does not have all Kerberos options added' diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml index 46eee5e2871..549b4dabb81 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml @@ -12,7 +12,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80239-7 cce@rhel8: CCE-84052-0 cce@rhel9: CCE-90838-4 diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml index 9dade3e520a..4cf8ff005e5 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml @@ -14,7 +14,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80436-9 cce@rhel8: CCE-84050-4 cce@rhel9: CCE-84246-8 cce@sle12: CCE-83103-2 @@ -32,7 +31,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-021021 stigid@ol8: OL08-00-010630 - stigid@rhel7: RHEL-07-021021 stigid@rhel8: RHEL-08-010630 stigid@sle12: SLES-12-010820 stigid@sle15: SLES-15-040170 
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml index fa1aa0f385a..64eea94be86 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml @@ -12,7 +12,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80240-5 cce@rhel8: CCE-84053-8 cce@rhel9: CCE-84247-6 cce@sle12: CCE-83102-4 @@ -30,7 +29,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-021020 stigid@ol8: OL08-00-010650 - stigid@rhel7: RHEL-07-021020 stigid@rhel8: RHEL-08-010650 stigid@sle12: SLES-12-010810 stigid@sle15: SLES-15-040160 diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/no_insecure_locks_exports/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/no_insecure_locks_exports/rule.yml index 1abc8cab892..5f0a17b3df9 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/no_insecure_locks_exports/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/no_insecure_locks_exports/rule.yml @@ -21,9 +21,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80243-9 - references: disa: CCI-000764 diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/restrict_nfs_clients_to_privileged_ports/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/restrict_nfs_clients_to_privileged_ports/rule.yml index e27c9d64e8a..bdbd3bdf189 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/restrict_nfs_clients_to_privileged_ports/rule.yml 
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/restrict_nfs_clients_to_privileged_ports/rule.yml @@ -19,9 +19,6 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80242-1 - references: cis-csc: 11,12,14,15,16,18,3,5 cobit5: DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.03,DSS06.06 diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/use_kerberos_security_all_exports/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/use_kerberos_security_all_exports/rule.yml index e2e08848ccb..129eb76ee66 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/use_kerberos_security_all_exports/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/use_kerberos_security_all_exports/rule.yml @@ -17,7 +17,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27464-7 cce@rhel8: CCE-80924-4 cce@rhel9: CCE-89947-6 cce@sle15: CCE-91416-8 diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/use_root_squashing_all_exports/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/use_root_squashing_all_exports/rule.yml index 446f1da9027..6a59c918ceb 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/use_root_squashing_all_exports/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/use_root_squashing_all_exports/rule.yml @@ -17,5 +17,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80241-3 diff --git a/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml b/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml index b81fb5425c2..0c4bd44de51 100644 --- a/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml 
@@ -16,7 +16,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-82933-3 cce@rhel8: CCE-82932-5 cce@rhel9: CCE-84243-5 cce@sle12: CCE-91641-1 diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml index 467e730bb32..114a207fbd5 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml @@ -73,7 +73,6 @@ platforms: identifiers: cce@rhcos4: CCE-82684-2 - cce@rhel7: CCE-80439-3 cce@rhel8: CCE-84059-5 cce@rhel9: CCE-88648-1 cce@sle12: CCE-83124-8 @@ -92,7 +91,6 @@ references: srg: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144,SRG-OS-000359-GPOS-00146 stigid@ol7: OL07-00-040500 stigid@ol8: OL08-00-030740 - stigid@rhel7: RHEL-07-040500 stigid@rhel8: RHEL-08-030740 stigid@sle12: SLES-12-030300 stigid@sle15: SLES-15-010400 diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_nothing_done.fail.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_nothing_done.fail.sh index 14bcb756d00..15c19212f90 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_nothing_done.fail.sh +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_nothing_done.fail.sh @@ -1,7 +1,7 @@ #!/bin/bash # packages = chrony # variables = var_time_service_set_maxpoll=16 -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 {{{ bash_package_remove("ntp") }}} diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/ntp.pass.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/ntp.pass.sh index 292814fd64e..885a03bc45c 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/ntp.pass.sh +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/ntp.pass.sh 
@@ -1,7 +1,7 @@ #!/bin/bash # packages = ntp # variables = var_time_service_set_maxpoll=16 -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 {{{ bash_package_remove("chrony") }}} diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/ntp_multiple_misconfigured.fail.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/ntp_multiple_misconfigured.fail.sh index 48085bcc547..332b80b77c8 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/ntp_multiple_misconfigured.fail.sh +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/ntp_multiple_misconfigured.fail.sh @@ -1,7 +1,7 @@ #!/bin/bash # packages = ntp # variables = var_time_service_set_maxpoll=16 -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 {{{ bash_package_remove("chrony") }}} diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/ntp_wrong_maxpoll.fail.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/ntp_wrong_maxpoll.fail.sh index e716cf4d4ad..329f2cf585d 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/ntp_wrong_maxpoll.fail.sh +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/ntp_wrong_maxpoll.fail.sh @@ -1,7 +1,7 @@ #!/bin/bash # packages = ntp # variables = var_time_service_set_maxpoll=16 -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 {{{ bash_package_remove("chrony") }}} diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh index 6b76902a1c3..f82c5018ec4 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh 
@@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_sle {{{ bash_instantiate_variables("var_multiple_time_servers") }}} diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml index f6743f788e1..8c27d9c2d5d 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml @@ -90,7 +90,6 @@ platform: machine # The check uses service_... extended definition, which doesn identifiers: cce@rhcos4: CCE-82685-9 - cce@rhel7: CCE-27012-4 cce@rhel8: CCE-80764-4 cce@sle12: CCE-91630-4 cce@sle15: CCE-85834-0 diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh index 6bf4f9aaee2..c8619f66e1e 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol +# platform = Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol {{{ bash_instantiate_variables("var_multiple_time_servers") }}} diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml index de6ec99ea5b..05c378703eb 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml 
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml @@ -89,7 +89,6 @@ platform: machine and (package[chrony] or package[ntp]) # The check uses servic identifiers: cce@rhcos4: CCE-82683-4 - cce@rhel7: CCE-27278-1 cce@rhel8: CCE-80765-1 references: diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml index 595aa3c9521..b7eaee763ec 100644 --- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml +++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml @@ -1,11 +1,11 @@ -# platform = multi_platform_fedora,multi_platform_ol,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel # reboot = false # strategy = configure # complexity = low # disruption = low {{%- set ok_by_default = false %}} -{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9", "ol9", "fedora"] %}} +{{%- if product in ["ol7", "ol8", "ol9", "fedora"] or 'rhel' in product %}} {{%- set ok_by_default = true %}} {{%- endif %}} diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh index 462528038d3..390a1cd2d07 100644 --- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh +++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh @@ -1,6 +1,6 @@ # platform = multi_platform_all {{%- set ok_by_default = false %}} -{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9", "ol9", "fedora"] %}} +{{%- if product in ["ol7", "ol8", "ol9", "fedora"] or 'rhel' in product %}} {{%- set ok_by_default = true %}} {{%- endif %}} diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml index e1d712f2553..a3d42de1aae 100644 
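Review bot: `'rhel' in product` in the new `{{%- if … %}}` line of chronyd_run_as_chrony_user/ansible/shared.yml is a substring test rather than a membership test, so any future product identifier that merely contains "rhel" would silently get `ok_by_default = true`; the same expression is repeated verbatim in bash/shared.sh on this line and in oval/shared.xml and rule.yml on the next. A prefix check such as `product.startswith("rhel")` states the intent more precisely than a substring match. Since all four copies must stay in sync, computing `ok_by_default` once in a shared macro and calling it from each file would remove the duplication that this patch just had to edit in four places.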
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml +++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml @@ -1,5 +1,5 @@ {{%- set ok_by_default = false %}} -{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9", "ol9", "fedora"] %}} +{{%- if product in ["ol7", "ol8", "ol9", "fedora"] or 'rhel' in product %}} {{%- set ok_by_default = true %}} {{%- endif %}} diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml index b493739895c..b0b44b2c513 100644 --- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml @@ -4,7 +4,7 @@ documentation_complete: true title: 'Ensure that chronyd is running under chrony user account' {{%- set ok_by_default = false %}} -{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9", "ol9", "fedora"] %}} +{{%- if product in ["ol7", "ol8", "ol9", "fedora"] or 'rhel' in product %}} {{%- set ok_by_default = true %}} {{%- endif %}} @@ -38,7 +38,6 @@ severity: medium platform: package[chrony] identifiers: - cce@rhel7: CCE-82878-0 cce@rhel8: CCE-82879-8 cce@rhel9: CCE-84108-0 cce@sle12: CCE-92240-1 diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml index dfd7c6fefa9..dc18d45c421 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml @@ -21,7 +21,6 @@ severity: medium platform: package[chrony] identifiers: - cce@rhel7: CCE-83418-4 cce@rhel8: CCE-82873-1 cce@rhel9: CCE-84218-7 cce@sle12: CCE-91631-2 diff --git a/linux_os/guide/services/ntp/file_groupowner_etc_chrony_keys/rule.yml b/linux_os/guide/services/ntp/file_groupowner_etc_chrony_keys/rule.yml index da77a9c5e49..b0a270c555b 100644 
--- a/linux_os/guide/services/ntp/file_groupowner_etc_chrony_keys/rule.yml +++ b/linux_os/guide/services/ntp/file_groupowner_etc_chrony_keys/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86371-2 cce@rhel8: CCE-86373-8 cce@rhel9: CCE-86374-6 diff --git a/linux_os/guide/services/ntp/file_owner_etc_chrony_keys/rule.yml b/linux_os/guide/services/ntp/file_owner_etc_chrony_keys/rule.yml index 0aa7d872953..f35777c6ea6 100644 --- a/linux_os/guide/services/ntp/file_owner_etc_chrony_keys/rule.yml +++ b/linux_os/guide/services/ntp/file_owner_etc_chrony_keys/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86375-3 cce@rhel8: CCE-86379-5 cce@rhel9: CCE-86380-3 diff --git a/linux_os/guide/services/ntp/file_permissions_etc_chrony_keys/rule.yml b/linux_os/guide/services/ntp/file_permissions_etc_chrony_keys/rule.yml index 70119c9801e..889f9e6b419 100644 --- a/linux_os/guide/services/ntp/file_permissions_etc_chrony_keys/rule.yml +++ b/linux_os/guide/services/ntp/file_permissions_etc_chrony_keys/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86381-1 cce@rhel8: CCE-86383-7 cce@rhel9: CCE-86384-5 diff --git a/linux_os/guide/services/ntp/group.yml b/linux_os/guide/services/ntp/group.yml index 5424a119d9e..615c24e1f45 100644 --- a/linux_os/guide/services/ntp/group.yml +++ b/linux_os/guide/services/ntp/group.yml 
@@ -55,8 +55,6 @@ description: |- {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/network-ConfiguringNetworkTime.html#ol-nettime") }}} {{% elif product == "ol9" %}} {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/9/network/network-ConfiguringNetworkTime.html#ol-nettime") }}} - {{% elif product == "rhel7" %}} - {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}} {{% elif product == "rhel8" %}} {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/configuring-time-synchronization_configuring-basic-system-settings") }}} {{% elif product == "rhel9" %}} diff --git a/linux_os/guide/services/ntp/ntpd_configure_restrictions/ansible/shared.yml b/linux_os/guide/services/ntp/ntpd_configure_restrictions/ansible/shared.yml index 882a65e49aa..12c62d33976 100644 --- a/linux_os/guide/services/ntp/ntpd_configure_restrictions/ansible/shared.yml +++ b/linux_os/guide/services/ntp/ntpd_configure_restrictions/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,multi_platform_fedora,multi_platform_sle +# platform = multi_platform_fedora,multi_platform_sle # reboot = false # complexity = low # strategy = configure diff --git a/linux_os/guide/services/ntp/ntpd_configure_restrictions/bash/shared.sh b/linux_os/guide/services/ntp/ntpd_configure_restrictions/bash/shared.sh index 39e1660b9e6..5c9fcadd809 100644 --- a/linux_os/guide/services/ntp/ntpd_configure_restrictions/bash/shared.sh +++ b/linux_os/guide/services/ntp/ntpd_configure_restrictions/bash/shared.sh 
@@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,multi_platform_fedora,multi_platform_ubuntu,multi_platform_sle +# platform = multi_platform_fedora,multi_platform_ubuntu,multi_platform_sle {{{ set_config_file(path='/etc/ntp.conf', parameter='restrict -4', value='default kod nomodify notrap nopeer noquery', create='yes', insert_after='EOF', insert_before='', insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}} {{{ set_config_file(path='/etc/ntp.conf', parameter='restrict -6', value='default kod nomodify notrap nopeer noquery', create='yes', insert_after='EOF', insert_before='', insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}} diff --git a/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml b/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml index 52726fca49f..27d25d77ed3 100644 --- a/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml +++ b/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml @@ -28,7 +28,6 @@ references: cis@ubuntu2204: 2.1.4.1 identifiers: - cce@rhel7: CCE-84299-7 cce@sle12: CCE-92325-0 ocil_clause: 'restrictions are not configured for ntpd' diff --git a/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/ansible/shared.yml b/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/ansible/shared.yml index cc6ad00cbd4..152de7ab916 100644 --- a/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/ansible/shared.yml +++ b/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 7 +# platform = multi_platform_fedora # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/bash/shared.sh b/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/bash/shared.sh index 2ad7b6d96dd..3884d5cf555 100644 --- a/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/bash/shared.sh 
+++ b/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,multi_platform_fedora,multi_platform_ubuntu +# platform = multi_platform_fedora,multi_platform_ubuntu if grep -q 'OPTIONS=.*' /etc/sysconfig/ntpd; then # trying to solve cases where the parameter after OPTIONS diff --git a/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/rule.yml b/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/rule.yml index b3ac0236b67..35de7660d98 100644 --- a/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/rule.yml +++ b/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/rule.yml @@ -28,9 +28,6 @@ references: cis@ubuntu2004: 2.2.1.4 cis@ubuntu2204: 2.1.4.3 -identifiers: - cce@rhel7: CCE-84295-5 - ocil_clause: 'ntpd is not running under ntp user account' ocil: |- diff --git a/linux_os/guide/services/ntp/ntpd_specify_multiple_servers/rule.yml b/linux_os/guide/services/ntp/ntpd_specify_multiple_servers/rule.yml index 6f1399b3e77..7502c681493 100644 --- a/linux_os/guide/services/ntp/ntpd_specify_multiple_servers/rule.yml +++ b/linux_os/guide/services/ntp/ntpd_specify_multiple_servers/rule.yml @@ -19,7 +19,6 @@ rationale: |- severity: unknown identifiers: - cce@rhel7: CCE-86487-6 cce@rhel8: CCE-86488-4 cce@sle12: CCE-91660-1 cce@sle15: CCE-91297-2 diff --git a/linux_os/guide/services/ntp/ntpd_specify_remote_server/ansible/shared.yml b/linux_os/guide/services/ntp/ntpd_specify_remote_server/ansible/shared.yml index 94df730467d..ed1e792da0f 100644 --- a/linux_os/guide/services/ntp/ntpd_specify_remote_server/ansible/shared.yml +++ b/linux_os/guide/services/ntp/ntpd_specify_remote_server/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 7 +# platform = multi_platform_fedora # reboot = false # strategy = configure # complexity = low 
diff --git a/linux_os/guide/services/ntp/ntpd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/ntpd_specify_remote_server/bash/shared.sh index fb0bfc179f7..e57d9df5d58 100644 --- a/linux_os/guide/services/ntp/ntpd_specify_remote_server/bash/shared.sh +++ b/linux_os/guide/services/ntp/ntpd_specify_remote_server/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 7 +# platform = multi_platform_fedora {{{ bash_instantiate_variables("var_multiple_time_servers") }}} diff --git a/linux_os/guide/services/ntp/ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/ntpd_specify_remote_server/rule.yml index 7a95b5772fb..e71d81313ad 100644 --- a/linux_os/guide/services/ntp/ntpd_specify_remote_server/rule.yml +++ b/linux_os/guide/services/ntp/ntpd_specify_remote_server/rule.yml @@ -19,7 +19,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-83436-6 cce@rhel8: CCE-86508-9 cce@sle12: CCE-91661-9 cce@sle15: CCE-91298-0 diff --git a/linux_os/guide/services/ntp/ntpd_specify_remote_server/tests/correct.pass.sh b/linux_os/guide/services/ntp/ntpd_specify_remote_server/tests/correct.pass.sh deleted file mode 100644 index c9033b777d1..00000000000 --- a/linux_os/guide/services/ntp/ntpd_specify_remote_server/tests/correct.pass.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash -# packages = ntp -# platform = Red Hat Enterprise Linux 7 - -echo "server 0.pool.ntp.org" > /etc/ntp.conf diff --git a/linux_os/guide/services/ntp/ntpd_specify_remote_server/tests/file_empty.fail.sh b/linux_os/guide/services/ntp/ntpd_specify_remote_server/tests/file_empty.fail.sh deleted file mode 100644 index f96e2416919..00000000000 --- a/linux_os/guide/services/ntp/ntpd_specify_remote_server/tests/file_empty.fail.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash -# packages = ntp -# platform = Red Hat Enterprise Linux 7 - -echo "" > /etc/ntp.conf 
diff --git a/linux_os/guide/services/ntp/ntpd_specify_remote_server/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/ntpd_specify_remote_server/tests/file_missing.fail.sh deleted file mode 100644 index c7c0cbdeb0a..00000000000 --- a/linux_os/guide/services/ntp/ntpd_specify_remote_server/tests/file_missing.fail.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash -# packages = ntp -# platform = Red Hat Enterprise Linux 7 - -rm -f /etc/ntp.conf diff --git a/linux_os/guide/services/ntp/ntpd_specify_remote_server/tests/multiple_servers.pass.sh b/linux_os/guide/services/ntp/ntpd_specify_remote_server/tests/multiple_servers.pass.sh deleted file mode 100644 index 8ceefc168ed..00000000000 --- a/linux_os/guide/services/ntp/ntpd_specify_remote_server/tests/multiple_servers.pass.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash -# packages = ntp -# platform = Red Hat Enterprise Linux 7 - -echo "server 0.pool.ntp.org" > /etc/ntp.conf -echo "server 1.pool.ntp.org" >> /etc/ntp.conf diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml index 694b47eb1b4..b8eea732d92 100644 --- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml +++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml @@ -18,7 +18,6 @@ severity: medium platform: machine identifiers: - cce@rhel7: CCE-83419-2 cce@rhel8: CCE-82874-9 cce@rhel9: CCE-84215-3 cce@sle12: CCE-91594-2 diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml index ca56f2318e3..b01c338a198 100644 --- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml +++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml @@ -21,7 +21,6 @@ severity: medium platform: package[chrony] identifiers: - cce@rhel7: CCE-83420-0 cce@rhel8: CCE-82875-6 cce@rhel9: CCE-84217-9 
diff --git a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/ansible/shared.yml b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/ansible/shared.yml index 739ab24b850..ff1bfe242e4 100644 --- a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/ansible/shared.yml +++ b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_sle # reboot = false # strategy = enable # complexity = low diff --git a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/bash/shared.sh b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/bash/shared.sh index f8a77aeeefa..b322a02cff3 100644 --- a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/bash/shared.sh +++ b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_sle # reboot = false # strategy = enable # complexity = low diff --git a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml index 8833d723508..c2c8f453513 100644 --- a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml +++ b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml 
@@ -40,7 +40,6 @@ platform: machine # The check uses service_... extended definition, which doesn identifiers: cce@rhcos4: CCE-82682-6 - cce@rhel7: CCE-27444-9 cce@rhel8: CCE-80874-1 cce@sle12: CCE-91629-6 cce@sle15: CCE-85835-7 diff --git a/linux_os/guide/services/ntp/service_ntp_enabled/rule.yml b/linux_os/guide/services/ntp/service_ntp_enabled/rule.yml index bb3ac288b36..b3a12270be2 100644 --- a/linux_os/guide/services/ntp/service_ntp_enabled/rule.yml +++ b/linux_os/guide/services/ntp/service_ntp_enabled/rule.yml @@ -47,14 +47,9 @@ template: vars: servicename: ntp -{{% if product in ["rhel7", "rhel8", "rhel9", "sle15"] %}} +{{% if product in ["sle15"] or 'rhel' in product %}} warnings: - general: - {{% if product == "rhel7" %}} - The
ntp.service
Systemd unit is not available in {{{ - full_name }}}.
ntpd.service
should be used instead together with the respective
service_ntpd_enabled
rule.. - {{% else %}} The
ntp
package is not available in {{{ full_name }}}. Please consider the
chrony
package instead together with the respective
service_chronyd_enabled
rule. - {{% endif %}} {{% endif %}} diff --git a/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml b/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml index 3cfd6d06708..722c975d605 100644 --- a/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml +++ b/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml @@ -21,7 +21,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-84253-4 cce@rhel8: CCE-86486-8 cce@rhel9: CCE-87863-7 cce@sle12: CCE-91658-5 diff --git a/linux_os/guide/services/obsolete/group.yml b/linux_os/guide/services/obsolete/group.yml index 4c976261025..803b6bc9154 100644 --- a/linux_os/guide/services/obsolete/group.yml +++ b/linux_os/guide/services/obsolete/group.yml @@ -15,7 +15,7 @@ description: |- If it remains absolutely necessary to run one of these services for legacy reasons, care should be taken to restrict the service as much as possible, for instance by configuring host - {{% if product == "rhel7" %}} + {{% if "rhel" in product %}} firewall software such as firewalld to restrict access to the {{% else %}} firewall software such as iptables to restrict access to the diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml index a678060db89..f20c66d76ed 100644 --- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml +++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml @@ -19,10 +19,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-83391-3 - - ocil_clause: 'access to services supporting TCP wrappers is not properly configured' ocil: |- diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml index 5f0583ccb57..ef0434faf43 100644 
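Review bot: The two new Jinja conditions are written in different styles — `{{% if product in ["sle15"] or 'rhel' in product %}}` in service_ntp_enabled/rule.yml versus `{{% if "rhel" in product %}}` in obsolete/group.yml — and the first mixes a one-element list membership with a substring test; `{{% if product == "sle15" or "rhel" in product %}}` says the same thing in the form its sibling uses. A substring test matches every product id containing "rhel", presumably the intended rhel8/rhel9/rhel10, but it is looser than the explicit list it replaces, so it is worth confirming no other product id can contain that substring. In group.yml the same test now routes only RHEL to the firewalld wording while ol7/ol8 and fedora keep the iptables sentence; whether that is intended cannot be judged from the hunk. The `warnings:` block closes inside the service_ntp_enabled hunk, but the rule file continues outside it.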
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml +++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml @@ -13,10 +13,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-83824-3 - - ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/hosts.allow", group="root") }}}' ocil: |- diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml index 0edc9130aa1..279fcddd83b 100644 --- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml +++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml @@ -13,10 +13,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-84031-4 - - ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/hosts.deny", group="root") }}}' ocil: |- diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml index 1ea8c393d64..f401862f1d2 100644 --- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml +++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml @@ -13,10 +13,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-83826-8 - - ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/hosts.allow", owner="root") }}}' ocil: |- diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml index f49621454b3..85000424e1f 100644 --- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml 
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml @@ -13,10 +13,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-84033-0 - - ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/hosts.deny", owner="root") }}}' ocil: |- diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml index 69f30e56a5c..fdee0ee131b 100644 --- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml +++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml @@ -13,10 +13,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-83828-4 - - ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/hosts.allow", perms="-rw-r--r--") }}}' ocil: |- diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml index 8e1ab16ffd6..e5b72bc9d1f 100644 --- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml +++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml @@ -13,10 +13,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-84035-5 - - ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/hosts.deny", perms="-rw-r--r--") }}}' ocil: |- diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_tcp_wrappers_installed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_tcp_wrappers_installed/rule.yml index 81b835c7548..1e01ccaa167 100644 --- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_tcp_wrappers_installed/rule.yml +++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_tcp_wrappers_installed/rule.yml 
@@ -15,9 +15,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-27361-5 - references: cis-csc: 11,3,9 cis@sle15: 3.4.1 diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml index ba96f00d559..20e0ae2ef94 100644 --- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml +++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-27354-0 cce@rhel8: CCE-80850-1 cce@rhel9: CCE-84155-1 cce@sle12: CCE-91480-4 diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml index 50441794131..afbc6865d3b 100644 --- a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml +++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27443-1 cce@rhel8: CCE-80888-1 cce@rhel9: CCE-84156-9 cce@sle12: CCE-92239-3 diff --git a/linux_os/guide/services/obsolete/nis/no_nis_in_nsswitch/rule.yml b/linux_os/guide/services/obsolete/nis/no_nis_in_nsswitch/rule.yml index 129be890ffa..84c3cd4b5ed 100644 --- a/linux_os/guide/services/obsolete/nis/no_nis_in_nsswitch/rule.yml +++ b/linux_os/guide/services/obsolete/nis/no_nis_in_nsswitch/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86074-2 cce@rhel8: CCE-86076-7 ocil_clause: "a nis database is configured in nsswitch.conf" diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml index 9203aa90bcb..82484702b92 100644 --- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml 
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml @@ -19,7 +19,6 @@ rationale: |- severity: unknown identifiers: - cce@rhel7: CCE-27396-1 cce@rhel8: CCE-82181-9 cce@rhel9: CCE-84151-0 cce@sle12: CCE-91458-0 diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml index 0414eabc785..532a205e7d8 100644 --- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml +++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml @@ -17,7 +17,6 @@ rationale: |- severity: high identifiers: - cce@rhel7: CCE-27399-5 cce@rhel8: CCE-82432-6 cce@rhel9: CCE-84152-8 cce@sle12: CCE-91459-8 @@ -38,7 +37,6 @@ references: pcidss: Req-2.2.2 srg: SRG-OS-000095-GPOS-00049 stigid@ol7: OL07-00-020010 - stigid@rhel7: RHEL-07-020010 {{{ complete_ocil_entry_package(package="ypserv") }}} diff --git a/linux_os/guide/services/obsolete/nis/service_ypbind_disabled/rule.yml b/linux_os/guide/services/obsolete/nis/service_ypbind_disabled/rule.yml index 26b5a890877..d70f04c2b36 100644 --- a/linux_os/guide/services/obsolete/nis/service_ypbind_disabled/rule.yml +++ b/linux_os/guide/services/obsolete/nis/service_ypbind_disabled/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27385-4 cce@rhel8: CCE-82433-4 references: diff --git a/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml b/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml index 2364211ce93..1ef9f80cdf1 100644 --- a/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml +++ b/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-90759-2 cce@rhel8: CCE-86121-1 cce@rhel9: CCE-86122-9 
diff --git a/linux_os/guide/services/obsolete/no_hesiod_in_nsswitch/rule.yml b/linux_os/guide/services/obsolete/no_hesiod_in_nsswitch/rule.yml index eb213f646a3..bbefe2eca7c 100644 --- a/linux_os/guide/services/obsolete/no_hesiod_in_nsswitch/rule.yml +++ b/linux_os/guide/services/obsolete/no_hesiod_in_nsswitch/rule.yml @@ -17,9 +17,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-86078-3 - ocil_clause: "a hesiod service is configured in nsswitch.conf" ocil: |- diff --git a/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml b/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml index d159f3fd4e0..8bac1dcb2c6 100644 --- a/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml +++ b/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml @@ -20,7 +20,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86334-0 cce@rhel8: CCE-86335-7 cce@rhel9: CCE-86336-5 cce@sle12: CCE-92313-6 diff --git a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml index a0e4996aa53..95bf49650c0 100644 --- a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml @@ -17,7 +17,6 @@ rationale: |- severity: high identifiers: - cce@rhel7: CCE-80513-5 cce@rhel8: CCE-84055-3 cce@rhel9: CCE-90208-0 cce@sle12: CCE-83022-4 @@ -28,7 +27,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040550 stigid@ol8: OL08-00-010460 - stigid@rhel7: RHEL-07-040550 stigid@rhel8: RHEL-08-010460 stigid@sle12: SLES-12-010410 stigid@sle15: SLES-15-040030 diff --git a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml index 60b881dc199..b5023f40320 100644 --- a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml 
+++ b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml @@ -19,7 +19,6 @@ rationale: |- severity: high identifiers: - cce@rhel7: CCE-27406-8 cce@rhel8: CCE-80842-8 cce@rhel9: CCE-84145-2 cce@sle12: CCE-92226-0 diff --git a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml index 6240cdc305d..5d5cdae7bbc 100644 --- a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml @@ -20,7 +20,6 @@ rationale: |- severity: high identifiers: - cce@rhel7: CCE-80514-3 cce@rhel8: CCE-84056-1 cce@rhel9: CCE-86532-9 cce@sle12: CCE-83021-6 @@ -31,7 +30,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040540 stigid@ol8: OL08-00-010470 - stigid@rhel7: RHEL-07-040540 stigid@rhel8: RHEL-08-010470 stigid@sle12: SLES-12-010400 stigid@sle15: SLES-15-040020 diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml index ada9d165323..05993a7cf1a 100644 --- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml @@ -17,7 +17,6 @@ rationale: |- severity: high identifiers: - cce@rhel7: CCE-27342-5 cce@rhel8: CCE-82184-3 cce@rhel9: CCE-84143-7 cce@sle12: CCE-91462-2 @@ -36,7 +35,6 @@ references: srg: SRG-OS-000095-GPOS-00049 stigid@ol7: OL07-00-020000 stigid@ol8: OL08-00-040010 - stigid@rhel7: RHEL-07-020000 stigid@rhel8: RHEL-08-040010 stigid@ubuntu2004: UBTU-20-010406 stigid@ubuntu2204: UBTU-22-215030 diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml index bf34d21069f..2c8298b7e1e 100644 
--- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml @@ -26,7 +26,6 @@ rationale: |- severity: unknown identifiers: - cce@rhel7: CCE-27274-0 cce@rhel8: CCE-82183-5 cce@rhel9: CCE-84142-9 cce@sle12: CCE-91454-9 diff --git a/linux_os/guide/services/obsolete/r_services/service_rexec_disabled/rule.yml b/linux_os/guide/services/obsolete/r_services/service_rexec_disabled/rule.yml index c348e11dc4b..e8df0378b32 100644 --- a/linux_os/guide/services/obsolete/r_services/service_rexec_disabled/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/service_rexec_disabled/rule.yml @@ -18,7 +18,6 @@ rationale: |- severity: high identifiers: - cce@rhel7: CCE-27408-4 cce@rhel8: CCE-80884-0 cce@rhel9: CCE-88104-5 cce@sle15: CCE-91420-0 diff --git a/linux_os/guide/services/obsolete/r_services/service_rlogin_disabled/rule.yml b/linux_os/guide/services/obsolete/r_services/service_rlogin_disabled/rule.yml index 1c0b658545d..7d11cb9b552 100644 --- a/linux_os/guide/services/obsolete/r_services/service_rlogin_disabled/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/service_rlogin_disabled/rule.yml @@ -20,7 +20,6 @@ rationale: |- severity: high identifiers: - cce@rhel7: CCE-27336-7 cce@rhel8: CCE-80885-7 cce@rhel9: CCE-88395-9 cce@sle15: CCE-91419-2 diff --git a/linux_os/guide/services/obsolete/r_services/service_rsh_disabled/rule.yml b/linux_os/guide/services/obsolete/r_services/service_rsh_disabled/rule.yml index 73e6de48659..1e62c62b9c8 100644 --- a/linux_os/guide/services/obsolete/r_services/service_rsh_disabled/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/service_rsh_disabled/rule.yml @@ -19,7 +19,6 @@ rationale: |- severity: high identifiers: - cce@rhel7: CCE-27337-5 cce@rhel8: CCE-82431-8 references: 
diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml index cf2c7464eda..5feb944148d 100644 --- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml +++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml @@ -15,7 +15,6 @@ severity: medium platform: machine identifiers: - cce@rhel7: CCE-83334-3 cce@rhel8: CCE-83335-0 cce@rhel9: CCE-84140-3 cce@sle12: CCE-91673-4 @@ -36,7 +35,6 @@ template: vars: servicename: rsyncd packagename: rsync-daemon - packagename@rhel7: rsync packagename@ol7: rsync packagename@sle12: rsync packagename@sle15: rsync diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml index e5ebfb14030..92063487c39 100644 --- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml +++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27210-4 cce@rhel8: CCE-82180-1 cce@rhel9: CCE-84158-5 cce@sle12: CCE-91464-8 diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml index 9990302beb7..5efc889abdd 100644 --- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml +++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml @@ -18,7 +18,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27432-4 cce@rhel8: CCE-80848-5 cce@rhel9: CCE-84157-7 cce@sle12: CCE-91456-4 diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml index 8e2e184509a..34f33b291c8 100644 --- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml 
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml @@ -24,7 +24,6 @@ rationale: |- severity: high identifiers: - cce@rhel7: CCE-27165-0 cce@rhel8: CCE-82182-7 cce@rhel9: CCE-84149-4 cce@sle12: CCE-83084-4 @@ -46,7 +45,6 @@ references: srg: SRG-OS-000095-GPOS-00049 stigid@ol7: OL07-00-021710 stigid@ol8: OL08-00-040000 - stigid@rhel7: RHEL-07-021710 stigid@rhel8: RHEL-08-040000 stigid@sle12: SLES-12-030000 stigid@sle15: SLES-15-010180 diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml index a16fee71835..a4ef2410d14 100644 --- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml +++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-27305-2 cce@rhel8: CCE-80849-3 cce@rhel9: CCE-84146-0 cce@sle12: CCE-91457-2 diff --git a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml index 3c9d4189156..94f721aee98 100644 --- a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml +++ b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: high identifiers: - cce@rhel7: CCE-27401-9 cce@rhel8: CCE-80887-3 cce@rhel9: CCE-84150-2 cce@sle15: CCE-91435-8 diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml index 6b97936e7e6..7b367d47fd3 100644 --- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml +++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml 
@@ -17,7 +17,6 @@ rationale: |- severity: high identifiers: - cce@rhel7: CCE-80213-2 cce@rhel8: CCE-82436-7 cce@rhel9: CCE-84154-4 cce@sle12: CCE-91596-7 @@ -35,7 +34,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040700 stigid@ol8: OL08-00-040190 - stigid@rhel7: RHEL-07-040700 stigid@rhel8: RHEL-08-040190 {{{ complete_ocil_entry_package(package="tftp-server") }}} diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml index 5d66007d88d..5db63341dc5 100644 --- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml +++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml @@ -17,7 +17,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-80443-5 cce@rhel8: CCE-83590-0 cce@rhel9: CCE-84153-6 cce@sle12: CCE-91465-5 diff --git a/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml b/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml index 671e343905b..1443c8617c6 100644 --- a/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml +++ b/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml @@ -14,7 +14,6 @@ rationale: |- severity: high identifiers: - cce@rhel7: CCE-80212-4 cce@rhel8: CCE-82435-9 references: diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml index 6e5cedf703b..2e8a1acb21d 100644 --- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml +++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml 
@@ -6,7 +6,7 @@ title: 'Ensure tftp Daemon Uses Secure Mode' description: |- If running the Trivial File Transfer Protocol (TFTP) service is necessary, it should be configured to change its root directory at startup. To do so, - {{%- if product in ["rhel7","ol7","rhel8","ol8","rhv4"] %}} + {{%- if product in ["ol7","rhel8","ol8","rhv4"] %}} ensure /etc/xinetd.d/tftp includes -s as a command line argument, as shown in the following example:
server_args = -s {{{ xccdf_value("var_tftpd_secure_directory") }}}
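Review bot: The product list `["ol7","rhel8","ol8","rhv4"]` is hand-edited in five places in this file — this hunk and the hunks at `@@ -45`, `@@ -59`, `@@ -69` and `@@ -83` — so every future product addition or retirement has to be repeated in all five, and any one left behind silently changes which systems get the xinetd wording versus the systemd wording. Defining it once at the top of the rule, e.g. `{{% set xinetd_tftp_products = ["ol7","rhel8","ol8","rhv4"] %}}`, and testing `{{% if product in xinetd_tftp_products %}}` at each site keeps that decision in one place. The `description:` block this hunk edits begins before the hunk.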
@@ -29,7 +29,6 @@ severity: medium platform: package[tftp-server] identifiers: - cce@rhel7: CCE-80214-0 cce@rhel8: CCE-82434-2 cce@rhel9: CCE-90736-0 @@ -45,11 +44,10 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040720 stigid@ol8: OL08-00-040350 - stigid@rhel7: RHEL-07-040720 stigid@rhel8: RHEL-08-040350 ocil_clause: |- -{{%- if product in ["rhel7","ol7","rhel8","ol8","rhv4"] %}} +{{%- if product in ["ol7","rhel8","ol8","rhv4"] %}} '"server_args" line does not have a "-s" option, and a subdirectory is not assigned' {{%- else %}} 'the "ExecStart" line does not have a "-s" option, and a subdirectory is not assigned' @@ -59,7 +57,7 @@ ocil: |- Verify the TFTP daemon is configured to operate in secure mode. Check if a TFTP server is installed with the following command: - {{% if product in ["rhel7","ol7","rhel8","ol8","rhv4"] %}} + {{% if product in ["ol7","rhel8","ol8","rhv4"] %}}
$ rpm -qa | grep tftp
{{% else %}}
$ sudo dnf list --installed tftp-server
@@ -69,7 +67,7 @@ ocil: |-
 
     If a TFTP server is not installed, this is Not Applicable.
     

- {{% if product in ["rhel7","ol7","rhel8","ol8","rhv4"] %}} + {{% if product in ["ol7","rhel8","ol8","rhv4"] %}} If a TFTP server is installed, verify TFTP is configured by with the -s option by running the following command: @@ -83,7 +81,7 @@ ocil: |- {{% endif %}} fixtext: |- - {{%- if product in ["rhel7","ol7","rhel8","ol8","rhv4"] %}} + {{%- if product in ["ol7","rhel8","ol8","rhv4"] %}} Configure the TFTP daemon to operate in secure mode by adding the following line to "/etc/xinetd.d/tftp" (or modify the line to have the required value): server_args = -s {{{ xccdf_value("var_tftpd_secure_directory") }}} diff --git a/linux_os/guide/services/printing/configure_printing/cups_disable_browsing/rule.yml b/linux_os/guide/services/printing/configure_printing/cups_disable_browsing/rule.yml index 396fa9f2b49..c78426afdee 100644 --- a/linux_os/guide/services/printing/configure_printing/cups_disable_browsing/rule.yml +++ b/linux_os/guide/services/printing/configure_printing/cups_disable_browsing/rule.yml @@ -20,9 +20,6 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80283-5 - references: cis-csc: 11,14,3,9 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 diff --git a/linux_os/guide/services/printing/configure_printing/cups_disable_printserver/rule.yml b/linux_os/guide/services/printing/configure_printing/cups_disable_printserver/rule.yml index ac5515dcc76..6e5c3b0b715 100644 --- a/linux_os/guide/services/printing/configure_printing/cups_disable_printserver/rule.yml +++ b/linux_os/guide/services/printing/configure_printing/cups_disable_printserver/rule.yml @@ -24,9 +24,6 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80284-3 - references: cis-csc: 11,14,3,9 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 diff --git a/linux_os/guide/services/printing/package_cups_removed/rule.yml b/linux_os/guide/services/printing/package_cups_removed/rule.yml index bf602ed3c75..b3bd6e7767e 100644 
--- a/linux_os/guide/services/printing/package_cups_removed/rule.yml +++ b/linux_os/guide/services/printing/package_cups_removed/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: unknown identifiers: - cce@rhel7: CCE-86295-3 cce@rhel8: CCE-86299-5 cce@rhel9: CCE-86300-1 cce@sle12: CCE-92311-0 diff --git a/linux_os/guide/services/printing/service_cups_disabled/rule.yml b/linux_os/guide/services/printing/service_cups_disabled/rule.yml index 057680ae27f..a0c61646886 100644 --- a/linux_os/guide/services/printing/service_cups_disabled/rule.yml +++ b/linux_os/guide/services/printing/service_cups_disabled/rule.yml @@ -11,7 +11,6 @@ rationale: 'Turn off unneeded services to reduce attack surface.' severity: unknown identifiers: - cce@rhel7: CCE-80282-7 cce@rhel8: CCE-82861-6 cce@rhel9: CCE-90795-6 cce@sle12: CCE-91692-4 diff --git a/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml b/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml index 315c4a92992..223265bb700 100644 --- a/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml +++ b/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml @@ -12,7 +12,6 @@ rationale: |- severity: unknown identifiers: - cce@rhel7: CCE-80286-8 cce@rhel8: CCE-82189-2 cce@rhel9: CCE-84238-5 cce@sle12: CCE-92252-6 diff --git a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml index 45fb5c43c39..44d818c8129 100644 --- a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml +++ b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: unknown identifiers: - cce@rhel7: CCE-80285-0 cce@rhel8: CCE-82190-0 cce@rhel9: CCE-84239-3 cce@sle12: CCE-92251-8 
diff --git a/linux_os/guide/services/radius/package_freeradius_removed/rule.yml b/linux_os/guide/services/radius/package_freeradius_removed/rule.yml index 51eb2e12475..9e412ae8ac0 100644 --- a/linux_os/guide/services/radius/package_freeradius_removed/rule.yml +++ b/linux_os/guide/services/radius/package_freeradius_removed/rule.yml @@ -20,7 +20,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-82751-9 cce@rhel8: CCE-82752-7 ocil_clause: 'the package is installed' diff --git a/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml b/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml index 4f27df32398..f6dd24ae439 100644 --- a/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml +++ b/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-27594-1 cce@rhel8: CCE-82187-6 cce@rhel9: CCE-84191-6 diff --git a/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml b/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml index 0bcc7b0c9a9..5ef5313a58f 100644 --- a/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml +++ b/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml @@ -15,7 +15,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27191-6 cce@rhel8: CCE-80889-9 cce@sle15: CCE-91418-4 diff --git a/linux_os/guide/services/smb/configuring_samba/mount_option_smb_client_signing/rule.yml b/linux_os/guide/services/smb/configuring_samba/mount_option_smb_client_signing/rule.yml index da36f449e15..f4d83b8a2be 100644 --- a/linux_os/guide/services/smb/configuring_samba/mount_option_smb_client_signing/rule.yml +++ b/linux_os/guide/services/smb/configuring_samba/mount_option_smb_client_signing/rule.yml 
@@ -19,9 +19,6 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80281-9 - ocil_clause: 'it does not' ocil: |- diff --git a/linux_os/guide/services/smb/configuring_samba/package_samba-common_installed/rule.yml b/linux_os/guide/services/smb/configuring_samba/package_samba-common_installed/rule.yml index fc8fddc7d0a..7a62905135a 100644 --- a/linux_os/guide/services/smb/configuring_samba/package_samba-common_installed/rule.yml +++ b/linux_os/guide/services/smb/configuring_samba/package_samba-common_installed/rule.yml @@ -11,9 +11,6 @@ rationale: 'If the samba-common package is not installed, samba cannot be config severity: medium -identifiers: - cce@rhel7: CCE-80360-1 - ocil_clause: 'the package is not installed' ocil: '{{{ ocil_package(package="samba-common") }}}' diff --git a/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/rule.yml b/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/rule.yml index a9cd42d3bf5..c6aba2c98b0 100644 --- a/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/rule.yml +++ b/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/rule.yml @@ -19,9 +19,6 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80280-1 - ocil_clause: 'it is not' ocil: |- diff --git a/linux_os/guide/services/smb/configuring_samba/smb_server_disable_root/rule.yml b/linux_os/guide/services/smb/configuring_samba/smb_server_disable_root/rule.yml index a0696476bac..2d5e3e6b278 100644 --- a/linux_os/guide/services/smb/configuring_samba/smb_server_disable_root/rule.yml +++ b/linux_os/guide/services/smb/configuring_samba/smb_server_disable_root/rule.yml @@ -20,5 +20,3 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80279-3 diff --git a/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml b/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml index 35dd9eae947..69d4844a062 100644 
--- a/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml +++ b/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml @@ -12,7 +12,6 @@ rationale: |- severity: unknown identifiers: - cce@rhel7: CCE-80278-5 cce@rhel8: CCE-85978-5 cce@rhel9: CCE-85979-3 cce@sle12: CCE-91644-5 diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml index a1166dad88d..079cad29fe5 100644 --- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml +++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-80277-7 cce@rhel8: CCE-82759-2 cce@rhel9: CCE-84201-3 cce@sle12: CCE-92250-0 diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml index 0d71bcc5efe..19537fa1e4c 100644 --- a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml +++ b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml @@ -20,7 +20,6 @@ rationale: |- severity: unknown identifiers: - cce@rhel7: CCE-80275-1 cce@rhel8: CCE-85980-1 cce@rhel9: CCE-85981-9 cce@sle12: CCE-91645-2 diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml index c41b857dcf8..4819bc9eb55 100644 --- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml +++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-80274-4 cce@rhel8: CCE-82758-4 cce@rhel9: CCE-90832-7 cce@sle12: CCE-92253-4 
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_no_rwusers/bash/shared.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_no_rwusers/bash/shared.sh index 084c8934350..a869e7ad64b 100644 --- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_no_rwusers/bash/shared.sh +++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_no_rwusers/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora +# platform = Red Hat Enterprise Linux 8,multi_platform_fedora if grep -s "rwuser" /etc/snmp/snmpd.conf | grep -qv "^#"; then sed -i "/^\s*#/b;/rwuser/ s/^/#/" /etc/snmp/snmpd.conf diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_no_rwusers/rule.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_no_rwusers/rule.yml index 950f8535b6c..a7b8a41fa81 100644 --- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_no_rwusers/rule.yml +++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_no_rwusers/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-82732-9 cce@rhel8: CCE-82733-7 ocil_clause: 'there are users who can write to SNMP values' diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml index 3b8653a60b2..ca07eef0e8c 100644 --- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml +++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml 
@@ -1,4 +1,4 @@ -# platform = debian 11,debian 10,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 +# platform = debian 11,debian 10,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,multi_platform_rhel # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh index ce70b2c1989..c54b259d0da 100644 --- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh +++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = debian 11,debian 10,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 +# platform = debian 11,debian 10,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,multi_platform_rhel {{{ bash_instantiate_variables("var_snmpd_ro_string", "var_snmpd_rw_string") }}} diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml index fdceb6c50ba..a2efa305c3c 100644 --- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml +++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml @@ -19,9 +19,6 @@ rationale: |- severity: high -identifiers: - cce@rhel7: CCE-27386-2 - references: cis-csc: 1,12,15,16,5 cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 @@ -33,7 +30,6 @@ references: nist-csf: PR.AC-1,PR.AC-6,PR.AC-7 srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040800 - stigid@rhel7: RHEL-07-040800 ocil_clause: 'the default SNMP passwords public and private have not been changed or removed' 
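Review bot: The new `# platform = debian 11,debian 10,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,multi_platform_rhel` line in snmpd_not_default_password/ansible/shared.yml (and the identical line in the bash/shared.sh hunk that follows it) does more than drop RHEL 7: the old value named only RHEL 7 and RHEL 8, so if `multi_platform_rhel` expands to every RHEL product still being built, this remediation now also applies to RHEL 9 and RHEL 10, where it was not enabled before. The sibling snmpd_no_rwusers/bash/shared.sh in the preceding hunk was narrowed to `Red Hat Enterprise Linux 8,multi_platform_fedora` instead, so the two SNMP remediations are treated differently without an explanation visible in this diff. The rule.yml hunk for the same rule also deletes the whole `identifiers:` block, leaving the rule without any CCE for the RHEL versions the remediation would now target. If the widening is intended it deserves a note in the commit message; otherwise keep parity with the no_rwusers change, `# platform = debian 11,debian 10,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 8`.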
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_use_newer_protocol/rule.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_use_newer_protocol/rule.yml index 115dc82fe14..059f5705dde 100644 --- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_use_newer_protocol/rule.yml +++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_use_newer_protocol/rule.yml @@ -15,7 +15,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80276-9 cce@rhel8: CCE-84292-2 cce@rhel9: CCE-87293-7 diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml index 08641d27527..086e4d3f652 100644 --- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml +++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml @@ -15,7 +15,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-82902-8 cce@rhel8: CCE-82901-0 cce@rhel9: CCE-90817-8 cce@sle12: CCE-92276-5 diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml index f80c01cd042..7f74ea77199 100644 --- a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml +++ b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml @@ -14,7 +14,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86125-2 cce@rhel8: CCE-86126-0 cce@rhel9: CCE-86127-8 diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml index 66f7e71ddf2..aca558d1a38 100644 --- a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml +++ b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86132-8 cce@rhel8: CCE-86133-6 cce@rhel9: CCE-86136-9 
diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml index 7920293cacd..c0c56b501ca 100644 --- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml +++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml @@ -15,7 +15,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-82899-6 cce@rhel8: CCE-82898-8 cce@rhel9: CCE-90821-0 cce@sle12: CCE-92277-3 diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml index 6cbcc46f604..2a9cfe7d0cf 100644 --- a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml +++ b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml @@ -12,7 +12,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86117-9 cce@rhel8: CCE-86118-7 cce@rhel9: CCE-86119-5 diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml index b2d8cd24732..3ebbb7ab293 100644 --- a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml +++ b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86128-6 cce@rhel8: CCE-86129-4 cce@rhel9: CCE-86130-2 diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml index 9bff1ca8798..ef94fb74e67 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml +++ b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml @@ -15,7 +15,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-82895-4 cce@rhel8: CCE-82894-7 cce@rhel9: CCE-90818-6 cce@sle12: CCE-91674-2 
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml index e4f1b1363e3..60f118f02c3 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml +++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml @@ -27,7 +27,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27485-2 cce@rhel8: CCE-82424-3 cce@rhel9: CCE-90820-2 cce@sle12: CCE-83058-8 @@ -52,7 +51,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040420 stigid@ol8: OL08-00-010490 - stigid@rhel7: RHEL-07-040420 stigid@rhel8: RHEL-08-010490 stigid@sle12: SLES-12-030220 stigid@sle15: SLES-15-040250 diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml index 695fd89eed4..18962cd0e95 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml +++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml @@ -11,7 +11,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27311-0 cce@rhel8: CCE-82428-4 cce@rhel9: CCE-90819-4 cce@sle12: CCE-83057-0 @@ -36,7 +35,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040410 stigid@ol8: OL08-00-010480 - stigid@rhel7: RHEL-07-040410 stigid@rhel8: RHEL-08-010480 stigid@sle12: SLES-12-030210 stigid@sle15: SLES-15-040240 diff --git a/linux_os/guide/services/ssh/firewalld_sshd_disabled/rule.yml b/linux_os/guide/services/ssh/firewalld_sshd_disabled/rule.yml index 747b5ab8a6a..46326210627 100644 --- a/linux_os/guide/services/ssh/firewalld_sshd_disabled/rule.yml +++ b/linux_os/guide/services/ssh/firewalld_sshd_disabled/rule.yml @@ -16,8 +16,5 @@ rationale: |- severity: unknown -identifiers: - cce@rhel7: CCE-80218-1 - references: cui: 3.1.12 
diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml index 2fbdd219a10..0bda7699125 100644 --- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml +++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml @@ -14,7 +14,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80215-7 cce@rhel8: CCE-83303-8 cce@rhel9: CCE-90823-6 @@ -30,7 +29,6 @@ references: srg: SRG-OS-000423-GPOS-00187,SRG-OS-000424-GPOS-00188,SRG-OS-000425-GPOS-00189,SRG-OS-000426-GPOS-00190 stigid@ol7: OL07-00-040300 stigid@ol8: OL08-00-040159 - stigid@rhel7: RHEL-07-040300 stigid@rhel8: RHEL-08-040159 stigid@ubuntu2004: UBTU-20-010042 stigid@ubuntu2204: UBTU-22-255010 diff --git a/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml index c58e3e993f3..b7e48957f81 100644 --- a/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml +++ b/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml @@ -32,7 +32,6 @@ severity: high identifiers: cce@rhcos4: CCE-86189-8 - cce@rhel7: CCE-80217-3 ocil_clause: |- {{{ ocil_clause_service_disabled(service="sshd") }}} diff --git a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml index 69828ae7479..858d7e0bc8a 100644 --- a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml +++ b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml @@ -21,7 +21,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80216-5 cce@rhel8: CCE-82426-8 cce@rhel9: CCE-90822-8 cce@sle12: CCE-83201-4 
@@ -39,7 +38,6 @@ references: srg: SRG-OS-000423-GPOS-00187,SRG-OS-000424-GPOS-00188,SRG-OS-000425-GPOS-00189,SRG-OS-000426-GPOS-00190 stigid@ol7: OL07-00-040310 stigid@ol8: OL08-00-040160 - stigid@rhel7: RHEL-07-040310 stigid@rhel8: RHEL-08-040160 stigid@sle12: SLES-12-030100 stigid@sle15: SLES-15-010530 diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml index 5463354fea0..c6139a83b3a 100644 --- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml @@ -23,7 +23,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27413-4 cce@rhel8: CCE-80786-7 cce@rhel9: CCE-90816-0 cce@sle12: CCE-91677-5 @@ -50,7 +49,6 @@ references: ospp: FIA_UAU.1 srg: SRG-OS-000480-GPOS-00229 stigid@ol7: OL07-00-010470 - stigid@rhel7: RHEL-07-010470 {{{ complete_ocil_entry_sshd_option(default="yes", option="HostbasedAuthentication", value="no") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml index ba7033a1fab..56df117a208 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml @@ -17,7 +17,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80361-9 cce@rhel8: CCE-80820-4 cce@rhel9: CCE-89175-4 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml index 4eead1295ef..58d76399668 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml 
@@ -18,7 +18,6 @@ rationale: |- severity: high identifiers: - cce@rhel7: CCE-27320-1 cce@rhel8: CCE-80894-9 cce@rhel9: CCE-90812-9 cce@sle15: CCE-91440-8 @@ -40,7 +39,6 @@ references: nist-csf: PR.AC-1,PR.AC-3,PR.AC-6,PR.AC-7,PR.PT-4 srg: SRG-OS-000074-GPOS-00042,SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040390 - stigid@rhel7: RHEL-07-040390 ocil_clause: 'it is commented out or is not set correctly to Protocol 2' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/tests/openssh-6.6-configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/tests/openssh-6.6-configured.pass.sh deleted file mode 100644 index e6a35178400..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/tests/openssh-6.6-configured.pass.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash -# platform = Red Hat Enterprise Linux 7 - -# Test targeted to RHEL 7.4 -yum downgrade -y openssh-6.6.1p1 openssh-clients-6.6.1p1 openssh-server-6.6.1p1 - -echo "Protocol 2" >> /etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/tests/openssh-6.6.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/tests/openssh-6.6.fail.sh deleted file mode 100644 index aceae6c3866..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/tests/openssh-6.6.fail.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash -# platform = Red Hat Enterprise Linux 7 - -# Test targeted to RHEL 7.4 -yum downgrade -y openssh-6.6.1p1 openssh-clients-6.6.1p1 openssh-server-6.6.1p1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/tests/openssh-7.4.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/tests/openssh-7.4.pass.sh index 7de739e6706..13ebdd983f4 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/tests/openssh-7.4.pass.sh 
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/tests/openssh-7.4.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 # packages = openssh-7.4p1,openssh-clients-7.4p1,openssh-server-7.4p1 # diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml index 184502a043c..21e5071732c 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml @@ -19,7 +19,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80224-9 cce@rhel8: CCE-80895-6 cce@rhel9: CCE-90801-2 cce@sle12: CCE-83062-0 @@ -38,7 +37,6 @@ references: nist-csf: PR.IP-1 srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040470 - stigid@rhel7: RHEL-07-040470 stigid@sle12: SLES-12-030250 ocil_clause: 'it is commented out, or is not set to no or delayed' @@ -49,9 +47,7 @@ ocil: |-
$ sudo grep Compression /etc/ssh/sshd_config
If configured properly, output should be
no
or
delayed
. -{{% if product == "rhel7" %}} -platform: os_linux[rhel]<7.4 -{{% elif product == "ol7" %}} +{{% if product == "ol7" %}} platform: os_linux[ol]<7.4 {{% elif product == "sle12" %}} platform: package[openssh]<7.4 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml index 64d518cd876..f17ea24e575 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml @@ -23,7 +23,6 @@ rationale: |- severity: high identifiers: - cce@rhel7: CCE-27471-2 cce@rhel8: CCE-80896-4 cce@rhel9: CCE-90799-8 cce@sle12: CCE-83014-1 @@ -51,7 +50,6 @@ references: srg: SRG-OS-000106-GPOS-00053,SRG-OS-000480-GPOS-00229,SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-010300 stigid@ol8: OL08-00-020330 - stigid@rhel7: RHEL-07-010300 stigid@rhel8: RHEL-08-020330 stigid@sle12: SLES-12-030150 stigid@sle15: SLES-15-040440 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml index 84e5d497fa2..5e97f85b337 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml @@ -21,7 +21,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80220-7 cce@rhel8: CCE-80897-2 cce@rhel9: CCE-90808-7 cce@sle15: CCE-91441-6 @@ -42,7 +41,6 @@ references: srg: SRG-OS-000364-GPOS-00151,SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040430 stigid@ol8: OL08-00-010522 - stigid@rhel7: RHEL-07-040430 stigid@rhel8: RHEL-08-010522 {{{ complete_ocil_entry_sshd_option(default="yes", option="GSSAPIAuthentication", value="no") }}} 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml index 05de4709b64..e5554b32eed 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml @@ -22,7 +22,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80221-5 cce@rhel8: CCE-80898-0 cce@rhel9: CCE-90802-0 cce@sle15: CCE-91442-4 @@ -43,7 +42,6 @@ references: srg: SRG-OS-000364-GPOS-00151,SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040440 stigid@ol8: OL08-00-010521 - stigid@rhel7: RHEL-07-040440 stigid@rhel8: RHEL-08-010521 {{{ complete_ocil_entry_sshd_option(default="yes", option="KerberosAuthentication", value="no") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/rule.yml index cdaf18fe9dc..bc5c4872c8d 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/rule.yml @@ -17,7 +17,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-82344-3 cce@rhel8: CCE-82345-0 {{{ complete_ocil_entry_sshd_option(default="no", option="PubkeyAuthentication", value="no") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml index 6bd14d991b1..e0cb663c05e 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml @@ -22,7 +22,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82665-1 - cce@rhel7: CCE-27377-1 cce@rhel8: CCE-80899-8 cce@rhel9: CCE-90797-2 cce@sle12: CCE-91676-7 
@@ -46,7 +45,6 @@ references: ospp: FIA_UAU.1 srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040350 - stigid@rhel7: RHEL-07-040350 {{{ complete_ocil_entry_sshd_option(default="yes", option="IgnoreRhosts", value="yes") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/rule.yml index e24aa9a9b7e..fb00e21c78e 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/rule.yml @@ -18,7 +18,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80373-4 cce@rhel8: CCE-80900-4 cce@rhel9: CCE-87836-3 @@ -36,7 +35,6 @@ references: ospp: FIA_UAU.1 srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040330 - stigid@rhel7: RHEL-07-040330 ocil: | To check which SSH protocol version is allowed, check version of diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml index c4b786ae9be..e2b1d9b6027 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml @@ -20,7 +20,6 @@ severity: medium identifiers: cce@rhcos4: CCE-89550-8 - cce@rhel7: CCE-27445-6 cce@rhel8: CCE-80901-2 cce@rhel9: CCE-90800-4 cce@sle12: CCE-83035-6 @@ -48,7 +47,6 @@ references: srg: SRG-OS-000109-GPOS-00056,SRG-OS-000480-GPOS-00227,SRG-APP-000148-CTR-000335,SRG-APP-000190-CTR-000500 stigid@ol7: OL07-00-040370 stigid@ol8: OL08-00-010550 - stigid@rhel7: RHEL-07-040370 stigid@rhel8: RHEL-08-010550 stigid@sle12: SLES-12-030140 stigid@sle15: SLES-15-020040 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml index efb75a79139..89979e2bce4 100644 
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml @@ -14,7 +14,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-85854-8 cce@rhel8: CCE-83301-2 cce@rhel9: CCE-90806-1 cce@sle12: CCE-92204-7 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml index 0bb62b7c93c..4719b7cbe62 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml @@ -18,7 +18,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80372-6 cce@rhel8: CCE-80902-0 cce@rhel9: CCE-90796-4 cce@sle12: CCE-83056-2 @@ -39,7 +38,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040380 stigid@ol8: OL08-00-010520 - stigid@rhel7: RHEL-07-040380 stigid@rhel8: RHEL-08-010520 stigid@sle12: SLES-12-030200 stigid@sle15: SLES-15-040230 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml index 24eafaade2d..3fcf912d777 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml @@ -25,7 +25,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-83359-0 cce@rhel8: CCE-83360-8 cce@rhel9: CCE-90798-0 cce@sle12: CCE-91675-9 @@ -42,7 +41,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040710 stigid@ol8: OL08-00-040340 - stigid@rhel7: RHEL-07-040710 stigid@rhel8: RHEL-08-040340 stigid@sle15: SLES-15-040290 stigid@ubuntu2004: UBTU-20-010048 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml index b007cf14e06..022a0a4eaf6 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml @@ -19,7 +19,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27363-1 cce@rhel8: CCE-80903-8 cce@rhel9: CCE-90803-8 cce@sle12: CCE-83015-8 @@ -46,7 +45,6 @@ references: srg: SRG-OS-000480-GPOS-00229 stigid@ol7: OL07-00-010460 stigid@ol8: OL08-00-010830 - stigid@rhel7: RHEL-07-010460 stigid@rhel8: RHEL-08-010830 stigid@sle12: SLES-12-030151 stigid@sle15: SLES-15-040440 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml index a0aefb6fa30..48bb96888a6 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml @@ -21,7 +21,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86720-0 cce@rhel8: CCE-86721-8 cce@rhel9: CCE-86722-6 cce@sle12: CCE-92203-9 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml index 32289015478..6e359148e0c 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml @@ -21,7 +21,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80222-3 cce@rhel8: CCE-80904-6 cce@rhel9: CCE-90809-5 cce@sle12: CCE-83060-4 @@ -42,7 +41,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040450 stigid@ol8: OL08-00-010500 - stigid@rhel7: RHEL-07-040450 stigid@rhel8: RHEL-08-010500 stigid@sle12: SLES-12-030230 stigid@sle15: SLES-15-040260 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml index 2ac928bb65c..48a9167ad99 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml @@ -19,7 +19,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27314-4 cce@rhel8: CCE-80905-3 cce@rhel9: CCE-90807-9 cce@sle12: CCE-83066-1 @@ -44,7 +43,6 @@ references: srg: SRG-OS-000023-GPOS-00006,SRG-OS-000228-GPOS-00088 stigid@ol7: OL07-00-040170 stigid@ol8: OL08-00-010040 - stigid@rhel7: RHEL-07-040170 stigid@rhel8: RHEL-08-010040 stigid@sle12: SLES-12-030050 stigid@sle15: SLES-15-010040 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml index f62c3bbf77e..1cae35ddfa0 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml @@ -23,7 +23,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-87977-5 cce@rhel8: CCE-87978-3 cce@rhel9: CCE-87979-1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml index 2f388a324b4..80f48cf7740 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml @@ -18,7 +18,6 @@ rationale: |- severity: high identifiers: - cce@rhel7: CCE-80226-4 cce@rhel8: CCE-82421-9 cce@rhel9: CCE-89696-9 cce@sle12: CCE-83017-4 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/rule.yml index 02bee6dbe5b..c6463008ebc 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/rule.yml @@ -44,7 +44,6 @@ ocil: |- identifiers: cce@rhcos4: CCE-82664-4 - cce@rhel7: CCE-80219-9 cce@rhel8: CCE-82422-7 cce@rhel9: CCE-86817-4 cce@sle12: CCE-92212-0 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml index 68550406122..66d78271f20 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml @@ -19,7 +19,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80225-6 cce@rhel8: CCE-82281-7 cce@rhel9: CCE-90804-6 cce@sle12: CCE-83083-6 @@ -37,7 +36,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040360 stigid@ol8: OL08-00-020350 - stigid@rhel7: RHEL-07-040360 stigid@rhel8: RHEL-08-020350 stigid@sle12: SLES-12-030130 stigid@sle15: SLES-15-020120 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel7.ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel7.ok.pass.sh deleted file mode 100644 index b2aae7753f5..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel7.ok.pass.sh +++ /dev/null @@ -1,4 +0,0 @@ -# platform = Red Hat Enterprise Linux 7 - -sed -i '/^\s*RekeyLimit\b/Id' /etc/ssh/sshd_config -echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml index dd23dc26bc5..44f53e1b05b 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml 
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml @@ -26,7 +26,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82549-7 - cce@rhel7: CCE-27433-2 cce@rhel8: CCE-80906-1 cce@rhel9: CCE-90811-1 cce@sle12: CCE-83027-3 @@ -52,7 +51,6 @@ references: srg: SRG-OS-000126-GPOS-00066,SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109,SRG-OS-000395-GPOS-00175 stigid@ol7: OL07-00-040320 stigid@ol8: OL08-00-010201 - stigid@rhel7: RHEL-07-040320 stigid@rhel8: RHEL-08-010201 stigid@sle12: SLES-12-030190 stigid@sle15: SLES-15-010280 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/other_comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/other_comment.fail.sh index 0dc273a1bda..ff058c37d83 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/other_comment.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/other_comment.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 SSHD_CONFIG="/etc/ssh/sshd_config" diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/other_line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/other_line_not_there.fail.sh index 88a1cd92f3f..e5ba68c3d06 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/other_line_not_there.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/other_line_not_there.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 # remediation = none # The rule doesn't remediate the ClientAliveCountMax setting, we have another rule for that. 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/other_wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/other_wrong_value.fail.sh index 7e0b58b4de0..c11fc94468b 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/other_wrong_value.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/other_wrong_value.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 # remediation = none # The rule doesn't remediate the ClientAliveCountMax setting, we have another rule for that. diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml index 9a3fbb8cd77..8e7f30c6245 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml @@ -25,7 +25,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82464-9 - cce@rhel7: CCE-27082-7 cce@rhel8: CCE-80907-9 cce@rhel9: CCE-90805-3 cce@sle12: CCE-83034-9 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml index bbcc2bfb787..18fb03fbac9 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml @@ -25,7 +25,6 @@ severity: medium identifiers: cce@rhcos4: CCE-83406-9 - cce@rhel7: CCE-83399-6 cce@rhel8: CCE-83405-1 cce@rhel9: CCE-90271-8 cce@sle12: CCE-83407-7 @@ -47,7 +46,6 @@ references: pcidss: Req-8.1.8 srg: SRG-OS-000126-GPOS-00066,SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109 stigid@ol7: OL07-00-040340 - stigid@rhel7: RHEL-07-040340 stigid@sle12: SLES-12-030191 stigid@sle15: SLES-15-010320 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/rule.yml index 11cf26a5375..35a057b2192 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86550-1 cce@rhel8: CCE-86551-9 cce@rhel9: CCE-86552-7 cce@sle12: CCE-92281-5 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml index e3fe489a221..c87342fe773 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml @@ -23,7 +23,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-80645-5 cce@rhel8: CCE-82282-5 cce@rhel9: CCE-90813-7 cce@sle12: CCE-92278-1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml index 7b6f37fabbb..fb77ee1267d 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml @@ -21,7 +21,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-82419-3 cce@rhel8: CCE-82420-1 cce@rhel9: CCE-86923-0 cce@sle12: CCE-83077-8 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml index 595a6684e30..53aef225b1e 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml 
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82354-2
 cce@rhel8: CCE-83500-9
 cce@rhel9: CCE-90810-3
 cce@sle12: CCE-92202-1
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
index d48f00f942d..847683e6766 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-85856-3
 cce@rhel8: CCE-83357-4
 cce@rhel9: CCE-84103-1
 cce@sle12: CCE-91679-1
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/rhel7_correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/rhel7_correct_value.pass.sh
deleted file mode 100644
index 01447849fac..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/rhel7_correct_value.pass.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-# platform = Red Hat Enterprise Linux 7
-
-{{{ bash_sshd_config_set(parameter="MaxSessions", value="10") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml
index 0fe0bffb3bb..19a15aeff69 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml
@@ -21,7 +21,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-90714-7
 cce@rhel8: CCE-90718-8
 cce@rhel9: CCE-87872-8
 cce@sle12: CCE-91678-3
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
index 3ca461e2451..9d6d61f5603 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
@@ -10,7 +10,7 @@ description: |-
 demonstrates use of FIPS-approved ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
The man page sshd_config(5) contains a list of supported ciphers.
-{{% if product in ["rhel7","ol7"] %}}
+{{% if product in ["ol7"] %}}

Only the following ciphers are FIPS 140-2 certified on {{{ full_name }}}:
- aes128-ctr
@@ -46,7 +46,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-27295-5
 cce@rhel8: CCE-81032-5
 cce@rhel9: CCE-86767-1
 cce@sle12: CCE-83181-8
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/cis_rhel7_correct_value_full.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/cis_rhel7_correct_value_full.pass.sh
index 56e7679c2e1..4a0a9ac7d40 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/cis_rhel7_correct_value_full.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/cis_rhel7_correct_value_full.pass.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Oracle Linux 7
 # profiles = xccdf_org.ssgproject.content_profile_cis
 if grep -q "^Ciphers" /etc/ssh/sshd_config; then
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/cis_rhel7_wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/cis_rhel7_wrong_value.fail.sh
index 52d85da96ae..5b236f40b54 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/cis_rhel7_wrong_value.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/cis_rhel7_wrong_value.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Oracle Linux 7
 # profiles = xccdf_org.ssgproject.content_profile_cis
 if grep -q "^Ciphers" /etc/ssh/sshd_config; then
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml
index 5b9f9e1a453..ca5a566b250 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu
+# platform = Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu
 # reboot = false
 # strategy = restrict
 # complexity = low
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh
index 8940777f9c8..db2fa2fa80f 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu
+# platform = Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu
 {{%- if 'ubuntu' in product %}}
 {{{ bash_instantiate_variables('sshd_approved_ciphers') }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
index 746cf91960e..e34d0202f6a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
@@ -30,14 +30,12 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83398-8
 cce@sle15: CCE-83271-7
 references:
 disa: CCI-000068,CCI-000366,CCI-000803,CCI-000877,CCI-002890,CCI-003123
 srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
 stigid@ol7: OL07-00-040110
- stigid@rhel7: RHEL-07-040110
 stigid@sle15: SLES-15-010160
 stigid@ubuntu2004: UBTU-20-010044
 stigid@ubuntu2204: UBTU-22-255050
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/ansible/shared.yml
index 645e62cae56..f13ba1b93dd 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu
+# platform = Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu
 # reboot = false
 # strategy = restrict
 # complexity = low
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/bash/shared.sh
index 63722838e6b..c6f253b9dd3 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu
+# platform = Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu
 KEX_ALGOS="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,\
 diffie-hellman-group-exchange-sha256"
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml
index 122a0a80e36..1237d53114a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml
@@ -6,7 +6,7 @@ "diffie-hellman-group14-sha256","diffie-hellman-group16-sha512",
 "diffie-hellman-group18-sha512"] %}}
 {{% set sufix_conf="(\s.*)?'" %}}
-{{% elif product in ['ol7','rhel7','sle12','sle15','ubuntu2004'] %}}
+{{% elif product in ['ol7', 'sle12','sle15','ubuntu2004'] %}}
 {{% set path='/etc/ssh/sshd_config' %}}
 {{% set prefix_conf="^\s*KexAlgorithms\s*" %}}
 {{% set kex_algos=["ecdh-sha2-nistp256","ecdh-sha2-nistp384","ecdh-sha2-nistp521",
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml
index 4bdf933638a..db81f3db9c9 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml
@@ -4,7 +4,7 @@ ",ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" ~
 ",diffie-hellman-group14-sha256,diffie-hellman-group16-sha512" ~
 ",diffie-hellman-group18-sha512'" %}}
-{{% elif product in ['ol7','rhel7'] %}}
+{{% elif product in ['ol7'] %}}
 {{% set path='/etc/ssh/sshd_config' %}}
 {{% set conf="KexAlgorithms ecdh-sha1-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521" ~
 ",diffie-hellman-group-exchange-sha256" %}}
@@ -36,7 +36,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86061-9
 cce@rhel8: CCE-86059-3
 cce@sle12: CCE-92336-7
 cce@sle15: CCE-92505-7
@@ -47,7 +46,6 @@ references:
 srg: SRG-OS-000250-GPOS-00093
 stigid@ol7: OL07-00-040712
 stigid@ol8: OL08-00-040342
- stigid@rhel7: RHEL-07-040712
 stigid@rhel8: RHEL-08-040342
 stigid@sle12: SLES-12-030270
 stigid@sle15: SLES-15-040450
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/common.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/common.sh
index 81a70279799..43e7736dd0f 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/common.sh
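Review bot: The rewritten membership list `['ol7', 'sle12','sle15','ubuntu2004']` keeps a space after the first comma but none after the others, a leftover of deleting `'rhel7'` from the middle of the list; the same artefact appears in the tests/common.sh hunk below (`['ol7', 'sle12','sle15','ubuntu2004', 'ubuntu2204']`). Dropping the stray space keeps the line consistent with the untouched entries: `{{% elif product in ['ol7','sle12','sle15','ubuntu2004'] %}}`. The enclosing Jinja if/elif chain starts before this hunk.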
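Review bot: The `conf` string in the branch now guarded by `{{% elif product in ['ol7'] %}}` names `ecdh-sha1-nistp256`, which does not look like a valid OpenSSH KexAlgorithms identifier; the bash remediation (`KEX_ALGOS=...`) and the OVAL `kex_algos` list changed in this same commit both spell it `ecdh-sha2-nistp256`. Since this text is what an Oracle Linux 7 administrator is told to put into sshd_config, it is worth correcting while the guard is being edited: `{{% set conf="KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521" ~`. The line is unchanged context here, so the mismatch appears to predate this commit; the surrounding if/elif chain starts before the hunk.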
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/common.sh
@@ -5,7 +5,7 @@ CONF_PREFIX="CRYPTO_POLICY='-oKexAlgorithms="
 KEX_ALGOS="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"
 CONF_SUFIX="'"
 CONF_PREFIX_REGEX="^\s*CRYPTO_POLICY"
-{{% elif product in ['ol7','rhel7','sle12','sle15','ubuntu2004', 'ubuntu2204'] %}}
+{{% elif product in ['ol7', 'sle12','sle15','ubuntu2004', 'ubuntu2204'] %}}
 FILE_PATH='/etc/ssh/sshd_config'
 FILE_PATH_CONFIGDIR='/etc/ssh/sshd_config.d'
 CONF_PREFIX="KexAlgorithms "
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml
index 2c5cf7e1c78..e186ea31f4a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_sle
+# platform = Oracle Linux 7,multi_platform_sle
 # reboot = false
 # strategy = restrict
 # complexity = low
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh
index b2717c8f5b8..57344cfbabd 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu
+# platform = Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu
 {{{ bash_instantiate_variables("sshd_approved_macs") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
index db30ff8d061..5e6a3fb0ccf 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
@@ -13,7 +13,7 @@ description: |-
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
{{% endif %}}
 The man page sshd_config(5) contains a list of supported MACs.
-{{% if product in ["rhel7","ol7"] %}}
+{{% if product in ["ol7"] %}}

Only the following message authentication codes are FIPS 140-2 certified on {{{ full_name }}}:
- hmac-sha1
@@ -40,7 +40,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-27455-5
 cce@rhel8: CCE-82198-3
 cce@sle12: CCE-83036-4
 cce@sle15: CCE-91338-4
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/tests/rhel7_correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/tests/rhel7_correct_value.pass.sh
index 4c18c748d31..f8fa7a40836 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/tests/rhel7_correct_value.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/tests/rhel7_correct_value.pass.sh
@@ -1,4 +1,4 @@
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Oracle Linux 7
 #
 # profiles = xccdf_org.ssgproject.content_profile_cis
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
index aec4e1e4dae..e87e33dc944 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu
+# platform = Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu
 # reboot = false
 # strategy = restrict
 # complexity = low
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
index b7aa5097075..a2ea17f05cb 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu
+# platform = Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu
 {{%- if 'ubuntu' in product %}}
 {{{ bash_instantiate_variables('sshd_approved_macs') }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
index e43053b9d74..a999212de04 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
@@ -23,14 +23,12 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83636-1
 cce@sle15: CCE-83280-8
 references:
 disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
 srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
 stigid@ol7: OL07-00-040400
- stigid@rhel7: RHEL-07-040400
 stigid@sle15: SLES-15-010270
 stigid@ubuntu2004: UBTU-20-010043
 stigid@ubuntu2204: UBTU-22-255055
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
index 8fef777e753..6fdd1f4ee2e 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80223-1
 cce@rhel8: CCE-80908-7
 cce@rhel9: CCE-88822-2
 cce@sle12: CCE-83061-2
@@ -36,7 +35,6 @@ references:
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-040460
- stigid@rhel7: RHEL-07-040460
 stigid@sle12: SLES-12-030240
 stigid@sle15: SLES-15-040270
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
index e8595c8deea..2252077b7e3 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
@@ -22,7 +22,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82363-3
 cce@sle12: CCE-92279-9
 cce@sle15: CCE-91395-4
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml
index 4b00f39ee86..7944d6112d8 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86090-8
 cce@rhel8: CCE-86518-8
 cce@rhel9: CCE-86768-9
 cce@sle12: CCE-92339-1
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/bad_kex_rhel7_cis.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/bad_kex_rhel7_cis.fail.sh
deleted file mode 100644
index ab7cebb0c47..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/bad_kex_rhel7_cis.fail.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-# platform = Red Hat Enterprise Linux 7
-# profiles = xccdf_org.ssgproject.content_profile_cis
-
-sed -i 's/^\s*KexAlgorithms\s.*//i' /etc/ssh/sshd_config
-echo "KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/good_kex_rhel7_cis.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/good_kex_rhel7_cis.pass.sh
deleted file mode 100644
index 8fe980559df..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/good_kex_rhel7_cis.pass.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-# platform = Red Hat Enterprise Linux 7
-# profiles = xccdf_org.ssgproject.content_profile_cis
-
-sed -i 's/^\s*KexAlgorithms\s.*//i' /etc/ssh/sshd_config
-echo "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/good_kex_strict_rhel7_cis.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/good_kex_strict_rhel7_cis.pass.sh
deleted file mode 100644
index 56421d53d75..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/good_kex_strict_rhel7_cis.pass.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-# platform = Red Hat Enterprise Linux 7
-# profiles = xccdf_org.ssgproject.content_profile_cis
-
-sed -i 's/^\s*KexAlgorithms\s.*//i' /etc/ssh/sshd_config
-echo "KexAlgorithms curve25519-sha256" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/mixed_kex_rhel7_cis.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/mixed_kex_rhel7_cis.fail.sh
deleted file mode 100644
index 80603558a70..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/mixed_kex_rhel7_cis.fail.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-# platform = Red Hat Enterprise Linux 7
-# profiles = xccdf_org.ssgproject.content_profile_cis
-
-sed -i 's/^\s*KexAlgorithms\s.*//i' /etc/ssh/sshd_config
-echo "KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
index a4621f128b3..f7bd79e6da1 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82364-1
 cce@rhel8: CCE-86504-8
 cce@rhel9: CCE-86769-7
 cce@sle12: CCE-92280-7
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
index 3dba535612a..5d5a8311fae 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
@@ -26,7 +26,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83404-4
 cce@rhel8: CCE-84058-7
 cce@rhel9: CCE-89105-1
 cce@sle12: CCE-83228-7
@@ -37,7 +36,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-040711
 stigid@ol8: OL08-00-040341
- stigid@rhel7: RHEL-07-040711
 stigid@rhel8: RHEL-08-040341
 stigid@sle12: SLES-12-030261
 stigid@ubuntu2004: UBTU-20-010049
diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
index 0f5ef88db44..cedfd6a852e 100644
--- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var
+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
@@ -15,7 +15,6 @@ options:
 stig_extended: aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
 stig_rhel9: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
 default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
- cis_rhel7: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 cis_rhel8: -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
 cis_rhel9: -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
 cis_sle12: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
diff --git a/linux_os/guide/services/ssh/sshd_approved_macs.var b/linux_os/guide/services/ssh/sshd_approved_macs.var
index 1947c024f81..12660e5a5c8 100644
--- a/linux_os/guide/services/ssh/sshd_approved_macs.var
+++ b/linux_os/guide/services/ssh/sshd_approved_macs.var
@@ -14,7 +14,6 @@ options:
 stig: hmac-sha2-512,hmac-sha2-256
 stig_extended: hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 default: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
- cis_rhel7: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-etm@openssh.com
 cis_sle12: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
 cis_sle15: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
 cis_ubuntu: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
diff --git a/linux_os/guide/services/ssh/sshd_strong_kex.var b/linux_os/guide/services/ssh/sshd_strong_kex.var
index ac25c735a77..54bc0f1a9e9 100644
--- a/linux_os/guide/services/ssh/sshd_strong_kex.var
+++ b/linux_os/guide/services/ssh/sshd_strong_kex.var
@@ -13,7 +13,6 @@ interactive: false
 options:
 default: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
 pcidss: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
- cis_rhel7: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
 cis_rhel8: -diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
 cis_rhel9: -diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
 cis_sle12: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
diff --git a/linux_os/guide/services/ssh/sshd_strong_macs.var b/linux_os/guide/services/ssh/sshd_strong_macs.var
index 824888a7e99..fe5d6902d18 100644
--- a/linux_os/guide/services/ssh/sshd_strong_macs.var
+++ b/linux_os/guide/services/ssh/sshd_strong_macs.var
@@ -12,7 +12,6 @@ interactive: false
 options:
 default: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
- cis_rhel7: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
 cis_rhel8: -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com
 cis_rhel9: -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com
 cis_sle12: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
diff --git a/linux_os/guide/services/sssd/group.yml b/linux_os/guide/services/sssd/group.yml
index 5f99e0fa39a..41a1e46e3c1 100644
--- a/linux_os/guide/services/sssd/group.yml
+++ b/linux_os/guide/services/sssd/group.yml
@@ -10,9 +10,7 @@ description: |-
 servers permit offline authentication as well as store extended user data.

For more information, see
- {{%- if product == "rhel7" -%}}
- {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/sssd") }}}
- {{%- elif product == "rhel8" -%}}
+ {{%- if product == "rhel8" -%}}
 {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/installing_identity_management/index#assembly_installing-an-idm-client_installing-identity-management") }}}
 {{%- elif product == "rhel9" -%}}
 {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/installing_identity_management/index#assembly_installing-an-idm-client_installing-identity-management") }}}
diff --git a/linux_os/guide/services/sssd/package_sssd-ipa_installed/rule.yml b/linux_os/guide/services/sssd/package_sssd-ipa_installed/rule.yml
index ea6819504be..039d6d76860 100644
--- a/linux_os/guide/services/sssd/package_sssd-ipa_installed/rule.yml
+++ b/linux_os/guide/services/sssd/package_sssd-ipa_installed/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82993-7
 cce@rhel8: CCE-82994-5
 references:
diff --git a/linux_os/guide/services/sssd/package_sssd_installed/rule.yml b/linux_os/guide/services/sssd/package_sssd_installed/rule.yml
index e96534e3ad1..12d47e998cc 100644
--- a/linux_os/guide/services/sssd/package_sssd_installed/rule.yml
+++ b/linux_os/guide/services/sssd/package_sssd_installed/rule.yml
@@ -12,7 +12,6 @@ rationale: ""
 severity: medium
 identifiers:
- cce@rhel7: CCE-80362-7
 cce@rhel8: CCE-82444-1
 cce@rhel9: CCE-86083-3
diff --git a/linux_os/guide/services/sssd/service_sssd_enabled/rule.yml b/linux_os/guide/services/sssd/service_sssd_enabled/rule.yml
index 63bb70ec362..1f046414e34 100644
--- a/linux_os/guide/services/sssd/service_sssd_enabled/rule.yml
+++ b/linux_os/guide/services/sssd/service_sssd_enabled/rule.yml
@@ -12,7 +12,6 @@ rationale: ""
 severity: medium
 identifiers:
- cce@rhel7: CCE-80363-5
 cce@rhel8: CCE-82440-9
 cce@rhel9: CCE-86088-2
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml
index 91e997ddb7e..b4e2daee297 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml
@@ -23,7 +23,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80516-8
 cce@rhel8: CCE-82438-3
 references:
@@ -31,7 +30,6 @@ references:
 nist: SC-12(3),CM-6(a)
 srg: SRG-OS-000250-GPOS-00093
 stigid@ol7: OL07-00-040200
- stigid@rhel7: RHEL-07-040200
 ocil_clause: 'the TLS CA cert is not configured'
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml
index 034c2c04968..3cb5978efea 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml
@@ -23,7 +23,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80515-0
 cce@rhel8: CCE-82456-5
 references:
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
index f8ac222efad..63f07eb8b0e 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-84061-1
 cce@rhel8: CCE-84062-9
 cce@rhel9: CCE-86081-7
@@ -25,7 +24,6 @@ references:
 nist: SC-12(3),CM-6(a)
 srg: SRG-OS-000250-GPOS-00093
 stigid@ol7: OL07-00-040190
- stigid@rhel7: RHEL-07-040190
 ocil_clause: 'the TLS reqcert is not set to demand'
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml
index 5b098557468..d66af9ee73f 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml
@@ -23,7 +23,6 @@ rationale: |-
 severity: high
 identifiers:
- cce@rhel7: CCE-80546-5
 cce@rhel8: CCE-82437-5
 cce@rhel9: CCE-86082-5
@@ -38,7 +37,6 @@ references:
 nist-csf: PR.AC-3,PR.IP-1,PR.PT-3,PR.PT-4
 srg: SRG-OS-000250-GPOS-00093
 stigid@ol7: OL07-00-040180
- stigid@rhel7: RHEL-07-040180
 ocil_clause: 'the ''ldap_id_use_start_tls'' option is not set to ''true'''
diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml b/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml
index dd64b76c455..2b34269ce33 100644
--- a/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml
+++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml
@@ -21,7 +21,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80437-7
 cce@rhel8: CCE-82446-6
 cce@rhel9: CCE-86087-4
@@ -36,7 +35,6 @@ references:
 nist-csf: PR.AC-1,PR.AC-6,PR.AC-7
 srg: SRG-OS-000375-GPOS-00160,SRG-OS-000376-GPOS-00161,SRG-OS-000377-GPOS-00162
 stigid@ol7: OL07-00-041002
- stigid@rhel7: RHEL-07-041002
 ocil_clause: 'it does not exist or ''pam'' is not added to the ''services'' option under the ''sssd'' section'
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml
index bb15da50b7b..35a5af7818d 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml
@@ -38,7 +38,6 @@ severity: medium platform: machine # The check uses service_... extended definition, which doesnt support offline mode identifiers: - cce@rhel7: CCE-80570-5 cce@rhel8: CCE-80909-5 cce@rhel9: CCE-89155-6 cce@sle12: CCE-91467-1 diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_false.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_false.fail.sh index 90321aa804c..a82d13a109c 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_false.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_false.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = sssd -# platform = multi_platform_fedora,Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4 +# platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4 SSSD_FILE="/etc/sssd/sssd.conf" echo "[pam]" > $SSSD_FILE diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing.fail.sh index 2755d98bf0e..cacd05850f3 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = sssd -# platform = multi_platform_fedora,Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4 +# platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4 SSSD_FILE="/etc/sssd/sssd.conf" echo "[pam]" > $SSSD_FILE diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_file.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_file.fail.sh index d1bac35ca13..55f51c86d7b 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_file.fail.sh 
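Review bot: After this edit the `# platform =` header of sssd_parameter_false.fail.sh reads `multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4` and names no RHEL product at all, while the rule.yml hunk just above still carries `cce@rhel8` and `cce@rhel9`; the same applies to sssd_parameter_missing.fail.sh, sssd_parameter_missing_file.fail.sh and sssd_parameter_true.pass.sh. RHEL 8 was not listed before the change either, but since the line is being rewritten it is the moment to decide whether these scenarios should run on current RHEL — `multi_platform_rhel`, as this commit does for the xwindows_runlevel_target tests — or whether RHEL 8+ is excluded on purpose (presumably because the check or the sssd configuration differs there, which I cannot confirm from the hunk). If the exclusion is deliberate, a one-line comment next to the platform line, e.g. `# RHEL 8+ intentionally excluded: <reason>`, would save the next reader the same question.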
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_file.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = sssd -# platform = multi_platform_fedora,Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4 +# platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4 SSSD_FILE="/etc/sssd/sssd.conf" rm -f $SSSD_FILE diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_true.pass.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_true.pass.sh index 4e9f1c6c638..efd43cde538 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_true.pass.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_true.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = sssd -# platform = multi_platform_fedora,Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4 +# platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4 SSSD_FILE="/etc/sssd/sssd.conf" echo "[pam]" > $SSSD_FILE diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml index f66a0826d9b..2a93eb787b2 100644 --- a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml +++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml @@ -24,7 +24,6 @@ severity: medium platform: machine # The check uses service_... extended definition, which doesnt support offline mode identifiers: - cce@rhel7: CCE-80364-3 cce@rhel8: CCE-80910-3 cce@sle12: CCE-83040-6 cce@sle15: CCE-83295-6 diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml index 2d01fec0063..09d5f16f818 100644 --- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml +++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml 
@@ -29,7 +29,6 @@ severity: medium platform: machine # The check uses service_... extended definition, which doesnt support offline mode identifiers: - cce@rhel7: CCE-80365-0 cce@rhel8: CCE-82460-7 cce@rhel9: CCE-87996-5 cce@sle12: CCE-83206-3 diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml index 3ea8a8d8130..fb21708911b 100644 --- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml +++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml @@ -22,7 +22,6 @@ severity: medium platform: machine # The check uses service_... extended definition, which doesnt support offline mode identifiers: - cce@rhel7: CCE-80366-8 cce@rhel8: CCE-82442-5 references: diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml index fdfbf27e7ce..47fc340c332 100644 --- a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml +++ b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml @@ -39,7 +39,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82524-0 - cce@rhel7: CCE-82960-6 cce@rhel8: CCE-82959-8 cce@rhel9: CCE-84203-9 diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml index 6ab6a5ec519..1a37f6dd576 100644 --- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml +++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml @@ -22,7 +22,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27218-7 cce@rhel8: CCE-82757-6 cce@rhel9: CCE-84104-9 cce@sle12: CCE-92241-9 
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/anaconda/shared.anaconda b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/anaconda/shared.anaconda index d7b3f116804..98badb7903f 100644 --- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/anaconda/shared.anaconda +++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/anaconda/shared.anaconda @@ -1,3 +1,3 @@ # platform = multi_platform_all -package --remove=xorg-x11-server-Xorg --remove=xorg-x11-server-common --remove=xorg-x11-server-utils {{{ "--remove=xorg-x11-server-Xwayland" if product not in ["rhel7", "ol7"] }}} +package --remove=xorg-x11-server-Xorg --remove=xorg-x11-server-common --remove=xorg-x11-server-utils {{{ "--remove=xorg-x11-server-Xwayland" if product not in ["ol7"] }}} diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/ansible/shared.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/ansible/shared.yml index a5ff9b07bfa..d07c9a840b5 100644 --- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/ansible/shared.yml +++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Oracle Linux 7,Oracle Linux 8 +# platform = Red Hat Enterprise Linux 8,Oracle Linux 7,Oracle Linux 8 # reboot = true # strategy = restrict # complexity = low @@ -10,7 +10,7 @@ - xorg-x11-server-Xorg - xorg-x11-server-common - xorg-x11-server-utils -{{% if product not in ["rhel7", "ol7"] %}} +{{% if product not in ["ol7"] %}} - xorg-x11-server-Xwayland {{% endif %}} state: absent 
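Review bot: `product not in ["ol7"]` in the anaconda snippet is a membership test against a one-element list; now that rhel7 is gone, `product != "ol7"` states the same condition more directly, and the identical shape recurs in the ansible hunk below, in bash/shared.sh, oval/shared.xml, rule.yml (description, ocil and fixtext) and the three test scripts of xwindows_remove_packages. Keeping the list form is reasonable only if further products are expected to join it; either way the condition no longer explains itself, so a template comment near the first use saying why OL7 is excluded from the Xwayland removal (the reason looks like the package not being shipped there, but that is inferred from the exclusion, not shown in the hunk) would help whoever touches this next.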
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/bash/shared.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/bash/shared.sh index 496dc74be7c..71bdd2de1e8 100644 --- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/bash/shared.sh +++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/bash/shared.sh @@ -9,6 +9,6 @@ {{{ bash_package_remove("xorg-x11-server-Xorg") }}} {{{ bash_package_remove("xorg-x11-server-utils") }}} {{{ bash_package_remove("xorg-x11-server-common") }}} -{{% if product not in ["rhel7", "ol7"] %}} +{{% if product not in ["ol7"] %}} {{{ bash_package_remove("xorg-x11-server-Xwayland") }}} {{% endif %}} diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/oval/shared.xml index 0868ec6eae7..3d3c64b9454 100644 --- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/oval/shared.xml +++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/oval/shared.xml @@ -8,7 +8,7 @@ definition_ref="package_xorg-x11-server-common_removed" /> -{{% if product not in ["rhel7", "ol7"] %}} +{{% if product not in ["ol7"] %}} {{% endif %}} @@ -17,7 +17,7 @@ {{{ oval_test_package_removed(package='xorg-x11-server-Xorg', test_id='package_xorg-x11-server-Xorg_removed') }}} {{{ oval_test_package_removed(package='xorg-x11-server-utils', test_id='package_xorg-x11-server-utils_removed') }}} -{{% if product not in ["rhel7", "ol7"] %}} +{{% if product not in ["ol7"] %}} {{{ oval_test_package_removed(package='xorg-x11-server-Xwayland', test_id='package_xorg-x11-server-Xwayland_removed') }}} {{% endif %}} 
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml index f6c16152982..2933a2e8893 100644 --- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml +++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml @@ -5,7 +5,7 @@ title: 'Disable graphical user interface' description: |- By removing the following packages, the system no longer has X Windows installed. - {{% if product in ["rhel7", "ol7"] %}} + {{% if product in ["ol7"] %}} xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils {{% else %}} xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland @@ -13,7 +13,7 @@ description: |- If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following command: - {{% if product in ["rhel7", "ol7"] %}} + {{% if product in ["ol7"] %}}
sudo {{{ pkg_manager }}} remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils
{{% else %}}
sudo {{{ pkg_manager }}} remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
@@ -26,7 +26,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-83410-1 cce@rhel8: CCE-83411-9 cce@rhel9: CCE-84106-4 cce@sle12: CCE-92242-7 @@ -40,14 +39,13 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040730 stigid@ol8: OL08-00-040320 - stigid@rhel7: RHEL-07-040730 stigid@rhel8: RHEL-08-040320 ocil_clause: 'xorg related packages are not removed and run level is not correctly configured' ocil: |- To ensure the X Windows package group is removed, run the following command: - {{% if product in ["rhel7", "ol7"] %}} + {{% if product in ["ol7"] %}}
$ rpm -qi xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils
{{% else %}}
$ rpm -qi xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
@@ -57,7 +55,7 @@ ocil: |- fixtext: |- To ensure the X Windows package group is removed, run the following command: - {{% if product in ["rhel7", "ol7"] %}} + {{% if product in ["ol7"] %}}
$ sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils
{{% else %}} {{{ package_remove("xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland") }}} diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed.fail.sh index b3908cff002..87453bad1ac 100644 --- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed.fail.sh +++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed.fail.sh @@ -3,6 +3,6 @@ {{{ bash_package_install("xorg-x11-server-Xorg") }}} {{{ bash_package_install("xorg-x11-server-utils") }}} {{{ bash_package_install("xorg-x11-server-common") }}} -{{% if product not in ["rhel7", "ol7"] %}} +{{% if product not in ["ol7"] %}} {{{ bash_package_install("xorg-x11-server-Xwayland") }}} {{% endif %}} diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed_removed.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed_removed.pass.sh index abafdbd624a..67f1b0f18a9 100644 --- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed_removed.pass.sh +++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed_removed.pass.sh 
@@ -4,13 +4,13 @@ {{{ bash_package_install("xorg-x11-server-Xorg") }}} {{{ bash_package_install("xorg-x11-server-utils") }}} {{{ bash_package_install("xorg-x11-server-common") }}} -{{% if product not in ["rhel7", "ol7"] %}} +{{% if product not in ["ol7"] %}} {{{ bash_package_install("xorg-x11-server-Xwayland") }}} {{% endif %}} {{{ bash_package_remove("xorg-x11-server-Xorg") }}} {{{ bash_package_remove("xorg-x11-server-utils") }}} {{{ bash_package_remove("xorg-x11-server-common") }}} -{{% if product not in ["rhel7", "ol7"] %}} +{{% if product not in ["ol7"] %}} {{{ bash_package_remove("xorg-x11-server-Xwayland") }}} {{% endif %}} diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_removed.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_removed.pass.sh index a403e108082..a9abbdd307a 100644 --- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_removed.pass.sh +++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_removed.pass.sh @@ -3,6 +3,6 @@ {{{ bash_package_remove("xorg-x11-server-Xorg") }}} {{{ bash_package_remove("xorg-x11-server-utils") }}} {{{ bash_package_remove("xorg-x11-server-common") }}} -{{% if product not in ["rhel7", "ol7"] %}} +{{% if product not in ["ol7"] %}} {{{ bash_package_remove("xorg-x11-server-Xwayland") }}} {{% endif %}} diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml index fc3356a15bb..dac0c0b8dda 100644 --- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml +++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml 
@@ -22,7 +22,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27285-6 cce@rhel8: CCE-83380-6 cce@rhel9: CCE-84105-6 diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh index 33bb72648b7..e0bdca6be1f 100644 --- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh +++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh @@ -1,4 +1,4 @@ #!/bin/bash -# platform = Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_rhv,multi_platform_sle +# platform = Oracle Linux 8,multi_platform_fedora,multi_platform_rhv,multi_platform_rhel,multi_platform_sle systemctl set-default multi-user.target diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh index 24c31a0dc5c..9ec0cae9357 100644 --- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh +++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh @@ -1,4 +1,4 @@ #!/bin/bash -# platform = Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_rhv,multi_platform_sle +# platform = Oracle Linux 8,multi_platform_fedora,multi_platform_rhv,multi_platform_rhel,multi_platform_sle ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target 
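Review bot: Replacing `Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8` with `multi_platform_rhel` in correct_target.pass.sh does more than drop RHEL 7 — it opts the scenario into every RHEL product the build defines, which elsewhere in this commit includes rhel9 and rhel10, so these scenarios should be confirmed to pass there before merge; the same widening is in correct_target_under_lib.pass.sh, wrong_target.fail.sh, wrong_target_under_lib.fail.sh and in the dconf_gnome_login_banner_text test scripts further down. The four xwindows_runlevel_target headers also disagree on ordering: the pass scripts write `multi_platform_rhv,multi_platform_rhel`, the fail scripts `multi_platform_rhel,multi_platform_rhv`. One order across all four, e.g. `# platform = Oracle Linux 8,multi_platform_fedora,multi_platform_rhel,multi_platform_rhv,multi_platform_sle`, keeps the headers greppable.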
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh index 57c1de2de93..3df966d45bd 100644 --- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh +++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh @@ -1,4 +1,4 @@ #!/bin/bash -# platform = Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_rhv,multi_platform_sle +# platform = Oracle Linux 8,multi_platform_fedora,multi_platform_rhel,multi_platform_rhv,multi_platform_sle systemctl set-default graphical.target diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh index 83f849522a6..d3da2f1132d 100644 --- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh +++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh @@ -1,4 +1,4 @@ #!/bin/bash -# platform = Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_rhv,multi_platform_sle +# platform = Oracle Linux 8,multi_platform_fedora,multi_platform_rhel,multi_platform_rhv,multi_platform_sle ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml index 933d4c7efdc..d152f2cf405 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml 
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml @@ -95,7 +95,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82555-4 - cce@rhel7: CCE-27303-7 cce@rhel8: CCE-80763-6 cce@rhel9: CCE-83557-9 cce@sle12: CCE-83054-7 @@ -120,7 +119,6 @@ references: srg: SRG-OS-000023-GPOS-00006,SRG-OS-000228-GPOS-00088 stigid@ol7: OL07-00-010050 stigid@ol8: OL08-00-010060 - stigid@rhel7: RHEL-07-010050 stigid@rhel8: RHEL-08-010060 stigid@sle12: SLES-12-010030 stigid@sle15: SLES-15-010020 diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml index b420a03b002..4fe0d2ab77c 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml @@ -48,7 +48,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86146-8 cce@rhel8: CCE-86147-6 cce@rhel9: CCE-86148-4 cce@sle12: CCE-92228-6 diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml index 3992fc2eda3..9b5a4897cef 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml @@ -48,7 +48,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-83394-7 cce@rhel8: CCE-83496-0 cce@rhel9: CCE-83559-5 cce@sle12: CCE-92227-8 diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml index 3f311fffed7..7999ddb35ec 100644 --- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml 
@@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-83707-0 cce@rhel8: CCE-83708-8 cce@rhel9: CCE-86699-6 cce@sle12: CCE-92233-6 diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml index 34a6edf1bdb..a180a1bc3ce 100644 --- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86050-2 cce@rhel8: CCE-86051-0 cce@rhel9: CCE-86052-8 cce@sle12: CCE-92236-9 diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml index d6c18243451..c24b3157971 100644 --- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-83727-8 cce@rhel8: CCE-83728-6 cce@rhel9: CCE-86697-0 cce@sle12: CCE-92230-2 diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml index 58d6157ad82..c612bf5827f 100644 --- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-83717-9 cce@rhel8: CCE-83718-7 cce@rhel9: CCE-86700-2 cce@sle12: CCE-92234-4 
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml index c1a771b5fe2..39c0ff61d4b 100644 --- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86053-6 cce@rhel8: CCE-86054-4 cce@rhel9: CCE-86057-7 cce@sle12: CCE-92237-7 diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml index d16b70e0aa3..56455b5bcd0 100644 --- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-83737-7 cce@rhel8: CCE-83738-5 cce@rhel9: CCE-86698-8 cce@sle12: CCE-92231-0 diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml index ae15f437543..92dadaafbcc 100644 --- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-83347-5 cce@rhel8: CCE-83348-3 cce@rhel9: CCE-83551-2 cce@sle12: CCE-92232-8 diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml index a2a284ce24d..1b9adb8c6ce 100644 --- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml 
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86058-5 cce@rhel8: CCE-86047-8 cce@rhel9: CCE-86048-6 cce@sle12: CCE-92235-1 diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml index 30a026dfc24..c9a2f307893 100644 --- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-83337-6 cce@rhel8: CCE-83338-4 cce@rhel9: CCE-83554-6 cce@sle12: CCE-92229-4 diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml index 84a4a03485a..2fd01f71f07 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml @@ -30,7 +30,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-26970-4 cce@rhel8: CCE-80768-5 cce@rhel9: CCE-87599-7 cce@sle12: CCE-83005-9 @@ -54,7 +53,6 @@ references: srg: SRG-OS-000023-GPOS-00006,SRG-OS-000228-GPOS-00088 stigid@ol7: OL07-00-010030 stigid@ol8: OL08-00-010049 - stigid@rhel7: RHEL-07-010030 stigid@rhel8: RHEL-08-010049 stigid@sle12: SLES-12-010040 stigid@sle15: SLES-15-010080 diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml index c4653647ca7..3acfead8148 100644 
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml @@ -34,7 +34,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-26892-0 cce@rhel8: CCE-80770-1 cce@rhel9: CCE-86529-5 cce@sle12: CCE-83007-5 @@ -58,7 +57,6 @@ references: srg: SRG-OS-000023-GPOS-00006,SRG-OS-000228-GPOS-00088 stigid@ol7: OL07-00-010040 stigid@ol8: OL08-00-010050 - stigid@rhel7: RHEL-07-010040 stigid@rhel8: RHEL-08-010050 stigid@sle12: SLES-12-010050 stigid@sle15: SLES-15-010090 diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh index fd8e2c1575e..1b2e46eff9b 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 +# platform = Oracle Linux 7,Oracle Linux 8,multi_platform_rhel # profiles = xccdf_org.ssgproject.content_profile_ncp # packages = dconf,gdm diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh index 2f9826489ea..a3e7ebc0e55 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh 
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 +# platform = Oracle Linux 7,Oracle Linux 8,multi_platform_rhel # profiles = xccdf_org.ssgproject.content_profile_stig # packages = dconf,gdm diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh index 555e05c311b..4af47e3e0fd 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 +# platform = Oracle Linux 7,Oracle Linux 8,multi_platform_rhel # profiles = xccdf_org.ssgproject.content_profile_stig # packages = dconf,gdm diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh index a9def9bfb3f..e1abf408e1e 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh 
@@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 +# platform = Oracle Linux 7,Oracle Linux 8,multi_platform_rhel # profiles = xccdf_org.ssgproject.content_profile_stig # packages = dconf,gdm diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh index 1c493c6c144..38b8ee45b0a 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 # profiles = xccdf_org.ssgproject.content_profile_ncp # packages = dconf,gdm diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh index 8d19f537fb4..785f8f9538d 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 # profiles = xccdf_org.ssgproject.content_profile_ncp # packages = dconf,gdm diff --git a/linux_os/guide/system/accounts/accounts-pam/disallow_bypass_password_sudo/rule.yml b/linux_os/guide/system/accounts/accounts-pam/disallow_bypass_password_sudo/rule.yml index 2c5fbef58f3..1a106722205 100644 
--- a/linux_os/guide/system/accounts/accounts-pam/disallow_bypass_password_sudo/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/disallow_bypass_password_sudo/rule.yml @@ -17,7 +17,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86408-2 cce@rhel8: CCE-86319-1 cce@rhel9: CCE-85967-8 cce@sle12: CCE-83250-1 @@ -29,7 +28,6 @@ references: srg: SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157,SRG-OS-000373-GPOS-00158 stigid@ol7: OL07-00-010344 stigid@ol8: OL08-00-010385 - stigid@rhel7: RHEL-07-010344 stigid@rhel8: RHEL-08-010385 stigid@sle12: SLES-12-010114 stigid@sle15: SLES-15-020104 diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml index d897045e3b9..3116cd23335 100644 --- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml @@ -32,7 +32,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-27275-7 cce@rhel8: CCE-80788-3 cce@rhel9: CCE-83560-3 cce@sle12: CCE-83149-5 @@ -53,7 +52,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040530 stigid@ol8: OL08-00-020340 - stigid@rhel7: RHEL-07-040530 stigid@rhel8: RHEL-08-020340 stigid@sle12: SLES-12-010390 stigid@sle15: SLES-15-020080 diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/commented_line.fail.sh b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/commented_line.fail.sh index d652af8c0bb..565664230a8 100644 --- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/commented_line.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/commented_line.fail.sh 
@@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_sle,multi_platform_ubuntu,Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = multi_platform_sle,multi_platform_ubuntu,Oracle Linux 7 {{%- if "sle" in product or "ubuntu" in product %}} {{% set pam_lastlog_path = "/etc/pam.d/login" %}} diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/no_space_before_showfailed.fail.sh b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/no_space_before_showfailed.fail.sh index e2147164338..ae52dc89c56 100644 --- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/no_space_before_showfailed.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/no_space_before_showfailed.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_sle,multi_platform_ubuntu,Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = multi_platform_sle,multi_platform_ubuntu,Oracle Linux 7 {{%- if "sle" in product or "ubuntu" in product %}} {{% set pam_lastlog_path = "/etc/pam.d/login" %}} diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/silent_present.fail.sh b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/silent_present.fail.sh index 9609f879164..b9b3f6f9030 100644 --- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/silent_present.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/silent_present.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_sle,multi_platform_ubuntu,Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = multi_platform_sle,multi_platform_ubuntu,Oracle Linux 7 {{%- if "sle" in product or "ubuntu" in product %}} {{% set pam_lastlog_path = "/etc/pam.d/login" %}} 
diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/wrong_value.fail.sh index 34e1045a90e..5b2d97286f9 100644 --- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/wrong_value.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_sle,multi_platform_ubuntu,Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = multi_platform_sle,multi_platform_ubuntu,Oracle Linux 7 {{%- if "sle" in product or "ubuntu" in product %}} {{% set pam_lastlog_path = "/etc/pam.d/login" %}} diff --git a/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/ansible/shared.yml index 7144a4e5291..3b6df64d6b5 100644 --- a/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_sle +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/bash/shared.sh index 9c752e0526d..28062890db6 100644 --- a/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/bash/shared.sh 
@@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_sle +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle if ! grep -Eq '^\s*session\s+required\s+pam_namespace.so\s*$' '/etc/pam.d/login' ; then echo "session required pam_namespace.so" >> "/etc/pam.d/login" fi diff --git a/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/rule.yml b/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/rule.yml index 2fdad01aecc..ff132b1bf94 100644 --- a/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/rule.yml @@ -18,7 +18,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-83743-5 cce@rhel8: CCE-83744-3 cce@sle12: CCE-91505-8 cce@sle15: CCE-91196-6 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml index 20835ee9b59..38cd8be407f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml @@ -7,7 +7,7 @@ description: |- Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_pwhistory PAM module.
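Review bot: The new platform line `multi_platform_rhel` extends this remediation to RHEL 9 and 10, which the old explicit `Red Hat Enterprise Linux 8` entry excluded; the rule's identifiers in the following hunk carry only a `cce@rhel8` entry for RHEL after the change, so the widening looks incidental to the RHEL 7 removal rather than deliberate. If only RHEL 7 should go, `# platform = multi_platform_fedora,multi_platform_ol,Red Hat Enterprise Linux 8,multi_platform_sle` preserves the prior scope; the Ansible sibling in the previous hunk has the same change and should stay in step with this one. If RHEL 9/10 are intended, a matching identifier or a note in the rule would make that visible.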

- {{% if product in ["ol7", "rhel7"] %}} + {{% if product in ["ol7"] %}} In the file /etc/pam.d/password-auth, make sure the parameter remember is present and it has a value equal to or greater than {{{ xccdf_value("var_password_pam_remember") }}} @@ -36,7 +36,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-83476-2 cce@rhel8: CCE-83478-8 cce@rhel9: CCE-86354-8 @@ -56,7 +55,6 @@ references: srg: SRG-OS-000077-GPOS-00045 stigid@ol7: OL07-00-010270 stigid@ol8: OL08-00-020220 - stigid@rhel7: RHEL-07-010270 stigid@rhel8: RHEL-08-020220 ocil_clause: |- @@ -74,7 +72,7 @@ ocil: |-
$ grep pam_pwhistory.so /etc/pam.d/password-auth
     password {{{ xccdf_value("var_password_pam_remember_control_flag") }}} pam_pwhistory.so use_authtok remember={{{ xccdf_value("var_password_pam_remember") }}}
- {{% if product not in ["ol7", "rhel7"] %}} + {{% if product not in ["ol7"] %}} Verify the "/etc/security/pwhistory.conf" file using the following command:
$ grep remember /etc/security/pwhistory.conf
@@ -87,7 +85,7 @@ fixtext: |-
     Configure the {{{ full_name }}} system-auth file to use "pam_pwhistory.so" module and prohibit
     password reuse for a minimum of {{{ xccdf_value("var_password_pam_remember") }}} generations.
 
-    {{% if product in ["ol7", "rhel7"] %}}
+    {{% if product in ["ol7"] %}}
     Add the following line in "/etc/pam.d/password-auth" (or modify the line to have the required value):
     
password {{{ xccdf_value("var_password_pam_remember_control_flag") }}} pam_pwhistory.so use_authtok remember={{{ xccdf_value("var_password_pam_remember") }}} retry=3
{{% else %}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/argument_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/argument_missing.fail.sh index 1e68c44591f..7262710aa84 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/argument_missing.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/argument_missing.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7, Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora +# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora # packages = pam config_file=/etc/pam.d/password-auth diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/correct_value.pass.sh index 3779eb829a4..ba9383b9482 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/correct_value.pass.sh 
@@ -1,6 +1,6 @@ #!/bin/bash # packages = pam -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora +# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=5 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/rhel7_correct_value_cis_l2.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/rhel7_correct_value_cis_l2.pass.sh index 2399061d930..88e3edeccc1 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/rhel7_correct_value_cis_l2.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/rhel7_correct_value_cis_l2.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = pam -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 # profiles = xccdf_org.ssgproject.content_profile_cis remember_cnt=24 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/wrong_control.fail.sh index 41ab13055d5..30ce0fa19f3 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/wrong_control.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/wrong_control.fail.sh 
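Review bot: The scenario file keeps the name `rhel7_correct_value_cis_l2.pass.sh` while its platform line now reads `Oracle Linux 7` only, so the name no longer says which product it exercises and will read as a leftover once RHEL 7 is gone. Renaming it to `ol7_correct_value_cis_l2.pass.sh` (and its system_auth twin further down) keeps the test set self-describing. The scenario body and `remember_cnt=24` are unchanged by this hunk.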
@@ -1,6 +1,6 @@ #!/bin/bash # packages = pam -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora +# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=5 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/wrong_value.fail.sh index 583e49937ef..f49be032474 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/wrong_value.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = pam -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora +# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=3 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml index 83841d1421d..0d1763a2ad5 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml 
@@ -7,7 +7,7 @@ description: |- Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_pwhistory PAM module.

- {{% if product in ["ol7", "rhel7"] %}} + {{% if product in ["ol7"] %}} In the file /etc/pam.d/system-auth, make sure the parameter remember is present and it has a value equal to or greater than {{{ xccdf_value("var_password_pam_remember") }}} @@ -36,7 +36,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-83479-6 cce@rhel8: CCE-83480-4 cce@rhel9: CCE-89176-2 @@ -56,7 +55,6 @@ references: srg: SRG-OS-000077-GPOS-00045 stigid@ol7: OL07-00-010270 stigid@ol8: OL08-00-020221 - stigid@rhel7: RHEL-07-010270 stigid@rhel8: RHEL-08-020221 ocil_clause: |- @@ -74,7 +72,7 @@ ocil: |-
$ grep pam_pwhistory.so /etc/pam.d/system-auth
     password {{{ xccdf_value("var_password_pam_remember_control_flag") }}} pam_pwhistory.so use_authtok remember={{{ xccdf_value("var_password_pam_remember") }}}
- {{% if product not in ["ol7", "rhel7"] %}} + {{% if product not in ["ol7"] %}} Verify the "/etc/security/pwhistory.conf" file using the following command:
$ grep remember /etc/security/pwhistory.conf
@@ -87,7 +85,7 @@ fixtext: |-
     Configure the {{{ full_name }}} system-auth file to use "pam_pwhistory.so" module and prohibit
     password reuse for a minimum of {{{ xccdf_value("var_password_pam_remember") }}} generations.
 
-    {{% if product in ["ol7", "rhel7"] %}}
+    {{% if product in ["ol7"] %}}
     Add the following line in "/etc/pam.d/system-auth" (or modify the line to have the required value):
     
password {{{ xccdf_value("var_password_pam_remember_control_flag") }}} pam_pwhistory.so use_authtok remember={{{ xccdf_value("var_password_pam_remember") }}} retry=3
{{% else %}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/argument_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/argument_missing.fail.sh index 9e10245984d..fd2b6f76532 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/argument_missing.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/argument_missing.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora +# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora # packages = pam config_file=/etc/pam.d/system-auth diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/correct_value.pass.sh index c9f0c52b054..7114616941d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/correct_value.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = pam -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora +# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=5 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/rhel7_correct_value_cis_l2.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/rhel7_correct_value_cis_l2.pass.sh index 357313caa27..833e9fd5915 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/rhel7_correct_value_cis_l2.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/rhel7_correct_value_cis_l2.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = pam -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 # profiles = xccdf_org.ssgproject.content_profile_cis remember_cnt=24 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/wrong_control.fail.sh index 447d0896bdd..6d06e51e6e2 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/wrong_control.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/wrong_control.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = pam -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora +# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=5 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/wrong_value.fail.sh index 94432b6cc4a..358999ac422 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/wrong_value.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = pam -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora +# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=3 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml index 99fb2b5abfa..4c1e45efb02 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml @@ -20,7 +20,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-82030-8 cce@rhel8: CCE-80666-1 cce@rhel9: CCE-83584-3 cce@sle12: CCE-92217-9 @@ -53,7 +52,7 @@ ocil: |- The output should show the following at the end of the line:
remember={{{ xccdf_value("var_password_pam_unix_remember") }}}
- {{% if product not in ["ol7", "rhel7"] %}} + {{% if product not in ["ol7"] %}} In newer systems, the pam_pwhistory PAM module options can also be set in "/etc/security/pwhistory.conf" file. Use the following command to verify:
$ grep remember /etc/security/pwhistory.conf
@@ -75,7 +74,7 @@ fixtext: |-
     
password requisite pam_pwhistory.so ...existing_options... remember={{{ xccdf_value("var_password_pam_unix_remember") }}}
- {{% if product not in ["ol7", "rhel7"] %}} + {{% if product not in ["ol7"] %}} If the pam_pwhistory.so module is used and the /etc/security/pwhistory.conf file is present in the system, use it to set the "remember" option:
remember = {{{ xccdf_value("var_password_pam_remember") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/argument_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/argument_missing.fail.sh index 7ac0e0b74d5..a2b834282ff 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/argument_missing.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/argument_missing.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_sle +# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_sle {{% if product in [ "sle12", "sle15" ] %}} for auth_file in common-password password-auth; do diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/correct_value.pass.sh index 782241681c2..718e601ba7b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/correct_value.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_sle +# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_sle # variables = var_password_pam_unix_remember=5 remember_cnt=5 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/wrong_value.fail.sh index b358dedb6f6..70facde801c 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/wrong_value.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_sle +# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_sle # variables = var_password_pam_unix_remember=5 remember_cnt=3 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml index dd724d1625d..dfef7e94f66 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml 
@@ -8,17 +8,10 @@ description: |- using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. - {{% if product in ["rhel7"] %}} - Ensure that pam_faillock.so module entries in - /etc/pam.d/password-auth and /etc/pam.d/system-auth are - followed by the assignment deny=<count> where count should be less than or equal to - {{{xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} and greater than 0. - {{% else %}} Ensure that the file /etc/security/faillock.conf contains the following entry: deny = <count> Where count should be less than or equal to {{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} and greater than 0. - {{% endif %}} {{% if 'ubuntu' not in product and 'debian' not in product %}} In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, @@ -33,7 +26,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27350-8 cce@rhel8: CCE-80667-9 cce@rhel9: CCE-83587-6 cce@sle15: CCE-85842-3 @@ -56,7 +48,6 @@ references: srg: SRG-OS-000329-GPOS-00128,SRG-OS-000021-GPOS-00005 stigid@ol7: OL07-00-010320 stigid@ol8: OL08-00-020010,OL08-00-020011 - stigid@rhel7: RHEL-07-010320 stigid@rhel8: RHEL-08-020011 stigid@ubuntu2004: UBTU-20-010072 stigid@ubuntu2204: UBTU-22-411045 @@ -71,51 +62,17 @@ ocil: |- Verify {{{ full_name }}} is configured to lock an account after {{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unsuccessful logon attempts with the command: - {{% if product in ["rhel7"] %}} -
$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
- For each file, the output should show deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}}. - {{% else %}}
$ grep 'deny =' /etc/security/faillock.conf
deny = {{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}}. - {{% endif %}} fixtext: |- Configure {{{ full_name }}} to lock an account when {{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unsuccessful logon attempts occur. First enable the feature using the following command: - {{% if product in ["rhel7"] %}} - $ sudo authconfig --enablefaillock --update - - Then modify the content of both /etc/pam.d/system-auth and - /etc/pam.d/password-auth as follows: - edit the deny parameter in the following line before the pam_unix.so - statement in the auth section, like this: -
auth required pam_faillock.so preauth silent deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
- - edit the deny parameter in the following line after the pam_unix.so - statement in the auth section, like this: -
auth required pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
- {{% elif 'ubuntu' in product or 'debian' in product %}} - Edit /etc/pam.d/common-auth and ensure that faillock is configured. - The pam_faillock.so lines surround the pam_unix.so line. The comment - "Added to enable faillock" is shown to highlight the additional lines - and their order in the file. -
auth required pam_faillock.so preauth # Added to enable faillock
-         auth [success=1 default=ignore] pam_unix.so nullok
-         auth [default=die] pam_faillock.so authfail # Added to enable faillock
-         auth sufficient pam_faillock.so authsucc # Added to enable faillock
-    
- Edit /etc/pam.d/common-account and ensure that the following stanza - is at the end of the file. -
account required pam_faillock.so
- Then edit the /etc/security/faillock.conf file as follows: - deny = {{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} - {{% else %}} $ sudo authselect enable-feature with-faillock Then edit the /etc/security/faillock.conf file as follows: deny = {{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} - {{% endif %}} warnings: - general: |- diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_disabled.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_disabled.fail.sh index 579e5670ea1..67c1b593bdb 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_disabled.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_disabled.fail.sh @@ -1,10 +1,6 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle -{{%- if product in ["rhel7"] %}} -# packages = authconfig -{{%- else %}} # packages = authselect -{{%- endif %}} # variables = var_accounts_passwords_pam_faillock_deny=3 if [ -f /usr/sbin/authconfig ]; then diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_pam_files.pass.sh index 24936609706..bbf97fa2ac0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_pam_files.pass.sh 
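Review bot: The removed span takes out not only the `rhel7` branch but also the `{{% elif 'ubuntu' in product or 'debian' in product %}}` branch of `fixtext`, so Ubuntu and Debian — still referenced by the `stigid@ubuntu2004`/`stigid@ubuntu2204` entries and by the `'ubuntu' not in product` check kept in the description — now receive `$ sudo authselect enable-feature with-faillock`, an authselect instruction those products presumably cannot follow. Unless the Ubuntu text was moved to a product-level override elsewhere in this change, restore the elif branch with its common-auth/common-account stanzas and the faillock.conf edit, and limit the removal to the `rhel7` branch together with its `{{% if %}}`/`{{% else %}}` wrapper. The `ocil` simplification in the same hunk is fine as written, since every remaining product is checked against `/etc/security/faillock.conf`.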
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_pam_files.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authconfig -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora +# platform = Oracle Linux 7,multi_platform_fedora # variables = var_accounts_passwords_pam_faillock_deny=3 authconfig --enablefaillock --faillockargs="deny=3" --update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_pam_files.fail.sh index 34405f59422..cb1ca930499 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_pam_files.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_pam_files.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authconfig -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora +# platform = Oracle Linux 7,multi_platform_fedora # variables = var_accounts_passwords_pam_faillock_deny=3 authconfig --enablefaillock --faillockargs="deny=5" --update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh index dbc12db6b9f..51d94b3333b 100644 
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authconfig -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora +# platform = Oracle Linux 7,multi_platform_fedora # remediation = none # variables = var_accounts_passwords_pam_faillock_deny=3 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_not_required_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_not_required_pam_files.fail.sh index b780f320362..e3ec96da080 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_not_required_pam_files.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_not_required_pam_files.fail.sh @@ -1,11 +1,7 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle -{{%- if product in ["rhel7"] %}} -# packages = authconfig -{{%- else %}} # packages = authselect # remediation = none -{{%- endif %}} # variables = var_accounts_passwords_pam_faillock_deny=3 # This test scenario manually modify the pam_faillock.so entries in auth section from 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_pam_files.pass.sh index 03f93edaa4f..54729a3144b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_pam_files.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_pam_files.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authconfig -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora +# platform = Oracle Linux 7,multi_platform_fedora # variables = var_accounts_passwords_pam_faillock_deny=3 authconfig --enablefaillock --faillockargs="deny=2" --update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml index b744f39bef0..895c11c1ab9 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml @@ -20,7 +20,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80353-6 cce@rhel8: CCE-80668-7 cce@rhel9: CCE-83589-2 cce@sle12: CCE-91468-9 @@ -40,7 +39,6 @@ references: srg: SRG-OS-000329-GPOS-00128,SRG-OS-000021-GPOS-00005 stigid@ol7: OL07-00-010330 stigid@ol8: OL08-00-020022,OL08-00-020023 - stigid@rhel7: RHEL-07-010330 stigid@rhel8: RHEL-08-020023 {{% if product == "rhel8" %}} 
@@ -53,37 +51,20 @@ ocil: |- Verify {{{ full_name }}} is configured to lock the root account after {{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unsuccessful logon attempts with the command: - {{% if product in ["rhel7"] %}} -
$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
- For each file, the output should contain even_deny_root. - {{% else %}}
$ grep even_deny_root /etc/security/faillock.conf
even_deny_root - {{% endif %}} + fixtext: |- Configure {{{ full_name }}} to lock out the root account after a number of incorrect login attempts using pam_faillock.so, first enable the feature using the following command: - {{% if product in ["rhel7"] %}} - $ sudo authconfig --enablefaillock --update - - Then modify the content of both /etc/pam.d/system-auth and - /etc/pam.d/password-auth as follows: - include the even_deny_root parameter in the following line before the pam_unix.so - statement in the auth section, like this: -
auth required pam_faillock.so preauth silent deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}} even_deny_root
- - include the even_deny_root parameter in the following line after the pam_unix.so - statement in the auth section, like this: -
auth required pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}} even_deny_root
- {{% else %}} $ sudo authselect enable-feature with-faillock Then edit the /etc/security/faillock.conf file as follows: add or uncomment the following line:
even_deny_root
- {{% endif %}} + platform: package[pam] diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_disabled.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_disabled.fail.sh index cab25d7aeb7..ff59a9dd993 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_disabled.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_disabled.fail.sh @@ -1,9 +1,6 @@ #!/bin/bash -{{%- if product in ["rhel7"] %}} -# packages = authconfig -{{%- else %}} # packages = authselect -{{%- endif %}} + if [ -f /usr/sbin/authconfig ]; then authconfig --disablefaillock --update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_expected_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_expected_pam_files.pass.sh index 101cd67cb90..a58ae82377d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_expected_pam_files.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_expected_pam_files.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash # packages = authconfig -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora +# platform = Oracle Linux 7,multi_platform_fedora authconfig --enablefaillock --faillockargs="even_deny_root" --update 
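Review bot: The OCIL check kept on the new side, `$ grep even_deny_root /etc/security/faillock.conf`, also matches a commented-out `# even_deny_root` line, and the fixtext in the same hunk says to "add or uncomment" it, so a file that still has the option commented would presumably appear to pass the manual check. Anchoring the pattern, `$ grep '^\s*even_deny_root' /etc/security/faillock.conf`, would exclude comments. The `grep fail_interval` and `grep 'unlock_time ='` commands in the interval and unlock_time rule.yml OCIL hunks below have the same gap.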
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh index 4ae483a2931..5aa61d4f4a9 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authconfig -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora +# platform = Oracle Linux 7,multi_platform_fedora # remediation = none authconfig --enablefaillock --faillockargs="even_deny_root" --update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_not_required_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_not_required_pam_files.fail.sh index a43de72f15b..c4558acd76c 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_not_required_pam_files.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_not_required_pam_files.fail.sh @@ -1,9 +1,5 @@ #!/bin/bash -{{%- if product in ["rhel7"] %}} -# packages = authconfig -{{%- else %}} # packages = authselect -{{%- endif %}} # remediation = none # This test scenario manually modify the pam_faillock.so entries in auth section from 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml index 7d785f2d9a3..cd097042857 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml @@ -7,16 +7,10 @@ description: |- Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period. - {{% if product in ["rhel7"] %}} - Ensure that pam_faillock.so module entries in - /etc/pam.d/password-auth and /etc/pam.d/system-auth are - followed by the assignment - fail_interval=<interval-in-seconds> where - interval-in-seconds is {{{xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}} or greater. - {{% else %}} + Ensure that the file /etc/security/faillock.conf contains the following entry: fail_interval = <interval-in-seconds> where interval-in-seconds is {{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}} or greater. - {{% endif %}} + {{% if 'ubuntu' not in product and 'debian' not in product %}} In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, @@ -31,7 +25,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27297-1 cce@rhel8: CCE-80669-5 cce@rhel9: CCE-83583-5 cce@sle15: CCE-91169-3 
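Review bot: With the pam.d branch removed, the description now names a single file (/etc/security/faillock.conf), yet the retained sentence that closes the hunk still says "when manually editing these files" and recommends "authselect or authconfig"; the authconfig-based scenarios on this page configure pam_faillock through `--faillockargs` rather than faillock.conf, so the recommendation no longer matches the instructions above it. Suggest `In order to avoid errors when manually editing this file, it is recommended to use the appropriate tools, such as authselect,`. The sentence continues outside the hunk, so its remainder needs the same adjustment.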
@@ -51,7 +44,6 @@ references: srg: SRG-OS-000329-GPOS-00128,SRG-OS-000021-GPOS-00005 stigid@ol7: OL07-00-010320 stigid@ol8: OL08-00-020012,OL08-00-020013 - stigid@rhel7: RHEL-07-010320 stigid@rhel8: RHEL-08-020012,RHEL-08-020013 stigid@ubuntu2004: UBTU-20-010072 stigid@ubuntu2204: UBTU-22-411045 @@ -64,37 +56,21 @@ ocil_clause: |- ocil: |- To ensure the failed password attempt policy is configured correctly, run the following command: - {{% if product in ["rhel7"] %}} -
$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
- For each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is {{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}} or greater. - {{% else %}} +
$ grep fail_interval /etc/security/faillock.conf
The output should show fail_interval = <interval-in-seconds> where interval-in-seconds is {{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}} or greater. - {{% endif %}} + fixtext: |- Configure {{{ full_name }}} to lock out an account after a number of incorrect login attempts within 15 minutes using pam_faillock.so. First enable the feature using the following command: - {{% if product in ["rhel7"] %}} - $ sudo authconfig --enablefaillock --update - - Then modify the content of both /etc/pam.d/system-auth and - /etc/pam.d/password-auth as follows: - edit the fail_interval parameter in the following line before the pam_unix.so - statement in the auth section, like this: -
auth required pam_faillock.so preauth silent deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
- - edit the deny parameter in the following line after the pam_unix.so - statement in the auth section, like this: -
auth required pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
- {{% else %}} $ sudo authselect enable-feature with-faillock Then edit the /etc/security/faillock.conf file as follows:
fail_interval = {{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
- {{% endif %}} + checktext: |- Verify {{{ full_name }}} locks an account after {{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_disabled.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_disabled.fail.sh index 59daba0dd88..9d4320fbb4e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_disabled.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_disabled.fail.sh @@ -1,10 +1,6 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle -{{%- if product in ["rhel7"] %}} -# packages = authconfig -{{%- else %}} # packages = authselect -{{%- endif %}} # variables = var_accounts_passwords_pam_faillock_fail_interval=900 if [ -f /usr/sbin/authconfig ]; then diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_pam_files.pass.sh index 2b371999dda..552078405cc 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_pam_files.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_pam_files.pass.sh 
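Review bot: The fixtext kept on the new side still opens with "lock out an account after a number of incorrect login attempts within 15 minutes", a hard-coded interval, while the line it tells the reader to add is templated as `fail_interval = {{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}`; the prose and the configured value diverge as soon as the variable is not 900. Consider `within {{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}} seconds`. This predates the change, but the hunk rewrites the surrounding block.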
@@ -1,6 +1,6 @@ #!/bin/bash # packages = authconfig -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora +# platform = Oracle Linux 7,multi_platform_fedora # variables = var_accounts_passwords_pam_faillock_fail_interval=900 authconfig --enablefaillock --faillockargs="fail_interval=900" --update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_pam_files.fail.sh index 226d7272dbb..f1d331f5da1 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_pam_files.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_pam_files.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authconfig -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora +# platform = Oracle Linux 7,multi_platform_fedora # variables = var_accounts_passwords_pam_faillock_fail_interval=900 authconfig --enablefaillock --faillockargs="fail_interval=300" --update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh index 22e385c1067..eaf164272ad 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh 
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authconfig -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora +# platform = Oracle Linux 7,multi_platform_fedora # remediation = none # variables = var_accounts_passwords_pam_faillock_fail_interval=900 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_not_required_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_not_required_pam_files.fail.sh index 95ad6203709..30e04472962 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_not_required_pam_files.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_not_required_pam_files.fail.sh @@ -1,10 +1,6 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle -{{%- if product in ["rhel7"] %}} -# packages = authconfig -{{%- else %}} # packages = authselect -{{%- endif %}} # remediation = none # variables = var_accounts_passwords_pam_faillock_fail_interval=900 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_pam_files.pass.sh index d616f5ddd88..3697ba2b0d9 100644 
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_pam_files.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_pam_files.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authconfig -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora +# platform = Oracle Linux 7,multi_platform_fedora # variables = var_accounts_passwords_pam_faillock_fail_interval=900 authconfig --enablefaillock --faillockargs="fail_interval=1200" --update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml index e20bb698663..61007542de1 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml 
@@ -7,17 +7,9 @@ description: |- This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using pam_faillock.so. - {{% if product in ["rhel7"] %}} - Ensure that pam_faillock.so module entries in - /etc/pam.d/password-auth and /etc/pam.d/system-auth are - followed by the assignment - unlock_time=<interval-in-seconds> where - interval-in-seconds is {{{xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} or greater. - {{% else %}} Ensure that the file /etc/security/faillock.conf contains the following entry: unlock_time=<interval-in-seconds> where interval-in-seconds is {{{xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} or greater. - {{% endif %}} pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid any errors when manually editing these files, @@ -35,7 +27,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-26884-7 cce@rhel8: CCE-80670-3 cce@rhel9: CCE-83588-4 cce@sle15: CCE-85841-5 @@ -58,7 +49,6 @@ references: srg: SRG-OS-000329-GPOS-00128,SRG-OS-000021-GPOS-00005 stigid@ol7: OL07-00-010320 stigid@ol8: OL08-00-020014,OL08-00-020015 - stigid@rhel7: RHEL-07-010320 stigid@rhel8: RHEL-08-020014,RHEL-08-020015 stigid@ubuntu2004: UBTU-20-010072 stigid@ubuntu2204: UBTU-22-411045 @@ -74,38 +64,19 @@ ocil: |- after {{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unsuccessful logon attempts with the command: - {{% if product in ["rhel7"] %}} -
$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
- For each file, the output should show unlock_time=<interval-in-seconds> where interval-in-seconds is {{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} or greater. - {{% else %}}
$ grep 'unlock_time =' /etc/security/faillock.conf
unlock_time = {{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} - {{% endif %}} + fixtext: |- Configure {{{ full_name }}} to lock an account until released by an administrator after {{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unsuccessful logon attempts with the command: - {{% if product in ["rhel7"] %}} - First make sure the feature is enabled: - $ sudo authconfig --enablefaillock --update - - Then modify the content of both /etc/pam.d/system-auth and - /etc/pam.d/password-auth as follows: - edit the unlock_time parameter in the following line before the pam_unix.so - statement in the auth section, like this: -
auth required pam_faillock.so preauth silent deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
- - edit the deny parameter in the following line after the pam_unix.so - statement in the auth section, like this: -
auth required pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
- {{% else %}} $ sudo authselect enable-feature with-faillock Then edit the /etc/security/faillock.conf file as follows:
unlock_time = {{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}}
- {{% endif %}} srg_requirement: |- {{{ full_name }}} must maintain an account lock until the locked account is released by an administrator. diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_disabled.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_disabled.fail.sh index 1be527fa204..bfcc7d4a43c 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_disabled.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_disabled.fail.sh @@ -1,10 +1,6 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle -{{%- if product in ["rhel7"] %}} -# packages = authconfig -{{%- else %}} # packages = authselect -{{%- endif %}} # variables = var_accounts_passwords_pam_faillock_unlock_time=600 if [ -f /usr/sbin/authconfig ]; then diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_pam_files.pass.sh index 6e3d3070741..643f503f1ac 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_pam_files.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_pam_files.pass.sh 
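Review bot: Once the rhel7 branch is gone, the description hunk (`@@ -7,17 +7,9 @@`) tells the reader to look for `unlock_time=<interval-in-seconds>` with no spaces, while the OCIL in this hunk checks `$ grep 'unlock_time =' /etc/security/faillock.conf` and the fixtext writes `unlock_time = …`; a file written exactly as the description says would not be matched by the check. Align the description with the other two, `unlock_time = <interval-in-seconds>`, as the interval rule already does with `fail_interval = <interval-in-seconds>`, or loosen the grep to tolerate optional whitespace around `=`.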
@@ -1,6 +1,6 @@ #!/bin/bash # packages = authconfig -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora +# platform = Oracle Linux 7,multi_platform_fedora # variables = var_accounts_passwords_pam_faillock_unlock_time=600 authconfig --enablefaillock --faillockargs="unlock_time=600" --update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_pam_files.fail.sh index 01fefbd210e..a45ea873de1 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_pam_files.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_pam_files.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authconfig -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora +# platform = Oracle Linux 7,multi_platform_fedora # variables = var_accounts_passwords_pam_faillock_unlock_time=600 authconfig --enablefaillock --faillockargs="unlock_time=300" --update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh index a59ab09d300..d7d727671b4 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh 
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authconfig -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora +# platform = Oracle Linux 7,multi_platform_fedora # remediation = none # variables = var_accounts_passwords_pam_faillock_unlock_time=600 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_not_required_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_not_required_pam_files.fail.sh index e271e268980..eff1bd32c19 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_not_required_pam_files.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_not_required_pam_files.fail.sh @@ -1,10 +1,6 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle -{{%- if product in ["rhel7"] %}} -# packages = authconfig -{{%- else %}} # packages = authselect -{{%- endif %}} # remediation = none # variables = var_accounts_passwords_pam_faillock_unlock_time=600 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_pam_files.pass.sh index edc47ef1344..3db1d3acf87 100644 
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_pam_files.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_pam_files.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authconfig -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora +# platform = Oracle Linux 7,multi_platform_fedora # variables = var_accounts_passwords_pam_faillock_unlock_time=600 authconfig --enablefaillock --faillockargs="unlock_time=900" --update diff --git a/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml b/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml index 544f370e22c..7750d662acd 100644 --- a/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml @@ -20,7 +20,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86224-3 cce@rhel8: CCE-86225-0 cce@rhel9: CCE-86226-8 diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml index 1aca3efe64f..83b78658e2e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml @@ -25,7 +25,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27214-6 cce@rhel8: CCE-80653-9 cce@rhel9: CCE-83566-0 cce@sle12: CCE-92284-9 
@@ -48,7 +47,6 @@ references:
 srg: SRG-OS-000071-GPOS-00039
 stigid@ol7: OL07-00-010140
 stigid@ol8: OL08-00-020130
- stigid@rhel7: RHEL-07-010140
 stigid@rhel8: RHEL-08-020130
 stigid@ubuntu2004: UBTU-20-010052
 stigid@ubuntu2204: UBTU-22-611020
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
index 1f0b9b186d9..c5f05da7c8f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
@@ -21,7 +21,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-87158-2
 cce@rhel8: CCE-86233-4
 cce@rhel9: CCE-88413-0
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
index a615793c2c5..74a45fbdf41 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
@@ -29,7 +29,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82020-9
 cce@rhel8: CCE-80654-7
 cce@rhel9: CCE-83564-5
@@ -46,7 +45,6 @@ references:
 srg: SRG-OS-000072-GPOS-00040
 stigid@ol7: OL07-00-010160
 stigid@ol8: OL08-00-020170
- stigid@rhel7: RHEL-07-010160
 stigid@rhel8: RHEL-08-020170
 stigid@ubuntu2004: UBTU-20-010053
 stigid@ubuntu2204: UBTU-22-611040
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
index 9f4b51c3ba4..6bde0918a99 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
@@ -25,7 +25,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-27345-8
 cce@rhel8: CCE-80655-4
 cce@rhel9: CCE-83570-2
 cce@sle12: CCE-91477-0
@@ -48,7 +47,6 @@ references:
 srg: SRG-OS-000070-GPOS-00038
 stigid@ol7: OL07-00-010130
 stigid@ol8: OL08-00-020120
- stigid@rhel7: RHEL-07-010130
 stigid@rhel8: RHEL-08-020120
 stigid@ubuntu2004: UBTU-20-010051
 stigid@ubuntu2204: UBTU-22-611015
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
index 97e0e2da970..03c58431f4c 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
@@ -22,7 +22,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-27512-3
 cce@rhel8: CCE-81034-1
 cce@rhel9: CCE-83575-1
@@ -38,7 +37,6 @@ references:
 srg: SRG-OS-000072-GPOS-00040
 stigid@ol7: OL07-00-010190
 stigid@ol8: OL08-00-020140
- stigid@rhel7: RHEL-07-010190
 stigid@rhel8: RHEL-08-020140
 ocil_clause: the value of "maxclassrepeat" is set to "0", more than "{{{ xccdf_value("var_password_pam_maxclassrepeat") }}}" or is commented out
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
index b9967a53c2d..c6f3135ccf5 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
@@ -24,7 +24,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82055-5
 cce@rhel8: CCE-82066-2
 cce@rhel9: CCE-83567-8
@@ -40,7 +39,6 @@ references:
 srg: SRG-OS-000072-GPOS-00040
 stigid@ol7: OL07-00-010180
 stigid@ol8: OL08-00-020150
- stigid@rhel7: RHEL-07-010180
 stigid@rhel8: RHEL-08-020150
 ocil_clause: the value of "maxrepeat" is set to more than "{{{ xccdf_value("var_password_pam_maxrepeat") }}}" or is commented out
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
index aff25f1399f..0fd82b0e250 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
@@ -36,7 +36,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82045-6
 cce@rhel8: CCE-82046-4
 cce@rhel9: CCE-83563-7
@@ -55,7 +54,6 @@ references:
 srg: SRG-OS-000072-GPOS-00040
 stigid@ol7: OL07-00-010170
 stigid@ol8: OL08-00-020160
- stigid@rhel7: RHEL-07-010170
 stigid@rhel8: RHEL-08-020160
 ocil_clause: the value of "minclass" is set to less than "{{{ xccdf_value("var_password_pam_minclass") }}}" or is commented out
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
index 30512ca7e7b..ae11874218d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
@@ -22,7 +22,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-27293-0
 cce@rhel8: CCE-80656-2
 cce@rhel9: CCE-83579-3
 cce@sle12: CCE-92282-3
@@ -48,7 +47,6 @@ references:
 srg: SRG-OS-000078-GPOS-00046
 stigid@ol7: OL07-00-010280
 stigid@ol8: OL08-00-020230
- stigid@rhel7: RHEL-07-010280
 stigid@rhel8: RHEL-08-020230
 stigid@ubuntu2004: UBTU-20-010054
 stigid@ubuntu2204: UBTU-22-611035
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
index 129e683c9cb..54883aed8ba 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
@@ -27,7 +27,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-27360-7
 cce@rhel8: CCE-80663-8
 cce@rhel9: CCE-83565-2
 cce@sle12: CCE-92285-6
@@ -49,7 +48,6 @@ references:
 srg: SRG-OS-000266-GPOS-00101
 stigid@ol7: OL07-00-010150
 stigid@ol8: OL08-00-020280
- stigid@rhel7: RHEL-07-010150
 stigid@rhel8: RHEL-08-020280
 stigid@ubuntu2004: UBTU-20-010055
 stigid@ubuntu2204: UBTU-22-611025
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml
index aa2834ad996..3bd4daefd89 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-85876-1
 cce@rhel8: CCE-85877-9
 cce@rhel9: CCE-85878-7
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/correct_entry.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/correct_entry.pass.sh
index b2ce1573be5..7cb1a5496e0 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/correct_entry.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/correct_entry.pass.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = pam
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora
 config_file=/etc/pam.d/password-auth
 if [ $(grep -c "^\s*password.*requisite.*pam_pwquality\.so" $config_file) -eq 0 ]; then
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/missing_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/missing_entry.fail.sh
index dcd48d7535b..efb1fd2ef37 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/missing_entry.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/missing_entry.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora
 # packages = pam
 config_file=/etc/pam.d/password-auth
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/wrong_control.fail.sh
index dc2a7167f09..355ac6f4567 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/wrong_control.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/wrong_control.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora
 pam_file="/etc/pam.d/password-auth"
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml
index c66283c1812..914759c0d4f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-85874-6
 cce@rhel8: CCE-85872-0
 cce@rhel9: CCE-85873-8
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/correct_entry.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/correct_entry.pass.sh
index 52b74cb16e6..f287ca59f9b 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/correct_entry.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/correct_entry.pass.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = pam
-# platform = Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Red Hat Virtualization 4,multi_platform_fedora
 config_file=/etc/pam.d/password-auth
 if [ $(grep -c "^\s*password.*requisite.*pam_pwquality\.so" $config_file) -eq 0 ]; then
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/missing_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/missing_entry.fail.sh
index 3c8f6f79fe9..9455f1f7c11 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/missing_entry.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/missing_entry.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Red Hat Virtualization 4,multi_platform_fedora
 # packages = pam
 config_file=/etc/pam.d/system-auth
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/wrong_control.fail.sh
index 3092034c30b..5d503053a4b 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/wrong_control.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/wrong_control.fail.sh
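Review bot: The pass test `correct_entry.pass.sh` under `accounts_password_pam_pwquality_system_auth` still sets `config_file=/etc/pam.d/password-auth`, while the sibling `missing_entry.fail.sh` for the same rule in the next hunk uses `/etc/pam.d/system-auth`; the pass scenario therefore appears to prepare the wrong PAM stack for this rule, so a missing `pam_pwquality` line in system-auth would go untested. This is pre-existing rather than introduced by the platform change, but the hunk touches the header of this file and it looks like a copy from the `password_auth` sibling. Unless password-auth is intentional here, the context line should read `config_file=/etc/pam.d/system-auth`; the rest of the script continues outside the hunk.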
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
 pam_file="/etc/pam.d/system-auth"
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
index aa51339458f..1559bc510ca 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
@@ -28,7 +28,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-27160-1
 cce@rhel8: CCE-80664-6
 cce@rhel9: CCE-83569-4
@@ -48,7 +47,6 @@ references:
 srg: SRG-OS-000069-GPOS-00037,SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-010119
 stigid@ol8: OL08-00-020102,OL08-00-020103,OL08-00-020104
- stigid@rhel7: RHEL-07-010119
 stigid@rhel8: RHEL-08-020104
 stigid@ubuntu2004: UBTU-20-010057
 stigid@ubuntu2204: UBTU-22-611045
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/correct_value.pass.sh
index ec1efd35cea..51e4ad0062d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/correct_value.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/correct_value.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu
 # variables = var_password_pam_retry=3
 source common.sh
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/wrong_value.fail.sh
index 82b129b06d1..5d2d908e8ac 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/wrong_value.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/wrong_value.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu
 # variables = var_password_pam_retry=3
 source common.sh
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
index eddf5c0222b..816f6a6a3c2 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
@@ -22,7 +22,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-27200-5
 cce@rhel8: CCE-80665-3
 cce@rhel9: CCE-83568-6
 cce@sle12: CCE-92283-1
@@ -45,7 +44,6 @@ references:
 srg: SRG-OS-000069-GPOS-00037,SRG-OS-000070-GPOS-00038
 stigid@ol7: OL07-00-010120
 stigid@ol8: OL08-00-020110
- stigid@rhel7: RHEL-07-010120
 stigid@rhel8: RHEL-08-020110
 stigid@ubuntu2004: UBTU-20-010050
 stigid@ubuntu2204: UBTU-22-611010
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml
index 06a863378f3..685afd44ee8 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml
@@ -25,7 +25,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82038-1
 cce@rhel8: CCE-80891-5
 cce@rhel9: CCE-88865-1
 cce@sle12: CCE-92220-3
@@ -46,7 +45,6 @@ references:
 pcidss: Req-8.2.1
 srg: SRG-OS-000073-GPOS-00041
 stigid@ol7: OL07-00-010220
- stigid@rhel7: RHEL-07-010220
 ocil_clause: crypt_style is not set to sha512
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
index 355df7fb0f7..b36ac37db72 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82050-6
 cce@rhel8: CCE-80892-3
 cce@rhel9: CCE-90590-1
 cce@sle12: CCE-83029-9
@@ -43,7 +42,6 @@ references:
 srg: SRG-OS-000073-GPOS-00041
 stigid@ol7: OL07-00-010210
 stigid@ol8: OL08-00-010110
- stigid@rhel7: RHEL-07-010210
 stigid@rhel8: RHEL-08-010110
 stigid@sle12: SLES-12-010210
 stigid@sle15: SLES-15-010260
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
index 902998cf3bf..84ddcc1dbd8 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
@@ -35,7 +35,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-85943-9
 cce@rhel8: CCE-85945-4
 cce@rhel9: CCE-85946-2
@@ -55,7 +54,6 @@ references:
 srg: SRG-OS-000073-GPOS-00041,SRG-OS-000120-GPOS-00061
 stigid@ol7: OL07-00-010200
 stigid@ol8: OL08-00-010160
- stigid@rhel7: RHEL-07-010200
 stigid@rhel8: RHEL-08-010160
 ocil_clause: 'it does not'
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh
index c7306fe9fbc..a81d4e13cae 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora
 pam_file="/etc/pam.d/password-auth"
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh
index 379bee3924c..10012dbbc93 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora
 sed -i --follow-symlinks '/^password.*sufficient.*pam_unix\.so/ s/sha512//g' "/etc/pam.d/password-auth"
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/wrong_control.fail.sh
index 417725c2eb5..1063dcf7d27 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/wrong_control.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/wrong_control.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora
 pam_file="/etc/pam.d/password-auth"
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
index e8485d66c5a..39e0f3cb773 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
@@ -3,9 +3,6 @@
 {{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.") }}}
- {{%- if product == "rhel7" %}}
-
- {{%- endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
index c7842eda268..ac9ab0d67e9 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
@@ -45,7 +45,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82043-1
 cce@rhel8: CCE-80893-1
 cce@rhel9: CCE-83581-9
 cce@sle12: CCE-83184-2
@@ -67,7 +66,6 @@ references:
 srg: SRG-OS-000073-GPOS-00041,SRG-OS-000120-GPOS-00061
 stigid@ol7: OL07-00-010200
 stigid@ol8: OL08-00-010159
- stigid@rhel7: RHEL-07-010200
 stigid@rhel8: RHEL-08-010159
 stigid@sle12: SLES-12-010230
 stigid@sle15: SLES-15-020170
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
index 3638cb1918a..446d87f919b 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu
 {{% if 'ubuntu' in product %}}
 pam_file="/etc/pam.d/common-password"
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
index 1cc9da3985b..22ad6ec6158 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu
 {{% if 'ubuntu' in product %}}
 sed -i --follow-symlinks '/^\s*password.*pam_unix\.so/ s/sha512//g' "/etc/pam.d/common-password"
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_control.fail.sh
index 1e99a033e26..c740e5f9803 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_control.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_control.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora
 pam_file="/etc/pam.d/system-auth"
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
index beb9c695d63..35ad841ae43 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
@@ -50,7 +50,6 @@ severity: high
 identifiers:
 cce@rhcos4: CCE-82495-3
- cce@rhel7: CCE-80449-2
 cce@rhel8: CCE-80784-2
 cce@rhel9: CCE-90308-8
 cce@sle15: CCE-85665-8
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml
index 026b64da094..882592c5a13 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml
@@ -53,7 +53,6 @@ severity: high
 identifiers:
 cce@rhcos4: CCE-82493-8
- cce@rhel7: CCE-27511-5
 cce@rhel8: CCE-80785-9
 cce@rhel9: CCE-86667-3
 cce@sle12: CCE-83018-2
@@ -75,7 +74,6 @@ references:
 srg: SRG-OS-000324-GPOS-00125,SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-020230
 stigid@ol8: OL08-00-040170
- stigid@rhel7: RHEL-07-020230
 stigid@rhel8: RHEL-08-040170
 stigid@sle12: SLES-12-010610
 stigid@sle15: SLES-15-040060
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/masked.pass.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/masked.pass.sh
index df962ec25b5..f8c47e96acc 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/masked.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/masked.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
+# platform = Oracle Linux 7,Oracle Linux 8,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
 systemctl disable --now ctrl-alt-del.target
 systemctl mask --now ctrl-alt-del.target
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/not_masked.fail.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/not_masked.fail.sh
index faf4c11dcae..41eed973793 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/not_masked.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/not_masked.fail.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
+# platform = Oracle Linux 7,Oracle Linux 8,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
 systemctl unmask ctrl-alt-del.target
diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml
index 428cea61df1..6d5247f6fc7 100644
--- a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml
@@ -29,7 +29,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82551-3
- cce@rhel7: CCE-27335-9
 cce@rhel8: CCE-80826-1
 cce@rhel9: CCE-87114-5
 cce@sle15: CCE-91152-9
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
index 3366217dda3..946ba4cb0f1 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82185-0
 cce@rhel8: CCE-82186-8
 cce@rhel9: CCE-83592-6
 cce@sle12: CCE-92223-7
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/rhel7_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/rhel7_correct_value.pass.sh
index e123aadbb8e..cd776541f7b 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/rhel7_correct_value.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/rhel7_correct_value.pass.sh
@@ -1,6 +1,6 @@ #!/bin/bash # -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 service_file="/usr/lib/systemd/system/emergency.service" diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml index 225a73f0b8b..94e34a0f82d 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml @@ -11,8 +11,6 @@ regexp: "^#?ExecStart=" {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}} line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" - {{% elif product in ["rhel7"] %}} - line: 'ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' {{%- else -%}} line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' {{%- endif %}} diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/bash/shared.sh index e4624e58294..1d43e2d51dc 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/bash/shared.sh 
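Review bot: The scenario keeps the file name `rhel7_correct_value.pass.sh` while its header now reads `# platform = Oracle Linux 7` only, so the name no longer describes the platform it exercises; the same applies to the `rhel7_correct_value.pass.sh` scenario under `require_singleuser_auth/tests` further down. Renaming both to an OL7-based name (for example `ol7_correct_value.pass.sh`, or whatever the repository's convention for per-product scenarios is) would keep the test tree self-describing after the RHEL 7 removal. The test bodies themselves are untouched by this commit.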
@@ -2,10 +2,8 @@ service_file="/usr/lib/systemd/system/rescue.service" -{{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}} +{{% if product in ["fedora", "ol8", "ol9", "sle12", "sle15",] or 'rhel' in product -%}} sulogin="/usr/lib/systemd/systemd-sulogin-shell rescue" -{{%- elif product in ["rhel7"] -%}} -sulogin='/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' {{%- else -%}} sulogin='/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' {{%- endif %}} diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml index 121c8f619c6..582092ad081 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml @@ -20,7 +20,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82550-5 - cce@rhel7: CCE-27287-2 cce@rhel8: CCE-80855-0 cce@rhel9: CCE-83594-2 cce@sle12: CCE-92324-3 @@ -45,7 +44,6 @@ references: srg: SRG-OS-000080-GPOS-00048 stigid@ol7: OL07-00-010481 stigid@ol8: OL08-00-010151 - stigid@rhel7: RHEL-07-010481 stigid@rhel8: RHEL-08-010151 ocil_clause: 'the output is different' @@ -58,9 +56,6 @@ ocil: |- {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "rhcos4"] -%}} ExecStart and /usr/lib/systemd/systemd-sulogin-shell.
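Review bot: The new condition `{{% if product in ["fedora", "ol8", "ol9", "sle12", "sle15",] or 'rhel' in product -%}}` routes every RHEL product to `systemd-sulogin-shell`, but the Ansible remediation for the same rule in the preceding hunk (`ansible/shared.yml`) still tests `product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"]`, and the OCIL text in `rule.yml` below keeps `["fedora", "ol8", "ol9", "rhel8", "rhel9", "rhcos4"]`. A product such as rhel10, which the workflow changes in this commit build, would therefore get the `systemd-sulogin-shell rescue` line from bash but the `/sbin/sulogin` line from Ansible and from the check text, so the two remediations and the check would disagree. Either apply the same `or 'rhel' in product` clause in the other two templates or list the new product explicitly there. The trailing comma in `"sle15",]` is stray and should be dropped, and since `'rhel' in product` is a substring test it is worth confirming that no non-RHEL product identifier contains that substring.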
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
- {{%- elif product in ["rhel7"] -%}} - ExecStart and /usr/sbin/sulogin. -
ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
{{%- else -%}} ExecStart and /sbin/sulogin.
ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/rhel7_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/rhel7_correct_value.pass.sh index a0276216020..c8f033b2a39 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/rhel7_correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/rhel7_correct_value.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 service_file="/usr/lib/systemd/system/rescue.service" sulogin='/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed/rule.yml index 5fdf522dbb3..f2612e95d2a 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed/rule.yml @@ -22,9 +22,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-27351-6 - references: cis-csc: 1,12,15,16 cobit5: DSS05.04,DSS05.10,DSS06.10 @@ -38,7 +35,6 @@ references: ospp: FMT_MOF_EXT.1 srg: SRG-OS-000029-GPOS-00010 stigid@ol7: OL07-00-010090 - stigid@rhel7: RHEL-07-010090 ocil_clause: 'the package is not installed' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml index de5155c3d05..1b08d53afb0 100644 
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml @@ -25,7 +25,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-82963-0 cce@rhel8: CCE-80644-8 cce@rhel9: CCE-83599-1 diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml index 1fe7d2299f9..e2239eb278a 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml @@ -29,7 +29,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80565-5 cce@rhel8: CCE-80766-9 cce@rhel9: CCE-89122-6 cce@sle12: CCE-92221-1 diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/ansible/shared.yml index 062b9ef69c6..d43addc40c5 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,multi_platform_fedora,Oracle Linux 7 +# platform = multi_platform_fedora,Oracle Linux 7 # reboot = false # strategy = configure # complexity = low 
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/bash/shared.sh index 3d912c276e7..026bab79d67 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,multi_platform_fedora,Oracle Linux 7 +# platform = multi_platform_fedora,Oracle Linux 7 # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/rule.yml index 3176673e6c0..5344869aea9 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/rule.yml @@ -17,9 +17,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80567-1 - references: cis-csc: 1,12,15,16,5 cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml index 04cccbde459..e2a98b54547 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml 
@@ -25,7 +25,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-81002-8 cce@rhel8: CCE-80821-2 cce@rhel9: CCE-89151-5 cce@sle12: CCE-92222-9 diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/oval/shared.xml index 488627d9918..3d29e22e5c1 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/oval/shared.xml @@ -2,7 +2,7 @@ {{% set smartcard_packages = ['pam_pkcs11', 'mozilla-nss', 'mozilla-nss-tools', 'pcsc-ccid', 'pcsc-lite', 'pcsc-tools', 'opensc', 'coolkey'] %}} {{% elif product in ["sle15"] %}} {{% set smartcard_packages = ['pam_pkcs11', 'mozilla-nss', 'mozilla-nss-tools', 'pcsc-ccid', 'pcsc-lite', 'pcsc-tools', 'opensc'] %}} -{{% elif product in ["rhel7", "ol7"] %}} +{{% elif product in ["ol7"] %}} {{% set smartcard_packages = ['pam_pkcs11'] %}} {{% elif 'ubuntu' in product %}} {{% set smartcard_packages = ['libpam-pkcs11'] %}} diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml index b528f45e501..1b8b10d8823 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml 
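Review bot: `{{% elif product in ["ol7"] %}}` keeps a one-element list membership test where a plain equality reads more directly; `{{% elif product == "ol7" %}}` would match the form already used in the `smartcard_auth` description hunk below (`{{% if product == "ol7" %}}`). The same single-element pattern is left in `install_smartcard_packages/rule.yml`, `accounts_password_set_max_life_existing/ansible/shared.yml` and `accounts_password_set_max_life_root/ansible/shared.yml` further down. Behaviour is identical either way; this is only about consistency among the branches that are now ol7-only.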
@@ -2,7 +2,7 @@ {{% set smartcard_packages = ['pam_pkcs11', 'mozilla-nss', 'mozilla-nss-tools', 'pcsc-ccid', 'pcsc-lite', 'pcsc-tools', 'opensc', 'coolkey'] %}} {{% elif product in ["sle15"] %}} {{% set smartcard_packages = ['pam_pkcs11', 'mozilla-nss', 'mozilla-nss-tools', 'pcsc-ccid', 'pcsc-lite', 'pcsc-tools', 'opensc'] %}} -{{% elif product in ["rhel7", "ol7"] %}} +{{% elif product in ["ol7"] %}} {{% set smartcard_packages = ['pam_pkcs11'] %}} {{% elif 'ubuntu' in product %}} {{% set smartcard_packages = ['libpam-pkcs11'] %}} @@ -39,7 +39,6 @@ severity: medium platform: not_s390x_arch identifiers: - cce@rhel7: CCE-80519-2 cce@rhel8: CCE-84029-8 cce@rhel9: CCE-83596-7 cce@sle12: CCE-83177-6 @@ -52,7 +51,6 @@ references: srg: SRG-OS-000105-GPOS-00052,SRG-OS-000375-GPOS-00160,SRG-OS-000375-GPOS-00161,SRG-OS-000377-GPOS-00162 stigid@ol7: OL07-00-041001 stigid@ol8: OL08-00-010390 - stigid@rhel7: RHEL-07-041001 stigid@rhel8: RHEL-08-010390 stigid@sle12: SLES-12-030500 stigid@sle15: SLES-15-010460 @@ -72,7 +70,6 @@ template: name: package_installed vars: pkgname: openssl-pkcs11 - pkgname@rhel7: pam_pkcs11 pkgname@ol7: pam_pkcs11 pkgname@ubuntu1604: libpam-pkcs11 pkgname@ubuntu1804: libpam-pkcs11 diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml index cc90d14dfe7..286ff93b3e3 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml @@ -25,7 +25,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80568-9 cce@rhel8: CCE-80846-9 cce@rhel9: CCE-83595-9 
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml index 5ab5b292ce1..0fbd5372c22 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-82347-6 cce@rhel8: CCE-80993-9 cce@rhel9: CCE-86280-5 diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml index 13e9c9b9d56..3c92273dc1d 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml @@ -21,7 +21,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80569-7 cce@rhel8: CCE-80881-6 cce@rhel9: CCE-87907-2 cce@sle12: CCE-91646-0 diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/anaconda/shared.anaconda b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/anaconda/shared.anaconda index f60c282b82b..514444b0f25 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/anaconda/shared.anaconda +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/anaconda/shared.anaconda 
@@ -1,3 +1,3 @@ -# platform = Red Hat Enterprise Linux 7,Oracle Linux 7 +# platform = Oracle Linux 7 package --add=pam_pkcs11 --add=esc diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/bash/shared.sh index 2993a83499d..9ca98b9c4ae 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,Oracle Linux 7 +# platform = Oracle Linux 7 # Install required packages {{{ bash_package_install("esc") }}} diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml index fd26ca263da..8ce67e51543 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml @@ -6,9 +6,7 @@ title: 'Enable Smart Card Login' description: |- To enable smart card authentication, consult the documentation at:
    - {{% if product == "rhel7" %}} -
  • {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/smartcards#authconfig-smartcards") }}}
  • - {{% elif product == "ol7" %}} + {{% if product == "ol7" %}}
  • {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/7/userauth/userauth-AuthenticationConfiguration.html#ol7-s4-auth") }}}
  • {{% endif %}}
@@ -30,9 +28,6 @@ severity: medium platforms: - not_s390x_arch -identifiers: - cce@rhel7: CCE-80207-4 - references: cis-csc: 1,12,15,16,5 cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 @@ -45,7 +40,6 @@ references: pcidss: Req-8.3 srg: SRG-OS-000104-GPOS-00051,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000108-GPOS-00057,SRG-OS-000108-GPOS-00058,SRG-OS-000109-GPOS-00056,SRG-OS-000376-GPOS-00161,SRG-OS-000377-GPOS-00162 stigid@ol7: OL07-00-010500 - stigid@rhel7: RHEL-07-010500 ocil_clause: 'non-exempt accounts are not using CAC authentication' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/bash/shared.sh index d321bc5a4b3..a22adcde950 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_sle +# platform = Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_sle {{{ bash_package_install("pam_pkcs11") }}} diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml index 4b480258dbf..ba57aa26da0 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml 
@@ -27,7 +27,6 @@ platforms: - not_s390x_arch identifiers: - cce@rhel7: CCE-80520-0 cce@rhel8: CCE-82475-5 cce@sle12: CCE-83178-4 cce@sle15: CCE-83293-1 @@ -36,7 +35,6 @@ references: disa: CCI-001948,CCI-001953,CCI-001954 srg: SRG-OS-000375-GPOS-00160,SRG-OS-000376-GPOS-00161,SRG-OS-000377-GPOS-00162,SRG-OS-000384-GPOS-00167 stigid@ol7: OL07-00-041003 - stigid@rhel7: RHEL-07-041003 stigid@sle12: SLES-12-030510 stigid@sle15: SLES-15-010470 stigid@ubuntu2004: UBTU-20-010065 diff --git a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml index 6fefab28a0d..27965341f7d 100644 --- a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml @@ -23,7 +23,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82496-1 - cce@rhel7: CCE-80206-6 cce@rhel8: CCE-80876-6 cce@rhel9: CCE-90724-6 cce@sle15: CCE-91421-8 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml index c59420812c7..58d5a07e5b0 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml @@ -25,7 +25,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82695-8 - cce@rhel7: CCE-27355-7 cce@rhel8: CCE-80954-1 cce@rhel9: CCE-83627-0 cce@sle12: CCE-83051-3 @@ -51,7 +50,6 @@ references: srg: SRG-OS-000118-GPOS-00060 stigid@ol7: OL07-00-010310 stigid@ol8: OL08-00-020260 - stigid@rhel7: RHEL-07-010310 stigid@rhel8: RHEL-08-020260 stigid@sle12: SLES-12-010340 stigid@sle15: SLES-15-020050 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml index c31302b1676..f068afe81e9 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml @@ -27,7 +27,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-88242-3 cce@rhel8: CCE-85910-8 cce@rhel9: CCE-90560-4 @@ -41,7 +40,6 @@ references: nist: AC-2(2),AC-2(3),CM-6(a) nist-csf: DE.CM-1,DE.CM-3,PR.AC-1,PR.AC-4,PR.AC-6 srg: SRG-OS-000123-GPOS-00064,SRG-OS-000002-GPOS-00002 - stigid@rhel7: RHEL-07-010271 ocil_clause: 'any emergency accounts have no expiration date set or do not expire within 72 hours' diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml index 6ff5cfc8383..eacc69d4794 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml @@ -26,7 +26,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-81000-2 cce@rhel8: CCE-82474-8 cce@rhel9: CCE-90096-9 cce@sle12: CCE-83043-0 @@ -44,7 +43,6 @@ references: srg: SRG-OS-000123-GPOS-00064,SRG-OS-000002-GPOS-00002 stigid@ol7: OL07-00-010271 stigid@ol8: OL08-00-020000,OL08-00-020270 - stigid@rhel7: RHEL-07-010271 stigid@rhel8: RHEL-08-020000,RHEL-08-020270 stigid@sle12: SLES-12-010331 stigid@sle15: SLES-15-020061 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml index 6c4767341af..8242919dbc7 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml @@ -14,7 +14,6 @@ rationale: 'Unique usernames allow for accountability on the system.' severity: medium identifiers: - cce@rhel7: CCE-80208-2 cce@rhel8: CCE-80674-5 cce@rhel9: CCE-83628-8 cce@sle12: CCE-91550-4 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/rule.yml index cad3ab87e25..3e6b401ff6d 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/rule.yml @@ -18,7 +18,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86818-2 cce@sle12: CCE-92213-8 cce@sle15: CCE-91344-2 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml index c1559b158b0..dd5741673d9 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml @@ -10,7 +10,6 @@ rationale: 'To assure accountability and prevent unauthenticated access, interac severity: medium identifiers: - cce@rhel7: CCE-85857-1 cce@rhel8: CCE-89903-9 cce@rhel9: CCE-88493-2 cce@sle12: CCE-83196-6 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml index a33e5f3d4b4..88b1f0adbd3 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml @@ -25,7 +25,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-88380-1 cce@rhel8: CCE-85987-6 cce@rhel9: CCE-88048-4 cce@sle12: CCE-83195-8 @@ -37,7 +36,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-020270 stigid@ol8: OL08-00-020320 - stigid@rhel7: RHEL-07-020270 stigid@rhel8: RHEL-08-020320 stigid@sle12: SLES-12-010630 stigid@sle15: SLES-15-020090 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml index 7242a8c30fa..3ca41742d99 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml @@ -10,7 +10,6 @@ rationale: 'To assure accountability and prevent unauthenticated access, groups severity: medium identifiers: - cce@rhel7: CCE-86200-3 cce@rhel8: CCE-86201-1 cce@rhel9: CCE-86043-7 cce@sle12: CCE-92206-2 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml index f7b6f14ccb3..3b4ae8970a8 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml 
@@ -10,7 +10,6 @@ rationale: 'To assure accountability and prevent unauthenticated access, groups severity: medium identifiers: - cce@rhel7: CCE-86327-4 cce@rhel8: CCE-86328-2 cce@sle12: CCE-92207-0 cce@sle15: CCE-91340-0 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml index a3ec2a58d1b..596533df879 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml @@ -25,7 +25,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27051-2 cce@rhel8: CCE-80647-1 cce@rhel9: CCE-83606-4 cce@sle12: CCE-83050-5 @@ -51,7 +50,6 @@ references: srg: SRG-OS-000076-GPOS-00044 stigid@ol7: OL07-00-010250 stigid@ol8: OL08-00-020200 - stigid@rhel7: RHEL-07-010250 stigid@rhel8: RHEL-08-020200 stigid@sle12: SLES-12-010280 stigid@sle15: SLES-15-020220 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml index c9d5bd990aa..1346cebca9f 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml @@ -24,7 +24,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-82036-5 cce@rhel8: CCE-80648-9 cce@rhel9: CCE-83610-6 cce@sle12: CCE-83042-2 
@@ -50,7 +49,6 @@ references: srg: SRG-OS-000075-GPOS-00043 stigid@ol7: OL07-00-010230 stigid@ol8: OL08-00-020190 - stigid@rhel7: RHEL-07-010230 stigid@rhel8: RHEL-08-020190 stigid@sle12: SLES-12-010260 stigid@sle15: SLES-15-020200 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml index 10a4ef23c17..e5b8425834e 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml @@ -26,7 +26,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-82049-8 cce@rhel8: CCE-80652-1 cce@rhel9: CCE-83608-0 cce@sle12: CCE-83257-6 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml index a32ce4ae4ce..dc843c19cd4 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml @@ -11,7 +11,7 @@ register: user_names - name: Change the maximum time period between password changes -{{% if product in ["rhel7", "ol7"] %}} +{{% if product in ["ol7"] %}} ansible.builtin.command: cmd: chage -M {{ var_accounts_maximum_age_login_defs }} {{ item }} {{% elif product in ["sle12","sle15"] %}} 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml index 3f23b472a2c..891aaf773d6 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml @@ -18,7 +18,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80522-6 cce@rhel8: CCE-82473-0 cce@rhel9: CCE-86031-2 cce@sle12: CCE-83041-4 @@ -34,7 +33,6 @@ references: srg: SRG-OS-000076-GPOS-00044 stigid@ol7: OL07-00-010260 stigid@ol8: OL08-00-020210 - stigid@rhel7: RHEL-07-010260 stigid@rhel8: RHEL-08-020210 stigid@sle12: SLES-12-010290 stigid@sle15: SLES-15-020230 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml index 0960e05ace0..ebcb5ac0430 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml @@ -6,7 +6,7 @@ {{{ ansible_instantiate_variables("var_accounts_maximum_age_root") }}} - name: Change the maximum time period between password changes -{{% if product in ["rhel7", "ol7"] %}} +{{% if product in ["ol7"] %}} ansible.builtin.command: cmd: chage -M {{ var_accounts_maximum_age_root }} root {{% else %}} 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/rule.yml index 3c05944018d..6e843554728 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-87665-6 cce@rhel8: CCE-87667-2 cce@rhel9: CCE-87668-0 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml index da2beb59e20..2cd5c7d84a6 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml @@ -18,7 +18,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80521-8 cce@rhel8: CCE-82472-2 cce@rhel9: CCE-89069-9 cce@sle12: CCE-83049-7 @@ -35,7 +34,6 @@ references: srg: SRG-OS-000075-GPOS-00043 stigid@ol7: OL07-00-010240 stigid@ol8: OL08-00-020180 - stigid@rhel7: RHEL-07-010240 stigid@rhel8: RHEL-08-020180 stigid@sle12: SLES-12-010270 stigid@sle15: SLES-15-020210 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml index 55bbe1902ac..d1848c6c575 100644 
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium

 identifiers:
- cce@rhel7: CCE-86913-1
 cce@rhel8: CCE-86914-9
 cce@rhel9: CCE-86915-6
 cce@sle12: CCE-92321-9
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
index 06bd9323632..7c563edda59 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium

 identifiers:
- cce@rhel7: CCE-82016-7
 cce@rhel8: CCE-80671-1
 cce@rhel9: CCE-83609-8
 cce@sle12: CCE-92205-4
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/rule.yml
index b5f65cd9113..da78daab6a5 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium

 identifiers:
- cce@rhel7: CCE-86757-2
 cce@rhel8: CCE-86758-0
 cce@rhel9: CCE-86759-8
 cce@sle12: CCE-92322-7
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml
index 9d0e198b8d4..809d3365d77 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium

 identifiers:
- cce@rhel7: CCE-27352-4
 cce@rhel8: CCE-80651-3
 cce@rhel9: CCE-83618-9
 cce@sle12: CCE-91551-2
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_last_change_is_in_past/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_last_change_is_in_past/rule.yml
index b50c6a68819..0aaa8d6628d 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_last_change_is_in_past/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_last_change_is_in_past/rule.yml
@@ -14,7 +14,6 @@ severity: medium
 platform: machine

 identifiers:
- cce@rhel7: CCE-86524-6
 cce@rhel8: CCE-86525-3
 cce@rhel9: CCE-86526-1
 cce@sle12: CCE-92330-0
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
index 428b3e6948f..a258cfa0298 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
@@ -34,7 +34,6 @@ warnings:
 severity: medium

 identifiers:
- cce@rhel7: CCE-83402-8
 cce@rhel8: CCE-83403-6
 cce@rhel9: CCE-83615-5
 cce@sle12: CCE-91470-5
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/default_rounds.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/default_rounds.fail.sh
index d0460cbe6de..718cd79b948 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/default_rounds.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/default_rounds.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora
 # packages = pam
 # variables = var_password_pam_unix_rounds=5000

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/explicit_rounds.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/explicit_rounds.pass.sh
index f757da452c5..46b8e6a8e0c 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/explicit_rounds.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/explicit_rounds.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora
 # packages = pam

 pamFile="/etc/pam.d/password-auth"
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/less_rounds.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/less_rounds.fail.sh
index 861be0d9f7d..1177f101fa9 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/less_rounds.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/less_rounds.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora
 # packages = pam
 # variables = var_password_pam_unix_rounds=5000

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/wrong_control.fail.sh
index abe9e1d3483..76049cb0210 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/wrong_control.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/wrong_control.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = pam
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora
 # variables = var_password_pam_unix_rounds=65536

 ROUNDS=65536
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml
index 2bb6c95f1fe..f5e7045a522 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml
@@ -23,7 +23,6 @@ warnings:
 severity: medium

 identifiers:
- cce@rhel7: CCE-83384-8
 cce@rhel8: CCE-83386-3
 cce@rhel9: CCE-83621-3
 cce@sle12: CCE-91471-3
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/default_rounds.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/default_rounds.fail.sh
index 026f27d50a6..460048efa7c 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/default_rounds.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/default_rounds.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora
 # packages = pam
 # variables = var_password_pam_unix_rounds=5000

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/explicit_rounds.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/explicit_rounds.pass.sh
index 15b1d5acd87..0a5979bb9cd 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/explicit_rounds.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/explicit_rounds.pass.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = pam
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora
 # variables = var_password_pam_unix_rounds=65536

 ROUNDS=65536
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/less_rounds.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/less_rounds.fail.sh
index abb49f818b4..baae1291f35 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/less_rounds.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/less_rounds.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora
 # packages = pam
 # variables = var_password_pam_unix_rounds=5000

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/wrong_control.fail.sh
index 8de7be25f46..517676aeced 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/wrong_control.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/wrong_control.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = pam
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora
 # variables = var_password_pam_unix_rounds=65536

 ROUNDS=65536
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml
index f1365e65ecb..9636369e1aa 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml
@@ -12,7 +12,6 @@ rationale: |-
 severity: low

 identifiers:
- cce@rhel7: CCE-27503-2
 cce@rhel8: CCE-80822-0
 cce@rhel9: CCE-83613-0
 cce@sle12: CCE-91552-0
@@ -36,7 +35,6 @@ references:
 pcidss: Req-8.5.a
 srg: SRG-OS-000104-GPOS-00051
 stigid@ol7: OL07-00-020300
- stigid@rhel7: RHEL-07-020300

 ocil_clause: 'GIDs referenced in /etc/passwd are returned as not defined in /etc/group'

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
index d229eaf54e6..a1f629a9dc9 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
@@ -28,7 +28,6 @@ platform: machine

 identifiers:
 cce@rhcos4: CCE-82553-9
- cce@rhel7: CCE-27286-4
 cce@rhel8: CCE-80841-0
 cce@rhel9: CCE-83611-4
 cce@sle12: CCE-83039-8
@@ -52,7 +51,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-010290
 stigid@ol8: OL08-00-020331,OL08-00-020332
- stigid@rhel7: RHEL-07-010290
 stigid@rhel8: RHEL-08-020331,RHEL-08-020332
 stigid@sle12: SLES-12-010231
 stigid@sle15: SLES-15-020300
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh
index 106dbe2031e..e0a57695fb1 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu

 {{% if 'ubuntu' in product %}}
 sed -i --follow-symlinks '/nullok/d' /etc/pam.d/common-password
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh
index fae948d041d..1f4e2b6f050 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora

 for pam_file in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
 sed -i --follow-symlinks '/nullok/d' $pam_file
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh
index db39375754f..d39f4a897f9 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu

 {{% if 'ubuntu' in product %}}
 for FILE in "/etc/pam.d/common-password"; do
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_password_auth.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_password_auth.fail.sh
index 0327dfe1e67..effd5b7c066 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_password_auth.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_password_auth.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora

 PASSWORD_AUTH_FILE="/etc/pam.d/password-auth"

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml
index db95513ea22..50e264481d3 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml
@@ -24,7 +24,6 @@ severity: high
 platform: machine

 identifiers:
- cce@rhel7: CCE-86347-2
 cce@rhel8: CCE-85953-8
 cce@rhel9: CCE-85972-8
 cce@sle12: CCE-83249-3
@@ -37,7 +36,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-010291
 stigid@ol8: OL08-00-010121
- stigid@rhel7: RHEL-07-010291
 stigid@rhel8: RHEL-08-010121
 stigid@sle12: SLES-12-010221
 stigid@sle15: SLES-15-020181
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
index b8f8b0be3d0..6bb8f7971b7 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium

 identifiers:
- cce@rhel7: CCE-86754-9
 cce@rhel8: CCE-86755-6
 cce@rhel9: CCE-86756-4
 cce@sle12: CCE-92349-0
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
index 742eabb7951..58edc9fba28 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium

 identifiers:
- cce@rhel7: CCE-83388-9
 cce@rhel8: CCE-83389-7
 cce@rhel9: CCE-83616-3

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
index 5783082308d..15b81d4d97e 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium

 identifiers:
- cce@rhel7: CCE-82889-7
 cce@rhel8: CCE-82890-5
 cce@rhel9: CCE-83620-5
 cce@sle12: CCE-92286-4
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
index 309805939cc..7b33c1ac7aa 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium

 identifiers:
- cce@rhel7: CCE-83390-5
 cce@rhel8: CCE-84290-6
 cce@rhel9: CCE-83612-2
 cce@sle12: CCE-92289-8
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
index e0a40f422fe..fd332bced1d 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
@@ -17,7 +17,6 @@ severity: medium

 identifiers:
 cce@rhcos4: CCE-82667-7
- cce@rhel7: CCE-80211-6
 cce@rhel8: CCE-83444-0
 cce@rhel9: CCE-83617-1
 cce@sle12: CCE-92368-0
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
index dcc311d46bc..9ccca23c9c0 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
@@ -23,7 +23,6 @@ severity: high

 identifiers:
 cce@rhcos4: CCE-82699-0
- cce@rhel7: CCE-82054-8
 cce@rhel8: CCE-80649-7
 cce@rhel9: CCE-83624-7
 cce@sle12: CCE-83020-8
@@ -50,7 +49,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-020310
 stigid@ol8: OL08-00-040200
- stigid@rhel7: RHEL-07-020310
 stigid@rhel8: RHEL-08-040200
 stigid@sle12: SLES-12-010650
 stigid@sle15: SLES-15-020100
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/rule.yml
index b8420dd527f..9585f7ca73c 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/rule.yml
@@ -11,7 +11,6 @@ rationale: |-
 severity: high

 identifiers:
- cce@rhel7: CCE-86296-1
 cce@rhel8: CCE-86297-9
 cce@rhel9: CCE-86298-7
 cce@sle12: CCE-91635-3
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml
index e399f479ca4..c2373a01dc9 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium

 identifiers:
- cce@rhel7: CCE-86888-5
 cce@rhel8: CCE-86071-8
 cce@rhel9: CCE-86072-6
 cce@sle12: CCE-92353-2
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_password_configured/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_password_configured/rule.yml
index 61862a92554..c4712ae292e 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_password_configured/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_password_configured/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium

 identifiers:
- cce@rhel7: CCE-87722-5
 cce@rhel8: CCE-86517-0
 cce@rhel9: CCE-87101-2

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
index 861d620d0df..5b78cda180a 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
@@ -28,7 +28,6 @@ severity: medium

 identifiers:
 cce@rhcos4: CCE-82698-2
- cce@rhel7: CCE-27294-8
 cce@rhel8: CCE-80840-2
 cce@rhel9: CCE-83625-4
 cce@sle12: CCE-91497-8
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_password_auth_for_systemaccounts/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_password_auth_for_systemaccounts/rule.yml
index 426dfffdc12..530211b2e60 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_password_auth_for_systemaccounts/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_password_auth_for_systemaccounts/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium

 identifiers:
- cce@rhel7: CCE-80650-5
 cce@rhel8: CCE-86112-0
 cce@rhel9: CCE-86113-8

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_root_webbrowsing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_root_webbrowsing/rule.yml
index 3a9e04ca2a0..786b8755070 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_root_webbrowsing/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_root_webbrowsing/rule.yml
@@ -14,9 +14,6 @@ rationale: |-

 severity: unknown

-identifiers:
- cce@rhel7: CCE-80209-0
-
 ocil_clause: 'this is not the case'

 ocil: |-
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
index ebdb96bd5a9..cd9460766f6 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
@@ -22,7 +22,6 @@ severity: medium

 identifiers:
 cce@rhcos4: CCE-82697-4
- cce@rhel7: CCE-82015-9
 cce@rhel8: CCE-80843-6
 cce@rhel9: CCE-83623-9
 cce@sle12: CCE-83232-9
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml
index 955854d57be..c6bfbfed596 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium

 identifiers:
- cce@rhel7: CCE-27268-2
 cce@rhel8: CCE-80856-8
 cce@rhel9: CCE-83622-1
 cce@sle15: CCE-91429-1
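Review bot: Dropping the whole `identifiers:` block from no_root_webbrowsing/rule.yml leaves the rule with no identifier for any product and `severity: unknown`, which suggests it only ever existed for rhel7. If no remaining product or profile selects it, the rule directory is now dead content and removing it outright would be cleaner than leaving an orphan; if something still selects it, it should gain a CCE for that product rather than none at all. The same applies to root_path_default/rule.yml in the next file section, where the `identifiers:` block is likewise removed entirely. I cannot see the profile selections from this diff, so whether either rule is still referenced needs confirming.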
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/root_path_default/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/root_path_default/rule.yml
index e0d8f462013..86b46c6add2 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/root_path_default/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/root_path_default/rule.yml
@@ -16,9 +16,6 @@ rationale: |-

 severity: unknown

-identifiers:
- cce@rhel7: CCE-80210-8
-
 references:
 cis-csc: '18'
 cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
index cc0f9837f2e..4b48db9193d 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium

 identifiers:
- cce@rhel7: CCE-27318-5
 cce@rhel8: CCE-80864-2
 cce@rhel9: CCE-83626-2
 cce@sle12: CCE-92238-5
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
index ef54967d283..11b23c8b1ff 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
 severity: medium

 identifiers:
- cce@rhel7: CCE-85855-5
 cce@rhel8: CCE-83318-6
 cce@rhel9: CCE-90085-2
 cce@sle12: CCE-91633-8
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml
index 7ae02056973..c2d51b983f4 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
 severity: medium

 identifiers:
- cce@rhel7: CCE-86886-9
 cce@rhel8: CCE-86064-3
 cce@rhel9: CCE-86065-0
 cce@sle12: CCE-92351-6
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var b/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
index 96fddebd90d..7546f1d8617 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
+++ b/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
@@ -26,7 +26,6 @@ options:
 ol8: "^(abrt|adm|avahi|bin|chrony|clevis|cockpit-ws|cockpit-wsinstance|colord|daemon|dbus|dnsmasq|flatpak|ftp|games|gdm|geoclue|gluster|gnome-initial-setup|halt|libstoragemgmt|lp|mail|nfsnobody|nobody|ntp|operator|oprofile|oracle|pcp|pegasus|pipewire|polkitd|postfix|pulse|qemu|radvd|rngd|root|rpc|rpcuser|rtkit|saned|saslauth|setroubleshoot|shutdown|sshd|sssd|sync|systemd-bus-proxy|systemd-coredump|systemd-network|systemd-resolve|tcpdump|tss|unbound|usbmuxd$|uuidd)$"
 ol9: "^(abrt|adm|avahi|bin|chrony|clevis|cockpit-ws|cockpit-wsinstance|colord|daemon|dbus|dnsmasq|fapolicyd|flatpak|ftp|games|gdm|geoclue|gluster|gnome-initial-setup|halt|libstoragemgmt|lp|mail|nfsnobody|nobody|ntp|operator|oprofile|oracle|pcp|pegasus|pipewire|polkitd|postfix|pulse|qemu|radvd|rngd|root|rpc|rpcuser|rtkit|saned|saslauth|setroubleshoot|shutdown|sshd|sssd|sync|systemd-bus-proxy|systemd-coredump|systemd-network|systemd-oom|systemd-resolve|tcpdump|tss|unbound|usbmuxd$|uuidd)$"
 ol7forsap: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$"
- rhel7: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$"
 rhel8: 
"^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$"
 rhel9: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|tss|systemd-coredump|dbus|polkitd|avahi|colord|rtkit|pipewire|clevis|sssd|geoclue|flatpak|setroubleshoot|libstoragemgmt|systemd-oom|gdm|cockpit-ws|cockpit-wsinstance|gnome-initial-setup|sshd|chrony|dnsmasq|tcpdump|admin)$"
 sle12: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd|man|systemd-timesync|scard|hacluster|statd|at|dockremap|vnc)$"
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
index e2f036e157f..33bff9201b0 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80434-4
 cce@rhel8: CCE-83789-8
 cce@rhel9: CCE-88983-2
 cce@sle12: CCE-83053-9
@@ -29,7 +28,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-020610
 stigid@ol8: OL08-00-010760
- stigid@rhel7: RHEL-07-020610
 stigid@rhel8: RHEL-08-010760
 stigid@sle12: SLES-12-010720
 stigid@sle15: SLES-15-020110
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
index d224b894f81..1cb2abdc8c6 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80352-8
 cce@rhel8: CCE-84037-1
 cce@rhel9: CCE-83635-3
 cce@sle12: CCE-83028-1
@@ -31,7 +30,6 @@ references:
 srg: SRG-OS-000480-GPOS-00226
 stigid@ol7: OL07-00-010430
 stigid@ol8: OL08-00-020310
- stigid@rhel7: RHEL-07-010430
 stigid@rhel8: RHEL-08-020310
 stigid@sle12: SLES-12-010140
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
index 81984dbae44..74013668ba0 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: low
 identifiers:
- cce@rhel7: CCE-82041-5
 cce@rhel8: CCE-80955-8
 cce@rhel9: CCE-83641-1
 cce@sle12: CCE-83065-3
@@ -38,7 +37,6 @@ references:
 srg: SRG-OS-000027-GPOS-00008
 stigid@ol7: OL07-00-040000
 stigid@ol8: OL08-00-020024
- stigid@rhel7: RHEL-07-040000
 stigid@rhel8: RHEL-08-020024
 stigid@sle12: SLES-12-010120
 stigid@sle15: SLES-15-020020
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml
index b3822a1ca54..82bb1fc0a16 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
 severity: low
 identifiers:
- cce@rhel7: CCE-83731-0
 cce@rhel8: CCE-83732-8
 cce@rhel9: CCE-90827-7
 cce@sle12: CCE-91506-6
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml
index e132ed95e65..4dd426a4dff 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
 severity: low
 identifiers:
- cce@rhel7: CCE-83777-3
 cce@rhel8: CCE-83778-1
 cce@rhel9: CCE-83642-9
 cce@sle12: CCE-91507-4
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml
index 7fedef9c821..6ff55cd0ec7 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml
@@ -7,7 +7,7 @@
 {{{ ansible_instantiate_variables("var_accounts_tmout") }}}
 {{% set system_configuration_using_etc_bashrc_expected = false %}}
-{{% if product in ["ol7", "rhel7"] %}}
+{{% if product in ["ol7"] %}}
 {{% set system_configuration_using_etc_bashrc_expected = true %}}
 {{% endif %}}
@@ -28,4 +28,4 @@ register: profile_replaced
 {{{ ansible_lineinfile("", "/etc/profile.d/tmout.sh", regex='TMOUT=', new_line='typeset -xr TMOUT={{ var_accounts_tmout }}',
- create='yes', state='present', when="profile_replaced is defined and not profile_replaced.changed" + " and bashrc_replaced is defined and not bashrc_replaced.changed" if product in ["ol7", "rhel7"]) }}}
+ create='yes', state='present', when="profile_replaced is defined and not profile_replaced.changed" + " and bashrc_replaced is defined and not bashrc_replaced.changed" if product in ["ol7"]) }}}
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh
index f9a441f1326..46949d760a4 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh
@@ -1,7 +1,7 @@
 # platform = multi_platform_all
 {{% set system_configuration_using_etc_bashrc_expected = false -%}}
-{{% if product in ["ol7", "rhel7"] %}}
+{{% if product in ["ol7"] %}}
 {{% set system_configuration_using_etc_bashrc_expected = true -%}}
 {{%- endif -%}}
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml
index 6499ba9f171..e74106fe722 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml
@@ -1,6 +1,6 @@
 {{% set system_configuration_using_etc_bashrc_expected = false -%}}
-{{% if product in ["ol7", "rhel7"] -%}}
+{{% if product in ["ol7"] -%}}
 {{% set system_configuration_using_etc_bashrc_expected = true %}}
 {{%- endif -%}}
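Review bot: The `/etc/bashrc` branch that this OVAL hunk (and the bash and Ansible remediations above it) keeps alive for `ol7` is left with no scenario coverage: the only tests that exercised `system_configuration_using_etc_bashrc_expected = true`, `correct_value_bashrc.pass.sh` and `wrong_value_bashrc.fail.sh`, are deleted later in this diff because they were pinned to `# platform = Red Hat Enterprise Linux 7`. Rather than deleting them, re-target the two scripts to the remaining consumer (presumably `# platform = Oracle Linux 7` — confirm the product name the test harness expects) so a regression in the bashrc check and fix path is still caught. As a point of style, `product in ["ol7"]` in all three templates reads as a leftover of the former two-element list; `product == "ol7"` states the intent directly. Each of these templates continues past its hunk, so the code that consumes the flag is not visible here.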
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
index fe052c8c50d..404af087184 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
@@ -21,7 +21,7 @@ description: |-
 export TMOUT
 {{% else %}}
 setting in a file loaded by /etc/profile
- {{{- "or /etc/bashrc" if product in ["ol7", "rhel7"] }}}, e.g.
+ {{{- "or /etc/bashrc" if product in ["ol7"] }}}, e.g.
 /etc/profile.d/tmout.sh should read as follows:
typeset -xr TMOUT={{{ xccdf_value("var_accounts_tmout") }}}
or
@@ -38,7 +38,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-27557-8
 cce@rhel8: CCE-80673-7
 cce@rhel9: CCE-83633-8
 cce@sle12: CCE-83011-7
@@ -63,7 +62,6 @@ references:
 ospp: FMT_MOF_EXT.1
 srg: SRG-OS-000163-GPOS-00072,SRG-OS-000029-GPOS-00010
 stigid@ol7: OL07-00-040160
- stigid@rhel7: RHEL-07-040160
 stigid@sle12: SLES-12-010090
 stigid@sle15: SLES-15-010130
 stigid@ubuntu2004: UBTU-20-010013
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/correct_value_bashrc.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/correct_value_bashrc.pass.sh
deleted file mode 100644
index 750478d6568..00000000000
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/correct_value_bashrc.pass.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-# platform = Red Hat Enterprise Linux 7
-# variables = var_accounts_tmout=700
-
-sed -i "/.*TMOUT.*/d" /etc/profile /etc/profile.d/*.sh /etc/bashrc
-
-echo "typeset -xr TMOUT=700" >> /etc/bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/wrong_value_bashrc.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/wrong_value_bashrc.fail.sh
deleted file mode 100644
index 963449b74bc..00000000000
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/wrong_value_bashrc.fail.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-# platform = Red Hat Enterprise Linux 7
-# variables = var_accounts_tmout=700
-
-sed -i "/.*TMOUT.*/d" /etc/profile /etc/profile.d/*.sh /etc/bashrc
-
-echo "typeset -xr TMOUT=800" >> /etc/bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
index fdf5e329630..63daa13d299 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
@@ -20,7 +20,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80526-7
 cce@rhel8: CCE-86314-2
 cce@rhel9: CCE-87037-8
 cce@sle12: CCE-92295-5
@@ -34,7 +33,6 @@ references:
 disa: CCI-000366
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-020700
- stigid@rhel7: RHEL-07-020700
 ocil_clause: 'they are not'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
index 5bbf11aadc6..d2397811b94 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80523-4
 cce@rhel8: CCE-84039-7
 cce@rhel9: CCE-87451-1
 cce@sle12: CCE-83099-2
@@ -32,7 +31,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-020730
 stigid@ol8: OL08-00-010660
- stigid@rhel7: RHEL-07-020730
 stigid@rhel8: RHEL-08-010660
 stigid@sle12: SLES-12-010780
 stigid@sle15: SLES-15-040130
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
index 333f99c5e32..433420f9aa9 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80527-5
 cce@rhel8: CCE-86316-7
 cce@rhel9: CCE-87038-6
 cce@sle12: CCE-92296-3
@@ -33,7 +32,6 @@ references:
 disa: CCI-000366
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-020690
- stigid@rhel7: RHEL-07-020690
 ocil_clause: 'they are not'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
index 6afe058cf7e..25359fbb02b 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
@@ -22,7 +22,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80524-2
 cce@rhel8: CCE-84040-5
 cce@rhel9: CCE-87487-5
 cce@sle12: CCE-83098-4
@@ -33,7 +32,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-020720
 stigid@ol8: OL08-00-010690
- stigid@rhel7: RHEL-07-020720
 stigid@rhel8: RHEL-08-010690
 stigid@sle12: SLES-12-010770
 stigid@sle15: SLES-15-040120
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
index a76ca547a3b..bf9fd270648 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80528-3
 cce@rhel8: CCE-84036-3
 cce@rhel9: CCE-88964-2
 cce@sle12: CCE-83075-2
@@ -29,7 +28,6 @@ references:
 disa: CCI-000366
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol8: OL08-00-010720
- stigid@rhel7: RHEL-07-020600
 stigid@rhel8: RHEL-08-010720
 stigid@sle12: SLES-12-010710
 stigid@sle15: SLES-15-040070
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
index 997f43257e1..18626e36f6a 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80529-1
 cce@rhel8: CCE-83424-2
 cce@rhel9: CCE-83639-5
 cce@sle12: CCE-83074-5
@@ -34,7 +33,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-020620
 stigid@ol8: OL08-00-010750
- stigid@rhel7: RHEL-07-020620
 stigid@rhel8: RHEL-08-010750
 stigid@sle12: SLES-12-010730
 stigid@sle15: SLES-15-040080
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml
index 1d25373f630..0a1b29c5b00 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80534-1
 cce@rhel8: CCE-86534-5
 cce@rhel9: CCE-87039-4
 cce@sle12: CCE-92292-2
@@ -32,7 +31,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-020670
 stigid@ol8: OL08-00-010741
- stigid@rhel7: RHEL-07-020670
 stigid@rhel8: RHEL-08-010741
 ocil_clause: 'the group ownership is incorrect'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
index c8098ab074e..220b3dc619b 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
@@ -21,7 +21,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80533-3
 cce@rhel8: CCE-87040-2
 cce@rhel9: CCE-87041-0
 cce@sle12: CCE-92293-0
@@ -33,7 +32,6 @@ references:
 disa: CCI-000366
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-020660
- stigid@rhel7: RHEL-07-020660
 ocil_clause: 'the user ownership is incorrect'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/rule.yml
index 7558ca36541..9ccd2492405 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80535-8
 cce@rhel8: CCE-85888-6
 cce@rhel9: CCE-87042-8
 cce@sle12: CCE-92290-6
@@ -29,7 +28,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-020680
 stigid@ol8: OL08-00-010731
- stigid@rhel7: RHEL-07-020680
 stigid@rhel8: RHEL-08-010731
 ocil_clause: 'home directory files or folders have incorrect permissions'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_netrc_file_permissions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_netrc_file_permissions/rule.yml
index 937b0fe4571..98682fbe58c 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_netrc_file_permissions/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_netrc_file_permissions/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-89524-3
 cce@rhel8: CCE-87369-5
 cce@sle12: CCE-92446-4
 cce@sle15: CCE-92697-2
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
index 1d0733c97fd..3307b1160cb 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
@@ -22,7 +22,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80532-5
 cce@rhel8: CCE-83434-1
 cce@rhel9: CCE-83629-6
 cce@sle12: CCE-83096-8
@@ -38,7 +37,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-020650
 stigid@ol8: OL08-00-010740
- stigid@rhel7: RHEL-07-020650
 stigid@rhel8: RHEL-08-010740
 stigid@sle12: SLES-12-010750
 stigid@sle15: SLES-15-040100
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
index a48260c7acd..77b70872d26 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
@@ -21,7 +21,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80531-7
 cce@rhel8: CCE-86131-0
 cce@sle12: CCE-92291-4
 cce@sle15: CCE-91404-4
@@ -34,7 +33,6 @@ references:
 disa: CCI-000366
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-020640
- stigid@rhel7: RHEL-07-020640
 ocil_clause: 'the user ownership is incorrect'
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
index 74f5f022319..3bb0d54d5f5 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80525-9
 cce@rhel8: CCE-84043-9
 cce@rhel9: CCE-83637-9
 cce@sle12: CCE-83097-6
@@ -27,7 +26,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-020710
 stigid@ol8: OL08-00-010770
- stigid@rhel7: RHEL-07-020710
 stigid@rhel8: RHEL-08-010770
 stigid@sle12: SLES-12-010760
 stigid@sle15: SLES-15-040110
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml
index c7bda5c9306..570cc8b8744 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86105-4
 cce@rhel8: CCE-86106-2
 cce@rhel9: CCE-87087-3
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
index 2719dae2979..0e9456e3d21 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80530-9
 cce@rhel8: CCE-84038-9
 cce@rhel9: CCE-83634-6
 cce@sle12: CCE-83076-0
@@ -31,7 +30,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-020630
 stigid@ol8: OL08-00-010730
- stigid@rhel7: RHEL-07-020630
 stigid@rhel8: RHEL-08-010730
 stigid@sle12: SLES-12-010740
 stigid@sle15: SLES-15-040090
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
index c7daf9f6e4e..3de5d0aa836 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
@@ -25,7 +25,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80201-7
 cce@rhel8: CCE-84274-0
 cce@rhel9: CCE-83638-7
diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
index c4e03819cea..38bf1079ef7 100644
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80200-9
 cce@rhel8: CCE-80672-9
 cce@rhel9: CCE-83643-7
 cce@sle12: CCE-92288-0
diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
index c3f57eb2cf2..8e7f608aa86 100644
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
@@ -20,7 +20,6 @@ rationale: |-
 severity: unknown
 identifiers:
- cce@rhel7: CCE-80199-3
 cce@rhel8: CCE-85914-0
 cce@rhel9: CCE-88059-1
 cce@sle12: CCE-92287-2
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
index 37b322c3c89..021cc95fb0e 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
@@ -24,7 +24,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-84260-9
- cce@rhel7: CCE-80202-5
 cce@rhel8: CCE-81036-6
 cce@rhel9: CCE-83644-5
 cce@sle12: CCE-91530-6
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
index 23273c85550..bf2dbc750f7 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
@@ -17,7 +17,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-84261-7
- cce@rhel7: CCE-80203-3
 cce@rhel8: CCE-81037-4
 cce@rhel9: CCE-87721-7
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
index 09d630e535b..e6cb0603973 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80205-8
 cce@rhel8: CCE-82888-9
 cce@rhel9: CCE-83647-8
 cce@sle12: CCE-83052-1
@@ -38,7 +37,6 @@ references:
 srg: SRG-OS-000480-GPOS-00228
 stigid@ol7: OL07-00-020240
 stigid@ol8: OL08-00-020351
- stigid@rhel7: RHEL-07-020240
 stigid@rhel8: RHEL-08-020351
 stigid@sle12: SLES-12-010620
 stigid@sle15: SLES-15-040420
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
index ef85c30c923..88de78b99d1 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
@@ -20,7 +20,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-84262-5
- cce@rhel7: CCE-80204-1
 cce@rhel8: CCE-81035-8
 cce@rhel9: CCE-90828-5
 cce@sle12: CCE-91531-4
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
index da7594ebcd7..3f7ca3912d6 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80536-6
 cce@rhel8: CCE-84044-7
 cce@rhel9: CCE-90365-8
@@ -27,7 +26,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227,SRG-OS-000480-GPOS-00228
 stigid@ol7: OL07-00-021040
 stigid@ol8: OL08-00-020352
- stigid@rhel7: RHEL-07-021040
 stigid@rhel8: RHEL-08-020352
 ocil_clause: 'any local interactive user initialization files are found to have a umask statement that sets a value less restrictive than "077"'
diff --git a/linux_os/guide/system/accounts/authconfig_config_files_symlinks/rule.yml b/linux_os/guide/system/accounts/authconfig_config_files_symlinks/rule.yml
index 39855426181..7efc8367d3b 100644
--- a/linux_os/guide/system/accounts/authconfig_config_files_symlinks/rule.yml
+++ b/linux_os/guide/system/accounts/authconfig_config_files_symlinks/rule.yml
@@ -20,14 +20,10 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-86062-7 - references: disa: CCI-000196 srg: SRG-OS-000073-GPOS-00041 stigid@ol7: OL07-00-010199 - stigid@rhel7: RHEL-07-010199 warnings: - general: |- diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml index bc2cf24b412..d745deed77a 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml @@ -14,7 +14,6 @@ rationale: |- severity: unknown identifiers: - cce@rhel7: CCE-82351-8 cce@rhel8: CCE-83920-9 cce@rhel9: CCE-83844-1 cce@sle12: CCE-91532-2 diff --git a/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml index b9fe8d0f7c1..753997cd041 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml @@ -27,7 +27,6 @@ warnings: severity: high identifiers: - cce@rhel7: CCE-90775-8 cce@rhel8: CCE-88123-5 cce@rhel9: CCE-89123-4 diff --git a/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml index 61a5d9c99f6..94d4bb25687 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml @@ -20,7 +20,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-90774-1 cce@rhel8: CCE-87098-0 cce@rhel9: CCE-88098-9 diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml index d624bf46c38..32e75459419 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml 
+++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml
@@ -22,7 +22,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-90773-3
 cce@rhel8: CCE-87345-5
 cce@rhel9: CCE-88345-4
 
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml
index 6f47d25b4a4..2e8100e6f89 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml
@@ -22,7 +22,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-90772-5
 cce@rhel8: CCE-85989-2
 cce@rhel9: CCE-86089-0
 
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml
index 4d3db5bdeec..56c075d9900 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml
@@ -28,7 +28,6 @@ rationale: |-
 severity: low
 
 identifiers:
- cce@rhel7: CCE-90771-7
 cce@rhel8: CCE-89567-2
 cce@rhel9: CCE-90567-9
 
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml
index 84a92e57630..1d1e29541a5 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml
@@ -26,7 +26,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-90770-9
 cce@rhel8: CCE-86777-0
 cce@rhel9: CCE-87770-4
 
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml
index ac418c44ef3..1df1c6ce408 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml
@@ -30,7 +30,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-90769-1
 cce@rhel8: CCE-89234-9
 cce@rhel9: CCE-90234-6
 
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml
index 116f1f3d75c..9418a4c4e2a 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml
@@ -23,7 +23,6 @@ rationale: |-
 severity: high
 
 identifiers:
- cce@rhel7: CCE-90763-4
 cce@rhel8: CCE-89345-3
 cce@rhel9: CCE-90345-0
 
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
index 4efcbd136ff..c20403b04df 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82159-5
 cce@rhel8: CCE-80946-7
 cce@rhel9: CCE-83842-5
 
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
index 298ce4dc4e1..9ec567cc8c8 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82023-3
 cce@rhel8: CCE-80800-6
 cce@rhel9: CCE-83848-2
 cce@sle12: CCE-91623-9
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml
index 7bb957b1c07..c4ac8c57d69 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-86008-0
 cce@rhel8: CCE-86009-8
 cce@rhel9: CCE-86010-6
 
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
index 7c23cb63185..98c3de6f31f 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
@@ -14,7 +14,6 @@ rationale: 'Only root should be able to modify important boot parameters.'
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82026-6
 cce@rhel8: CCE-80805-5
 cce@rhel9: CCE-83845-8
 cce@sle12: CCE-91624-7
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml
index 0995f1872ee..3653a6ab687 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-86014-8
 cce@rhel8: CCE-86015-5
 cce@rhel9: CCE-86016-3
 
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
index 5ca63cc2961..9709042f676 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-82039-9
 cce@rhel8: CCE-80814-7
 cce@rhel9: CCE-83846-6
 cce@sle12: CCE-92216-1
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml
index 3b9734c3227..0d4d1d772fb 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-86023-9
 cce@rhel8: CCE-86024-7
 cce@rhel9: CCE-86025-4
 
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index f88ad2fb7da..e49280f1f27 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -28,7 +28,6 @@ severity: high
 
 identifiers:
 cce@rhcos4: CCE-83582-7
- cce@rhel7: CCE-83562-9
 cce@rhel8: CCE-83561-1
 cce@rhel9: CCE-87370-3
 
@@ -47,7 +46,6 @@ references:
 srg: SRG-OS-000080-GPOS-00048
 stigid@ol7: OL07-00-010483
 stigid@ol8: OL08-00-010149
- stigid@rhel7: RHEL-07-010483
 stigid@rhel8: RHEL-08-010149
 
 ocil_clause: 'superuser account is not set or is set to root, admin, administrator or any other existing user name'
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_no_removeable_media/rule.yml
index d218442a868..4462af3bcf3 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_no_removeable_media/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_no_removeable_media/rule.yml
@@ -16,14 +16,10 @@ rationale: |-
 
 severity: medium
 
-identifiers:
- cce@rhel7: CCE-80517-6
-
 references:
 disa: CCI-001813,CCI-001814
 srg: SRG-OS-000364-GPOS-00151
 stigid@ol7: OL07-00-021700
- stigid@rhel7: RHEL-07-021700
 
 ocil_clause: 'it is not'
 
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
index c3531c5ba6f..bdafd25b8d3 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -39,7 +39,6 @@ rationale: |-
 severity: high
 
 identifiers:
- cce@rhel7: CCE-27309-4
 cce@rhel8: CCE-80828-7
 cce@rhel9: CCE-83849-0
 cce@sle12: CCE-83044-8
@@ -64,7 +63,6 @@ references:
 srg: SRG-OS-000080-GPOS-00048
 stigid@ol7: OL07-00-010482
 stigid@ol8: OL08-00-010150
- stigid@rhel7: RHEL-07-010482
 stigid@rhel8: RHEL-08-010150
 stigid@sle12: SLES-12-010430
 stigid@sle15: SLES-15-010200
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
index 54fb60b5414..70e130eda2e 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-83430-9
 cce@rhel8: CCE-85915-7
 cce@rhel9: CCE-86696-2
 
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml
index f88aa99b562..c9e9abc8aa7 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-86011-4
 cce@rhel8: CCE-86012-2
 cce@rhel9: CCE-86013-0
 
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
index 8636f6715a8..556a9856f01 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
@@ -14,7 +14,6 @@ rationale: 'Only root should be able to modify important boot parameters.'
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-83429-1
 cce@rhel8: CCE-85913-2
 cce@rhel9: CCE-86695-4
 
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml
index 7f1bcb7454f..78fd6b5bf88 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-86019-7
 cce@rhel8: CCE-86021-3
 cce@rhel9: CCE-86022-1
 
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
index 271d91e2cbb..6b471c4ca75 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-83431-7
 cce@rhel8: CCE-85912-4
 cce@rhel9: CCE-85925-6
 
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml
index 70eae5a2daa..ebddd9ae20d 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml @@ -15,7 +15,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86026-2 cce@rhel8: CCE-86028-8 cce@rhel9: CCE-86029-6 diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml index 8acf56d3ce8..c4c22b8ad9a 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml @@ -23,19 +23,12 @@ description: |- rationale: |- Having a non-default grub superuser username makes password-guessing attacks less effective. - {{% if product == "rhel7" %}} - For more information on how to configure the grub2 superuser account and password, - please refer to -
    -
  • {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-working_with_the_grub_2_boot_loader#sec-Protecting_GRUB_2_with_a_Password") }}}
  • . -
- {{% endif %}} + severity: medium identifiers: cce@rhcos4: CCE-83540-5 - cce@rhel7: CCE-83541-3 cce@rhel8: CCE-83542-1 cce@rhel9: CCE-89427-9 @@ -54,7 +47,6 @@ references: srg: SRG-OS-000080-GPOS-00048 stigid@ol7: OL07-00-010492 stigid@ol8: OL08-00-010141 - stigid@rhel7: RHEL-07-010492 stigid@rhel8: RHEL-08-010141 ocil_clause: 'superuser account is not set or is set to an existing name or to a common name' diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml index 743ed9cd697..f7f6c9c85a3 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml @@ -40,7 +40,6 @@ severity: high identifiers: cce@rhcos4: CCE-82552-1 - cce@rhel7: CCE-80354-4 cce@rhel8: CCE-80829-5 cce@rhel9: CCE-88654-9 cce@sle12: CCE-83045-5 @@ -65,7 +64,6 @@ references: srg: SRG-OS-000080-GPOS-00048 stigid@ol7: OL07-00-010491 stigid@ol8: OL08-00-010140 - stigid@rhel7: RHEL-07-010491 stigid@rhel8: RHEL-08-010140 stigid@sle12: SLES-12-010440 stigid@sle15: SLES-15-010200 diff --git a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/rule.yml index 8a106a9e58c..da292a920f3 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/rule.yml @@ -16,14 +16,10 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80518-4 - references: disa: CCI-001813,CCI-001814 srg: SRG-OS-000364-GPOS-00151 stigid@ol7: OL07-00-021700 - stigid@rhel7: RHEL-07-021700 ocil_clause: 'it is not' 
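Review bot: The added line that replaces the removed `{{% if product == "rhel7" %}}` block in the rationale of uefi/grub2_uefi_admin_username/rule.yml appears to be empty, which leaves an extra blank line (possibly with trailing whitespace) between the rationale text and `severity: medium`. If that line still sits inside the `rationale: |-` block scalar, any trailing spaces on it become part of the rendered rationale, because `|-` strips only the final newlines; if it is outside the scalar it is simply a stray second blank line. I would drop the added line so the rationale ends at `less effective.` followed by the single existing blank line, and confirm in the rendered guide that the rationale text no longer ends in whitespace. The same hunk also removes the only documentation link for configuring the GRUB2 superuser; if a product-neutral reference exists it could take the place of the rhel7-only one, but that is optional.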
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_acpi_custom_method/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_acpi_custom_method/rule.yml
index 936c4698243..1d8de840470 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_acpi_custom_method/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_acpi_custom_method/rule.yml
@@ -19,7 +19,6 @@ warnings:
 severity: low
 
 identifiers:
- cce@rhel7: CCE-86776-2
 cce@rhel8: CCE-86778-8
 cce@rhel9: CCE-86779-6
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_binfmt_misc/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_binfmt_misc/rule.yml
index 7e93c2f69ce..a112457f3d3 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_binfmt_misc/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_binfmt_misc/rule.yml
@@ -19,7 +19,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-87765-4
 cce@rhel8: CCE-87766-2
 cce@rhel9: CCE-87767-0
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_bug/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_bug/rule.yml
index 6f9faf9f769..7f7cff8d5fb 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_bug/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_bug/rule.yml
@@ -18,7 +18,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-86093-2
 cce@rhel8: CCE-86095-7
 cce@rhel9: CCE-86096-5
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_compat_brk/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_compat_brk/rule.yml
index 14ab94aeea8..4eacfd337ac 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_compat_brk/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_compat_brk/rule.yml
@@ -20,7 +20,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-88961-8
 cce@rhel8: CCE-88962-6
 cce@rhel9: CCE-88963-4
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_compat_vdso/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_compat_vdso/rule.yml
index 91130185611..b5e33195fd3 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_compat_vdso/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_compat_vdso/rule.yml
@@ -19,7 +19,6 @@ warnings:
 severity: low
 
 identifiers:
- cce@rhel7: CCE-87255-6
 cce@rhel8: CCE-87256-4
 cce@rhel9: CCE-87257-2
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_credentials/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_credentials/rule.yml
index ddf3036972e..aa14b3e3da8 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_credentials/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_credentials/rule.yml
@@ -21,7 +21,6 @@ warnings:
 severity: low
 
 identifiers:
- cce@rhel7: CCE-86655-8
 cce@rhel8: CCE-86656-6
 cce@rhel9: CCE-86657-4
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_fs/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_fs/rule.yml
index 4410595c849..f59e62210eb 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_fs/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_fs/rule.yml
@@ -17,7 +17,6 @@ warnings:
 severity: low
 
 identifiers:
- cce@rhel7: CCE-87033-7
 cce@rhel8: CCE-88033-6
 cce@rhel9: CCE-89033-5
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_list/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_list/rule.yml
index 62fb21d69a6..dfe5f08e632 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_list/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_list/rule.yml
@@ -18,7 +18,6 @@ warnings:
 severity: low
 
 identifiers:
- cce@rhel7: CCE-86985-9
 cce@rhel8: CCE-86986-7
 cce@rhel9: CCE-86987-5
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_notifiers/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_notifiers/rule.yml
index 84d20942c12..6f0ed9b37c6 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_notifiers/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_notifiers/rule.yml
@@ -18,7 +18,6 @@ warnings:
 severity: low
 
 identifiers:
- cce@rhel7: CCE-86813-3
 cce@rhel8: CCE-86814-1
 cce@rhel9: CCE-86815-8
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_sg/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_sg/rule.yml
index eb55952390b..aa2014b2937 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_sg/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_sg/rule.yml
@@ -17,7 +17,6 @@ warnings:
 severity: low
 
 identifiers:
- cce@rhel7: CCE-87147-5
 cce@rhel8: CCE-87148-3
 cce@rhel9: CCE-87149-1
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/rule.yml
index 67bcfd1df5d..6ae3a1a37fe 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/rule.yml
@@ -23,7 +23,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-88159-9
 cce@rhel8: CCE-88160-7
 cce@rhel9: CCE-88161-5
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_devkmem/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_devkmem/rule.yml
index 5ae1272b686..c4bf760214e 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_devkmem/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_devkmem/rule.yml
@@ -17,7 +17,6 @@ warnings:
 severity: low
 
 identifiers:
- cce@rhel7: CCE-86943-8
 cce@rhel8: CCE-86947-9
 cce@rhel9: CCE-86948-7
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy/rule.yml
index 743a239a4bc..b49d2b3123e 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy/rule.yml
@@ -21,7 +21,6 @@ warnings:
 severity: high
 
 identifiers:
- cce@rhel7: CCE-87299-4
 cce@rhel8: CCE-88299-3
 cce@rhel9: CCE-89299-2
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_hibernation/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_hibernation/rule.yml
index f826e465fa1..189cc722b62 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_hibernation/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_hibernation/rule.yml
@@ -18,7 +18,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-87607-8
 cce@rhel8: CCE-87608-6
 cce@rhel9: CCE-87609-4
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_ia32_emulation/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_ia32_emulation/rule.yml
index 3713392a36a..7d16b48f9bf 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_ia32_emulation/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_ia32_emulation/rule.yml
@@ -18,7 +18,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-88745-5
 cce@rhel8: CCE-88746-3
 cce@rhel9: CCE-88747-1
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_ipv6/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_ipv6/rule.yml
index 23592a74fb1..4832241a8cf 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_ipv6/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_ipv6/rule.yml
@@ -17,7 +17,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-87224-2
 cce@rhel8: CCE-87225-9
 cce@rhel9: CCE-87226-7
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_kexec/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_kexec/rule.yml
index f68e01719cf..0344e02168d 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_kexec/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_kexec/rule.yml
@@ -18,7 +18,6 @@ warnings:
 severity: low
 
 identifiers:
- cce@rhel7: CCE-87486-7
 cce@rhel8: CCE-87488-3
 cce@rhel9: CCE-87489-1
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_legacy_ptys/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_legacy_ptys/rule.yml
index ed220cc3a85..d13dfe796ef 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_legacy_ptys/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_legacy_ptys/rule.yml
@@ -17,7 +17,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-87924-7
 cce@rhel8: CCE-87925-4
 cce@rhel9: CCE-87926-2
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig/rule.yml
index bd317bf1fd1..d61ad146c7d 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig/rule.yml
@@ -18,7 +18,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-89377-6
 cce@rhel8: CCE-89378-4
 cce@rhel9: CCE-89379-2
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_all/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_all/rule.yml
index ac3ae23b1c5..5b72f20140c 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_all/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_all/rule.yml
@@ -17,7 +17,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-89614-2
 cce@rhel8: CCE-89615-9
 cce@rhel9: CCE-89616-7
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_force/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_force/rule.yml
index 0ac2ae76a68..5c2da307d53 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_force/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_force/rule.yml
@@ -16,7 +16,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-89458-4
 cce@rhel8: CCE-89459-2
 cce@rhel9: CCE-89460-0
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_hash/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_hash/rule.yml
index 50d13463a71..a5e2e5c293a 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_hash/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_hash/rule.yml
@@ -17,7 +17,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-89842-9
 cce@rhel8: CCE-89843-7
 cce@rhel9: CCE-89844-5
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_key/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_key/rule.yml
index 2ebff1ed992..983be55248a 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_key/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_key/rule.yml
@@ -23,7 +23,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-90001-9
 cce@rhel8: CCE-90000-1
 cce@rhel9: CCE-89999-7
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_sha512/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_sha512/rule.yml
index 35c2110d775..09ffb43ec69 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_sha512/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_sha512/rule.yml
@@ -16,7 +16,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-89693-6
 cce@rhel8: CCE-89692-8
 cce@rhel9: CCE-89691-0
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_no_sanity/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_no_sanity/rule.yml
index 17f3b09780b..2af4e95f684 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_no_sanity/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_no_sanity/rule.yml
@@ -18,7 +18,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-90768-3
 cce@rhel8: CCE-88574-9
 cce@rhel9: CCE-88575-6
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_zero/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_zero/rule.yml
index a6058f98ef1..e80d0a08ef3 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_zero/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_zero/rule.yml
@@ -19,7 +19,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-88807-3
 cce@rhel8: CCE-88808-1
 cce@rhel9: CCE-88809-9
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_page_table_isolation/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_page_table_isolation/rule.yml
index c81853de68d..3860c761484 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_page_table_isolation/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_page_table_isolation/rule.yml
@@ -19,7 +19,6 @@ warnings:
 severity: high
 
 identifiers:
- cce@rhel7: CCE-88590-5
 cce@rhel8: CCE-88591-3
 cce@rhel9: CCE-88592-1
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_panic_on_oops/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_panic_on_oops/rule.yml
index eb4659a00e0..1562c5dacdd 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_panic_on_oops/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_panic_on_oops/rule.yml
@@ -18,7 +18,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-86175-7
 cce@rhel8: CCE-86176-5
 cce@rhel9: CCE-86177-3
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_panic_timeout/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_panic_timeout/rule.yml
index 66c88c88c43..af530e4fea5 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_panic_timeout/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_panic_timeout/rule.yml
@@ -19,7 +19,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-86348-0
 cce@rhel8: CCE-86349-8
 cce@rhel9: CCE-86350-6
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_proc_kcore/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_proc_kcore/rule.yml
index bfa63a68d7d..a4ea7a4a58d 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_proc_kcore/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_proc_kcore/rule.yml
@@ -17,7 +17,6 @@ warnings:
 severity: low
 
 identifiers:
- cce@rhel7: CCE-87104-6
 cce@rhel8: CCE-87105-3
 cce@rhel9: CCE-87106-1
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_randomize_base/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_randomize_base/rule.yml
index 2a9ee75da39..edbfa08220a 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_randomize_base/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_randomize_base/rule.yml
@@ -19,7 +19,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-88317-3
 cce@rhel8: CCE-88318-1
 cce@rhel9: CCE-88319-9
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_randomize_memory/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_randomize_memory/rule.yml
index 7fcbca6715a..3088ed9abc3 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_randomize_memory/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_randomize_memory/rule.yml
@@ -19,7 +19,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-88439-5
 cce@rhel8: CCE-88440-3
 cce@rhel9: CCE-88441-1
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_refcount_full/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_refcount_full/rule.yml
index f07eabf0b91..467073d05d3 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_refcount_full/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_refcount_full/rule.yml
@@ -22,7 +22,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-86421-5
 cce@rhel8: CCE-86422-3
 cce@rhel9: CCE-86423-1
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_retpoline/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_retpoline/rule.yml
index 9e8fbfff823..4724507ae5b 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_retpoline/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_retpoline/rule.yml
@@ -19,7 +19,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-87493-3
 cce@rhel8: CCE-87494-1
 cce@rhel9: CCE-87495-8
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_seccomp/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_seccomp/rule.yml
index 8134bda3e7c..552c93f238e 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_seccomp/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_seccomp/rule.yml
@@ -20,7 +20,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-86449-6
 cce@rhel8: CCE-86450-4
 cce@rhel9: CCE-86451-2
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_seccomp_filter/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_seccomp_filter/rule.yml
index 313185c18ad..dc499bc14a1 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_seccomp_filter/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_seccomp_filter/rule.yml
@@ -18,7 +18,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-86489-2
 cce@rhel8: CCE-86490-0
 cce@rhel9: CCE-86491-8
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_security/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_security/rule.yml
index 8176f31bf2e..74fe2a73cd9 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_security/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_security/rule.yml
@@ -16,7 +16,6 @@ warnings:
 severity: medium
 
 identifiers:
- cce@rhel7: CCE-86571-7
 cce@rhel8: CCE-86572-5
 cce@rhel9: CCE-86573-3
 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_security_dmesg_restrict/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_security_dmesg_restrict/rule.yml
index aeb5827fe17..7d4292511b5 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_security_dmesg_restrict/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_security_dmesg_restrict/rule.yml
@@ -16,7 +16,6 @@ warnings:
 severity: medium
 identifiers:
- cce@rhel7: CCE-87337-2
 cce@rhel8: CCE-87339-8
 cce@rhel9: CCE-87340-6
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_security_writable_hooks/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_security_writable_hooks/rule.yml
index b1ec5ae21a3..e2286cb471d 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_security_writable_hooks/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_security_writable_hooks/rule.yml
@@ -17,7 +17,6 @@ warnings:
 severity: medium
 identifiers:
- cce@rhel7: CCE-86883-6
 cce@rhel8: CCE-86884-4
 cce@rhel9: CCE-86885-1
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_security_yama/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_security_yama/rule.yml
index 9c410a2da1f..2348900cd62 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_security_yama/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_security_yama/rule.yml
@@ -19,7 +19,6 @@ warnings:
 severity: medium
 identifiers:
- cce@rhel7: CCE-86715-0
 cce@rhel8: CCE-86716-8
 cce@rhel9: CCE-86717-6
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_slub_debug/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_slub_debug/rule.yml
index 729aaf27736..f5ab0ae12d5 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_slub_debug/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_slub_debug/rule.yml
@@ -18,7 +18,6 @@ warnings:
 severity: medium
 identifiers:
- cce@rhel7: CCE-88274-6
 cce@rhel8: CCE-88275-3
 cce@rhel9: CCE-88276-1
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_syn_cookies/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_syn_cookies/rule.yml
index add20b3c51c..24e307dd22f 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_syn_cookies/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_syn_cookies/rule.yml
@@ -21,7 +21,6 @@ warnings:
 severity: medium
 identifiers:
- cce@rhel7: CCE-87329-9
 cce@rhel8: CCE-87330-7
 cce@rhel9: CCE-87331-5
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_unmap_kernel_at_el0/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_unmap_kernel_at_el0/rule.yml
index c9ea451f0b8..6b7865abbd0 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_unmap_kernel_at_el0/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_unmap_kernel_at_el0/rule.yml
@@ -22,7 +22,6 @@ warnings:
 severity: medium
 identifiers:
- cce@rhel7: CCE-90767-5
 cce@rhel8: CCE-89179-6
 cce@rhel9: CCE-89180-4
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_x86_vsyscall_emulation/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_x86_vsyscall_emulation/rule.yml
index 19ee28d1427..e7b2b25017c 100644
--- a/linux_os/guide/system/kernel_build_config/kernel_config_x86_vsyscall_emulation/rule.yml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_x86_vsyscall_emulation/rule.yml
@@ -19,7 +19,6 @@ warnings:
 severity: low
 identifiers:
- cce@rhel7: CCE-87882-7
 cce@rhel8: CCE-87883-5
 cce@rhel9: CCE-87884-3
diff --git a/linux_os/guide/system/logging/configure_logwatch_on_logserver/logwatch_configured_hostlimit/rule.yml b/linux_os/guide/system/logging/configure_logwatch_on_logserver/logwatch_configured_hostlimit/rule.yml
index 8f71ae116ce..e3a4af2d194 100644
--- a/linux_os/guide/system/logging/configure_logwatch_on_logserver/logwatch_configured_hostlimit/rule.yml
+++ b/linux_os/guide/system/logging/configure_logwatch_on_logserver/logwatch_configured_hostlimit/rule.yml
@@ -14,5 +14,3 @@ rationale: ""
 severity: unknown
-identifiers:
- cce@rhel7: CCE-80196-9
diff --git a/linux_os/guide/system/logging/configure_logwatch_on_logserver/logwatch_configured_splithosts/rule.yml b/linux_os/guide/system/logging/configure_logwatch_on_logserver/logwatch_configured_splithosts/rule.yml
index 073ed2e36da..ca28e050d6c 100644
--- a/linux_os/guide/system/logging/configure_logwatch_on_logserver/logwatch_configured_splithosts/rule.yml
+++ b/linux_os/guide/system/logging/configure_logwatch_on_logserver/logwatch_configured_splithosts/rule.yml
@@ -14,5 +14,3 @@ rationale: ""
 severity: unknown
-identifiers:
- cce@rhel7: CCE-80197-7
diff --git a/linux_os/guide/system/logging/disable_logwatch_for_logserver/rule.yml b/linux_os/guide/system/logging/disable_logwatch_for_logserver/rule.yml
index a688d8c2928..9d50911f72d 100644
--- a/linux_os/guide/system/logging/disable_logwatch_for_logserver/rule.yml
+++ b/linux_os/guide/system/logging/disable_logwatch_for_logserver/rule.yml
@@ -16,5 +16,3 @@ rationale: ""
 severity: unknown
-identifiers:
- cce@rhel7: CCE-80198-5
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
index 3dbf8e5b9d5..b940af9532a 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
@@ -21,7 +21,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80380-9
 cce@rhel8: CCE-80859-2
 cce@rhel9: CCE-83994-4
@@ -39,7 +38,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-021100
 stigid@ol8: OL08-00-030010
- stigid@rhel7: RHEL-07-021100
 stigid@rhel8: RHEL-08-030010
 ocil_clause: 'cron is not logging to rsyslog'
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml
index 147a9e532de..130ae92e70d 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml
@@ -29,7 +29,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80190-2
 cce@rhel8: CCE-80860-0
 cce@rhel9: CCE-83834-2
 cce@sle12: CCE-91508-2
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml
index 80183e5f259..8bd2591361e 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml
@@ -43,7 +43,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80189-4
 cce@rhel8: CCE-80861-8
 cce@rhel9: CCE-83946-4
 cce@sle12: CCE-91509-0
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
index 2ca3df575fa..987282577e3 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
@@ -22,7 +22,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80191-0
 cce@rhel8: CCE-80862-6
 cce@rhel9: CCE-83689-0
 cce@sle12: CCE-91510-8
diff --git a/linux_os/guide/system/logging/journald/journald_compress/rule.yml b/linux_os/guide/system/logging/journald/journald_compress/rule.yml
index 3bc9b6a1b15..a1f4cbee2ba 100644
--- a/linux_os/guide/system/logging/journald/journald_compress/rule.yml
+++ b/linux_os/guide/system/logging/journald/journald_compress/rule.yml
@@ -14,7 +14,6 @@ rationale:
 severity: medium
 identifiers:
- cce@rhel7: CCE-85929-8
 cce@rhel8: CCE-85930-6
 cce@rhel9: CCE-85931-4
 cce@sle12: CCE-92261-7
diff --git a/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml b/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml
index b0101d952a9..9f2d5611cc5 100644
--- a/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml
+++ b/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml
@@ -15,7 +15,6 @@ rationale:
 severity: medium
 identifiers:
- cce@rhel7: CCE-85994-2
 cce@rhel8: CCE-85995-9
 cce@rhel9: CCE-85996-7
 cce@sle12: CCE-92260-9
diff --git a/linux_os/guide/system/logging/journald/journald_storage/rule.yml b/linux_os/guide/system/logging/journald/journald_storage/rule.yml
index bb838d9b779..aab562ba80d 100644
--- a/linux_os/guide/system/logging/journald/journald_storage/rule.yml
+++ b/linux_os/guide/system/logging/journald/journald_storage/rule.yml
@@ -13,7 +13,6 @@ rationale:
 severity: medium
 identifiers:
- cce@rhel7: CCE-86044-5
 cce@rhel8: CCE-86045-2
 cce@rhel9: CCE-86046-0
 cce@sle12: CCE-92262-5
diff --git a/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml b/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml
index 8d2eea0384e..19022bd866f 100644
--- a/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml
+++ b/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-87415-6
 cce@rhel8: CCE-86467-8
 cce@rhel9: CCE-86760-6
diff --git a/linux_os/guide/system/logging/journald/service_systemd-journald_enabled/rule.yml b/linux_os/guide/system/logging/journald/service_systemd-journald_enabled/rule.yml
index a5c8927b332..b945385de8b 100644
--- a/linux_os/guide/system/logging/journald/service_systemd-journald_enabled/rule.yml
+++ b/linux_os/guide/system/logging/journald/service_systemd-journald_enabled/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-87634-2
 cce@rhel8: CCE-85921-5
 cce@rhel9: CCE-85941-3
diff --git a/linux_os/guide/system/logging/journald/socket_systemd-journal-remote_disabled/rule.yml b/linux_os/guide/system/logging/journald/socket_systemd-journal-remote_disabled/rule.yml
index 9f909f1d1cc..9788c34f9ac 100644
--- a/linux_os/guide/system/logging/journald/socket_systemd-journal-remote_disabled/rule.yml
+++ b/linux_os/guide/system/logging/journald/socket_systemd-journal-remote_disabled/rule.yml
@@ -20,7 +20,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-87528-6
 cce@rhel8: CCE-87605-2
 cce@rhel9: CCE-87606-0
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
index b265f06720a..a46bf9c3c45 100644
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
@@ -21,7 +21,6 @@ platform: package[logrotate]
 identifiers:
 cce@rhcos4: CCE-82689-1
- cce@rhel7: CCE-80195-1
 cce@rhel8: CCE-80794-1
 cce@rhel9: CCE-83993-6
 cce@sle12: CCE-91511-6
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_configured.pass.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_configured.pass.sh
index 03d1243a526..09409e4b325 100644
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_configured.pass.sh
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_configured.pass.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7
+# platform = Oracle Linux 7,Oracle Linux 8
 # fix logrotate config
 sed -i "s/\(weekly\|monthly\|yearly\)/daily/" /etc/logrotate.conf
diff --git a/linux_os/guide/system/logging/log_rotation/package_logrotate_installed/rule.yml b/linux_os/guide/system/logging/log_rotation/package_logrotate_installed/rule.yml
index 555492ed288..cd9ee5880d9 100644
--- a/linux_os/guide/system/logging/log_rotation/package_logrotate_installed/rule.yml
+++ b/linux_os/guide/system/logging/log_rotation/package_logrotate_installed/rule.yml
@@ -10,7 +10,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86153-4
 cce@rhel8: CCE-86154-2
 cce@rhel9: CCE-86155-9
 cce@sle12: CCE-92386-2
diff --git a/linux_os/guide/system/logging/log_rotation/timer_logrotate_enabled/rule.yml b/linux_os/guide/system/logging/log_rotation/timer_logrotate_enabled/rule.yml
index db7d8d12cc2..8cd0ca4510c 100644
--- a/linux_os/guide/system/logging/log_rotation/timer_logrotate_enabled/rule.yml
+++ b/linux_os/guide/system/logging/log_rotation/timer_logrotate_enabled/rule.yml
@@ -22,7 +22,6 @@ platform: package[logrotate]
 {{% endif %}}
 identifiers:
- cce@rhel7: CCE-86156-7
 cce@rhel8: CCE-86157-5
 cce@rhel9: CCE-86158-3
 cce@sle12: CCE-92401-9
@@ -51,7 +50,7 @@ template:
 timername: logrotate
 packagename: logrotate
-{{% if product in ["rhel7", "rhel8"] %}}
+{{% if product in ["rhel8"] %}}
 warnings:
 - general: The Systemd unit logrotate.timer does not exist in
diff --git a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
index a4f49a04874..d162bc97efb 100644
--- a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
+++ b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86724-2
 cce@rhel8: CCE-82859-0
 cce@rhel9: CCE-83987-8
 cce@sle12: CCE-91512-4
diff --git a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
index 8f4b817e8aa..de6321863f6 100644
--- a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
+++ b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
@@ -11,7 +11,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80187-8
 cce@rhel8: CCE-80847-7
 cce@rhel9: CCE-84063-7
 cce@sle12: CCE-91455-6
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_tcp/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_tcp/rule.yml
index 4b109619537..bb7dbfbec39 100644
--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_tcp/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_tcp/rule.yml
@@ -16,9 +16,6 @@ rationale: |-
 severity: unknown
-identifiers:
- cce@rhel7: CCE-80193-6
-
 references:
 cis-csc: 1,14,15,16,3,5,6
 cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01
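Review bot: In the timer_logrotate_enabled/rule.yml hunk the new condition `{{% if product in ["rhel8"] %}}` keeps a list-membership test for what is now a single product; `{{% if product == "rhel8"  %}}` states the intent directly and does not suggest the list is meant to grow again. This is purely a point of style, the rendered result is the same. The warnings block the condition guards continues past the end of the hunk, so I cannot see whether anything else in it still refers to the removed product.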
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_udp/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_udp/rule.yml
index bd097787e99..83b5add2ac7 100644
--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_udp/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_udp/rule.yml
@@ -17,9 +17,6 @@ rationale: |-
 severity: unknown
-identifiers:
- cce@rhel7: CCE-80194-4
-
 references:
 cis-csc: 1,14,15,16,3,5,6
 cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
index a944ca50ec9..dd2aed998b9 100644
--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
@@ -31,7 +31,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80192-8
 cce@rhel8: CCE-84275-7
 cce@rhel9: CCE-83995-1
 cce@sle12: CCE-92259-1
@@ -52,7 +51,6 @@ references:
 nist-csf: DE.AE-1,ID.AM-3,PR.AC-5,PR.DS-5,PR.IP-1,PR.PT-1,PR.PT-4
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-031010
- stigid@rhel7: RHEL-07-031010
 ocil_clause: "rsyslog accepts remote messages and is not documented as a log aggregation system"
diff --git a/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml b/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml
index 2b2c3fe9f30..35efb5d4593 100644
--- a/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-88320-7
 cce@rhel8: CCE-88321-5
 cce@rhel9: CCE-88322-3
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
index 6a872bb2514..e27d2e5ed8a 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
@@ -36,7 +36,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-27343-3
 cce@rhel8: CCE-80863-4
 cce@rhel9: CCE-83990-2
 cce@sle12: CCE-83180-0
@@ -62,7 +61,6 @@ references:
 srg: SRG-OS-000479-GPOS-00224,SRG-OS-000480-GPOS-00227,SRG-OS-000342-GPOS-00133
 stigid@ol7: OL07-00-031000
 stigid@ol8: OL08-00-030690
- stigid@rhel7: RHEL-07-031000
 stigid@rhel8: RHEL-08-030690
 stigid@sle12: SLES-12-030340
 stigid@sle15: SLES-15-010580
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
index 94317cba5a7..53c276baa50 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
@@ -20,7 +20,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-89194-5
 cce@rhel8: CCE-82457-3
 cce@rhel9: CCE-83991-0
 cce@sle12: CCE-91513-2
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
index c48cfbd04ae..cebe4961b34 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-89253-9
 cce@rhel8: CCE-82458-1
 cce@rhel9: CCE-83992-8
 cce@sle12: CCE-91514-0
diff --git a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
index 210ee27da52..47c0c89717e 100644
--- a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
+++ b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80188-6
 cce@rhel8: CCE-80886-5
 cce@rhel9: CCE-83989-4
 cce@sle12: CCE-91460-6
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
index 36b27e13c72..01069587744 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
@@ -20,7 +20,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82521-6
- cce@rhel7: CCE-82999-4
 cce@rhel8: CCE-82998-6
 cce@rhel9: CCE-84021-5
 cce@sle12: CCE-91461-4
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
index f58c612c12b..0a31658140f 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
@@ -17,7 +17,6 @@ platform: package[firewalld]
 identifiers:
 cce@rhcos4: CCE-82554-7
- cce@rhel7: CCE-80998-8
 cce@rhel8: CCE-80877-4
 cce@rhel9: CCE-90833-5
 cce@sle12: CCE-91466-3
@@ -40,7 +39,6 @@ references:
 srg: SRG-OS-000096-GPOS-00050,SRG-OS-000297-GPOS-00115,SRG-OS-000480-GPOS-00227,SRG-OS-000480-GPOS-00231,SRG-OS-000480-GPOS-00232
 stigid@ol7: OL07-00-040520
 stigid@ol8: OL08-00-040101
- stigid@rhel7: RHEL-07-040520
 stigid@rhel8: RHEL-08-040101
 stigid@sle15: SLES-15-010220
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml
index dd1d523c3d8..92b20382833 100644
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml
@@ -32,7 +32,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80447-6
 cce@rhel8: CCE-84300-3
 cce@rhel9: CCE-86041-1
@@ -49,7 +48,6 @@ references:
 srg: SRG-OS-000096-GPOS-00050,SRG-OS-000297-GPOS-00115
 stigid@ol7: OL07-00-040100
 stigid@ol8: OL08-00-040030
- stigid@rhel7: RHEL-07-040100
 stigid@rhel8: RHEL-08-040030
 ocil_clause: 'there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), or there are no firewall rules configured'
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/ansible/shared.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/ansible/shared.yml
index 787eb6976f7..b136bce256d 100644
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/ansible/shared.yml
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ol
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ol
 # reboot = false
 # strategy = configure
 # complexity = low
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/rule.yml
index c2da0f339b9..159e3dff07c 100644
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/rule.yml
@@ -25,14 +25,10 @@ rationale: |-
 severity: medium
-identifiers:
- cce@rhel7: CCE-80542-4
-
 references:
 disa: CCI-002385
 nist: SC-5,SC-5(1),SC-5(2),SC-5(3)(a),CM-6(a)
 srg: SRG-OS-000420-GPOS-00186
- stigid@rhel7: RHEL-07-040510
 ocil_clause: 'firewalld is not rate limiting connections'
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/tests/chain_contains_two_wrong_rules.fail.sh b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/tests/chain_contains_two_wrong_rules.fail.sh
index 2aaae2c9fae..138a79b4da3 100644
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/tests/chain_contains_two_wrong_rules.fail.sh
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/tests/chain_contains_two_wrong_rules.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = firewalld
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Oracle Linux 7
 # ensure firewalld installed
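Review bot: The rewritten platform header of configure_firewalld_rate_limiting/ansible/shared.yml still names `multi_platform_ol` twice, once in the middle of the list and once at the end; since the commit already rewrites this line, the duplicate could be dropped at the same time: `# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv`. I assume the build tolerates a repeated platform token, so this is a readability issue rather than a functional one, but it is worth confirming. Separately, the test scenarios for the same rule in this commit now declare `# platform = Oracle Linux 7` only, while the Ansible remediation still claims RHEL 8, Fedora, OL and RHV; if that is intentional, a short comment in the header saying why the remediation is broader than its tests would help the next reader.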
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/tests/chain_contains_wrong_rule.fail.sh b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/tests/chain_contains_wrong_rule.fail.sh
index 9ead5e829fb..ab3a289f64c 100644
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/tests/chain_contains_wrong_rule.fail.sh
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/tests/chain_contains_wrong_rule.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = firewalld
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Oracle Linux 7
 # ensure firewalld installed
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/tests/correct.pass.sh b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/tests/correct.pass.sh
index 6da4bba8ee0..c5f258af828 100644
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/tests/correct.pass.sh
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/tests/correct.pass.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = firewalld
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Oracle Linux 7
 # ensure firewalld installed
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/tests/file_missing.fail.sh b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/tests/file_missing.fail.sh
index 59e3c67ac20..1ed29053364 100644
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/tests/file_missing.fail.sh
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/tests/file_missing.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = firewalld
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Oracle Linux 7
 # ensure firewalld installed
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/tests/rule_in_wrong_chain.fail.sh b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/tests/rule_in_wrong_chain.fail.sh
index b69c0310f09..9477b0d79a1 100644
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/tests/rule_in_wrong_chain.fail.sh
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/tests/rule_in_wrong_chain.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = firewalld
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7
+# platform = Oracle Linux 7
 # ensure firewalld installed
 # put rule into wrong chain
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
index 9df0c120881..ce5c83196dc 100644
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
@@ -22,7 +22,6 @@ severity: medium
 platform: package[firewalld]
 identifiers:
- cce@rhel7: CCE-27349-0
 cce@rhel8: CCE-80890-7
 cce@rhel9: CCE-84023-1
 cce@sle15: CCE-91410-1
@@ -43,7 +42,6 @@ references:
 ospp: FMT_MOF_EXT.1
 pcidss: Req-1.4
 srg: SRG-OS-000480-GPOS-00227
- stigid@rhel7: RHEL-07-040810
 stigid@rhel8: RHEL-08-040090
 ocil_clause: 'the default zone is not set to DROP'
diff --git a/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml
index 48e91720014..3e509a0e441 100644
--- a/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml
@@ -17,7 +17,6 @@ severity: medium
 platform: package[firewalld]
 identifiers:
- cce@rhel7: CCE-86109-6
 cce@rhel8: CCE-86111-2
 cce@sle15: CCE-92556-0
diff --git a/linux_os/guide/system/network/network-ipsec/directory_groupowner_etc_ipsecd/rule.yml b/linux_os/guide/system/network/network-ipsec/directory_groupowner_etc_ipsecd/rule.yml
index e5503f5808f..c94018bc0ca 100644
--- a/linux_os/guide/system/network/network-ipsec/directory_groupowner_etc_ipsecd/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/directory_groupowner_etc_ipsecd/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86437-1
 cce@rhel8: CCE-86438-9
 cce@rhel9: CCE-86439-7
diff --git a/linux_os/guide/system/network/network-ipsec/directory_owner_etc_ipsecd/rule.yml b/linux_os/guide/system/network/network-ipsec/directory_owner_etc_ipsecd/rule.yml
index 07a239eebb4..87d5eb5df43 100644
--- a/linux_os/guide/system/network/network-ipsec/directory_owner_etc_ipsecd/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/directory_owner_etc_ipsecd/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86294-6
 cce@rhel8: CCE-86302-7
 cce@rhel9: CCE-86303-5
diff --git a/linux_os/guide/system/network/network-ipsec/directory_permissions_etc_ipsecd/rule.yml b/linux_os/guide/system/network/network-ipsec/directory_permissions_etc_ipsecd/rule.yml
index 3da4fcf88c4..46723ca7f4a 100644
--- a/linux_os/guide/system/network/network-ipsec/directory_permissions_etc_ipsecd/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/directory_permissions_etc_ipsecd/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86304-3
 cce@rhel8: CCE-86305-0
 cce@rhel9: CCE-86306-8
diff --git a/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_conf/rule.yml b/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_conf/rule.yml
index a62726eed74..04649f28728 100644
--- a/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_conf/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_conf/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86385-2
 cce@rhel8: CCE-86386-0
 cce@rhel9: CCE-86387-8
diff --git a/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_secrets/rule.yml b/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_secrets/rule.yml
index e5852b81e26..f23cc58dd8c 100644
--- a/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_secrets/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_secrets/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86396-9
 cce@rhel8: CCE-86397-7
 cce@rhel9: CCE-86398-5
diff --git a/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_conf/rule.yml b/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_conf/rule.yml
index fade59be6b3..f1d0e50d975 100644
--- a/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_conf/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_conf/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86388-6
 cce@rhel8: CCE-86389-4
 cce@rhel9: CCE-86391-0
diff --git a/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_secrets/rule.yml b/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_secrets/rule.yml
index 26a9805c0cb..d43a16d43f9 100644
--- a/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_secrets/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_secrets/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86399-3
 cce@rhel8: CCE-86400-9
 cce@rhel9: CCE-86401-7
diff --git a/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_conf/rule.yml b/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_conf/rule.yml
index ed643272edd..a4570bb763d 100644
--- a/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_conf/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_conf/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86392-8
 cce@rhel8: CCE-86393-6
 cce@rhel9: CCE-86395-1
diff --git a/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_secrets/rule.yml b/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_secrets/rule.yml
index 50a32697745..b0363816cc4 100644
--- a/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_secrets/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_secrets/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86403-3
 cce@rhel8: CCE-86410-8
 cce@rhel9: CCE-86411-6
diff --git a/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/rule.yml b/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/rule.yml
index 2cf33a51a8a..53492bd538d 100644
--- a/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/rule.yml
@@ -16,7 +16,6 @@ rationale: 'IP tunneling mechanisms can be used to bypass network filtering.'
 severity: medium
 identifiers:
-    cce@rhel7: CCE-80171-2
     cce@rhel8: CCE-80836-0
     cce@rhel9: CCE-90319-5
     cce@sle15: CCE-91153-7
@@ -33,7 +32,6 @@ references:
     nist-csf: DE.AE-1,ID.AM-3,PR.AC-5,PR.DS-5,PR.PT-4
     srg: SRG-OS-000480-GPOS-00227
     stigid@ol7: OL07-00-040820
-    stigid@rhel7: RHEL-07-040820
 ocil_clause: 'the IPSec tunnels are not approved'
diff --git a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
index 69011ceaa82..00b265a8201 100644
--- a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
@@ -18,7 +18,6 @@ severity: medium
 identifiers:
     cce@rhcos4: CCE-82525-7
-    cce@rhel7: CCE-80170-4
     cce@rhel8: CCE-80845-1
     cce@rhel9: CCE-84068-6
     cce@sle12: CCE-91662-7
diff --git a/linux_os/guide/system/network/network-iptables/directory_groupowner_etc_iptables/rule.yml b/linux_os/guide/system/network/network-iptables/directory_groupowner_etc_iptables/rule.yml
index dca37f50d21..a3039cabd99 100644
--- a/linux_os/guide/system/network/network-iptables/directory_groupowner_etc_iptables/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/directory_groupowner_etc_iptables/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
-    cce@rhel7: CCE-86425-6
     cce@rhel8: CCE-86426-4
     cce@rhel9: CCE-86427-2
diff --git a/linux_os/guide/system/network/network-iptables/directory_owner_etc_iptables/rule.yml b/linux_os/guide/system/network/network-iptables/directory_owner_etc_iptables/rule.yml
index 955c5d52d42..f2c01d4dde2 100644
--- a/linux_os/guide/system/network/network-iptables/directory_owner_etc_iptables/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/directory_owner_etc_iptables/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
-    cce@rhel7: CCE-86428-0
     cce@rhel8: CCE-86429-8
     cce@rhel9: CCE-86430-6
diff --git a/linux_os/guide/system/network/network-iptables/directory_permissions_etc_iptables/rule.yml b/linux_os/guide/system/network/network-iptables/directory_permissions_etc_iptables/rule.yml
index 90aa8454dd3..77237979e15 100644
--- a/linux_os/guide/system/network/network-iptables/directory_permissions_etc_iptables/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/directory_permissions_etc_iptables/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
-    cce@rhel7: CCE-86434-8
     cce@rhel8: CCE-86435-5
     cce@rhel9: CCE-86436-3
diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml
index 68bff1bb0ba..6af68712817 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml
@@ -12,7 +12,6 @@ rationale: |-
 severity: medium
 identifiers:
-    cce@rhel7: CCE-87026-1
     cce@rhel8: CCE-85961-1
     cce@rhel9: CCE-85962-9
     cce@sle12: CCE-92317-7
diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ip6tables_default_rule/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ip6tables_default_rule/rule.yml
index b331ec4376f..e56bdca2d61 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ip6tables_default_rule/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ip6tables_default_rule/rule.yml
@@ -23,7 +23,6 @@ severity: medium
 platform: not package[nftables] and not package[ufw] and package[iptables]
 identifiers:
-    cce@rhel7: CCE-86718-4
     cce@rhel8: CCE-85965-2
     cce@rhel9: CCE-85966-0
     cce@sle12: CCE-91648-6
diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml
index 70138e6da14..dd6270d4634 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml
@@ -20,7 +20,6 @@ severity: medium
 platform: not package[nftables] and not package[ufw] and package[iptables]
 identifiers:
-    cce@rhel7: CCE-86926-3
     cce@sle12: CCE-92214-6
     cce@sle15: CCE-91345-9
diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/ip6tables_rules_for_open_ports/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/ip6tables_rules_for_open_ports/rule.yml
index 04476aee832..7e97fe69b6b 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/ip6tables_rules_for_open_ports/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/ip6tables_rules_for_open_ports/rule.yml
@@ -16,7 +16,6 @@ severity: medium
 platform: not package[nftables] and not package[ufw]
 identifiers:
-    cce@rhel7: CCE-86800-0
     cce@rhel8: CCE-86801-8
 references:
diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/iptables_rules_for_open_ports/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/iptables_rules_for_open_ports/rule.yml
index c52c738cff6..6237e8001aa 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/iptables_rules_for_open_ports/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/iptables_rules_for_open_ports/rule.yml
@@ -16,7 +16,6 @@ severity: medium
 platform: not package[nftables] and not package[ufw]
 identifiers:
-    cce@rhel7: CCE-86770-5
     cce@rhel8: CCE-86771-3
 references:
diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml
index 83c68f3016b..6849136bbd7 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml
@@ -21,7 +21,6 @@ severity: medium
 platform: not package[nftables] and not package[ufw]
 identifiers:
-    cce@rhel7: CCE-86719-2
     cce@rhel8: CCE-85968-6
     cce@rhel9: CCE-85969-4
     cce@sle12: CCE-92333-4
diff --git a/linux_os/guide/system/network/network-iptables/package_iptables-services_removed/rule.yml b/linux_os/guide/system/network/network-iptables/package_iptables-services_removed/rule.yml
index 3575c9f453c..d7defdc05f7 100644
--- a/linux_os/guide/system/network/network-iptables/package_iptables-services_removed/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/package_iptables-services_removed/rule.yml
@@ -18,7 +18,6 @@ severity: medium
 platform: package[iptables]
 identifiers:
-    cce@rhel7: CCE-86678-0
     cce@rhel8: CCE-86679-8
diff --git a/linux_os/guide/system/network/network-iptables/package_iptables_installed/rule.yml b/linux_os/guide/system/network/network-iptables/package_iptables_installed/rule.yml
index 2dee826b9ce..013b4dff8b1 100644
--- a/linux_os/guide/system/network/network-iptables/package_iptables_installed/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/package_iptables_installed/rule.yml
@@ -17,7 +17,6 @@ severity: medium
 identifiers:
     cce@rhcos4: CCE-82522-4
-    cce@rhel7: CCE-82983-8
     cce@rhel8: CCE-82982-0
     cce@sle12: CCE-91549-6
     cce@sle15: CCE-91244-4
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_default_gateway/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_default_gateway/rule.yml
index 4f1d02821af..c05ed70d97f 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_default_gateway/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_default_gateway/rule.yml
@@ -15,8 +15,5 @@ rationale: ""
 severity: unknown
-identifiers:
-    cce@rhel7: CCE-80186-0
-
 references:
     disa: CCI-000366
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_privacy_extensions/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_privacy_extensions/rule.yml
index 6e6485fdc4d..325abf8edc3 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_privacy_extensions/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_privacy_extensions/rule.yml
@@ -18,9 +18,6 @@ rationale: ""
 severity: unknown
-identifiers:
-    cce@rhel7: CCE-80185-2
-
 references:
     cui: 3.1.20
     disa: CCI-000366
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_static_address/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_static_address/rule.yml
index 653e8982bd5..46eb2a56ed2 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_static_address/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_static_address/rule.yml
@@ -17,7 +17,6 @@ rationale: ""
 severity: unknown
 identifiers:
-    cce@rhel7: CCE-80184-5
     cce@rhel8: CCE-84298-9
 references:
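Review bot: After the network_ipv6_default_gateway hunk the rule keeps `rationale: ""` and `severity: unknown` but no longer carries an identifier for any product, and the same applies to network_ipv6_privacy_extensions in this run and to network_ipv6_disable_interfaces later in the diff. If these rules were only ever selected by RHEL 7 profiles they look orphaned once that product is dropped, and removing the rule directory, or adding a short comment above `severity:` explaining why the rule is retained with no identifiers, would be clearer than leaving a stub that no remaining product maps to a CCE. The profiles are not visible from this chunk, so this is a question to confirm rather than a defect.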
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
index 91c89e48440..9dd57911340 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
@@ -11,7 +11,6 @@ severity: medium
 identifiers:
     cce@rhcos4: CCE-82467-2
-    cce@rhel7: CCE-80180-3
     cce@rhel8: CCE-81006-9
     cce@rhel9: CCE-84120-5
     cce@sle12: CCE-92315-1
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
index 3c7be9426b2..31406f788ac 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
@@ -10,7 +10,6 @@ rationale: An illicit router advertisement message could result in a man-in-the-
 severity: unknown
 identifiers:
-    cce@rhel7: CCE-84271-6
     cce@rhel8: CCE-84272-4
     cce@rhel9: CCE-84115-5
     cce@sle12: CCE-91517-3
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
index 90a17a61fe8..8ade91f0a51 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
@@ -10,7 +10,6 @@ rationale: An illicit router advertisement message could result in a man-in-the-
 severity: unknown
 identifiers:
-    cce@rhel7: CCE-84279-9
     cce@rhel8: CCE-84280-7
     cce@rhel9: CCE-84122-1
     cce@sle12: CCE-91518-1
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
index b75659ca97c..c8483f85a77 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
@@ -10,7 +10,6 @@ rationale: An illicit router advertisement message could result in a man-in-the-
 severity: unknown
 identifiers:
-    cce@rhel7: CCE-84287-2
     cce@rhel8: CCE-84288-0
     cce@rhel9: CCE-84111-4
     cce@sle12: CCE-91519-9
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
index ab1b748a328..c8c5e48bab1 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
@@ -11,7 +11,6 @@ severity: medium
 identifiers:
     cce@rhcos4: CCE-82471-4
-    cce@rhel7: CCE-80182-9
     cce@rhel8: CCE-81009-3
     cce@rhel9: CCE-84125-4
     cce@sle12: CCE-83246-9
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
index e72a5746c2e..6f8ec9e9ff3 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
@@ -19,7 +19,6 @@ severity: medium
 identifiers:
     cce@rhcos4: CCE-82480-5
-    cce@rhel7: CCE-80179-5
     cce@rhel8: CCE-81013-5
     cce@rhel9: CCE-84131-2
     cce@sle12: CCE-83078-6
@@ -42,7 +41,6 @@ references:
     srg: SRG-OS-000480-GPOS-00227
     stigid@ol7: OL07-00-040830
     stigid@ol8: OL08-00-040240
-    stigid@rhel7: RHEL-07-040830
     stigid@rhel8: RHEL-08-040240
     stigid@sle12: SLES-12-030361
     stigid@sle15: SLES-15-040310
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
index f25254c0c67..12439c09918 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
@@ -10,7 +10,6 @@ rationale: An illicit router advertisement message could result in a man-in-the-
 severity: unknown
 identifiers:
-    cce@rhel7: CCE-84265-8
     cce@rhel8: CCE-84266-6
     cce@rhel9: CCE-84126-2
     cce@sle12: CCE-91520-7
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
index 4e4740d6e45..287b6d93b30 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
-    cce@rhel7: CCE-80356-9
     cce@rhel8: CCE-82863-2
     cce@rhel9: CCE-84114-8
     cce@sle12: CCE-83247-7
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml
index b7b00c0d0c9..c6ec9945a6e 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml
@@ -12,7 +12,6 @@ rationale: >-
 severity: unknown
 identifiers:
-    cce@rhel7: CCE-84258-3
     cce@rhel8: CCE-84259-1
     cce@rhel9: CCE-84112-2
     cce@sle12: CCE-91521-5
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml
index 7c18d52d654..8416b0acc59 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml
@@ -10,7 +10,6 @@ rationale: To prevent discovery of the system by other systems, router solicitat
 severity: unknown
 identifiers:
-    cce@rhel7: CCE-84281-5
     cce@rhel8: CCE-84109-8
     cce@rhel9: CCE-84128-8
     cce@sle12: CCE-91522-3
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
index 10322ea8a5d..9742aa264fb 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
@@ -11,7 +11,6 @@ severity: medium
 identifiers:
     cce@rhcos4: CCE-82468-0
-    cce@rhel7: CCE-80181-1
     cce@rhel8: CCE-81007-7
     cce@rhel9: CCE-84124-7
     cce@sle12: CCE-92316-9
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
index a9a53f570a7..1cdd795fef2 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
@@ -10,7 +10,6 @@ rationale: An illicit router advertisement message could result in a man-in-the-
 severity: unknown
 identifiers:
-    cce@rhel7: CCE-84267-4
     cce@rhel8: CCE-84268-2
     cce@rhel9: CCE-84116-3
     cce@sle12: CCE-91523-1
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
index e8c328b1353..5675ccccfb3 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
@@ -10,7 +10,6 @@ rationale: An illicit router advertisement message could result in a man-in-the-
 severity: unknown
 identifiers:
-    cce@rhel7: CCE-84273-2
     cce@rhel8: CCE-84051-2
     cce@rhel9: CCE-84118-9
     cce@sle12: CCE-91524-9
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
index a94b13c8672..02844aa9941 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
@@ -10,7 +10,6 @@ rationale: An illicit router advertisement message could result in a man-in-the-
 severity: unknown
 identifiers:
-    cce@rhel7: CCE-84289-8
     cce@rhel8: CCE-84291-4
     cce@rhel9: CCE-84121-3
     cce@sle12: CCE-91525-6
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
index ba7b1168a7c..abb4664f633 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
@@ -11,7 +11,6 @@ severity: medium
 identifiers:
     cce@rhcos4: CCE-82477-1
-    cce@rhel7: CCE-80183-7
     cce@rhel8: CCE-81010-1
     cce@rhel9: CCE-84113-0
     cce@sle12: CCE-83223-8
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
index 5ead947297d..3ad03b329d4 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
@@ -19,7 +19,6 @@ severity: medium
 identifiers:
     cce@rhcos4: CCE-82481-3
-    cce@rhel7: CCE-80355-1
     cce@rhel8: CCE-81015-0
     cce@rhel9: CCE-84130-4
     cce@sle12: CCE-83227-9
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml
index 8d0a13739c4..617c3ddfe22 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml
@@ -10,7 +10,6 @@ rationale: An illicit router advertisement message could result in a man-in-the-
 severity: unknown
 identifiers:
-    cce@rhel7: CCE-84263-3
     cce@rhel8: CCE-84264-1
     cce@rhel9: CCE-84133-8
     cce@sle12: CCE-91526-4
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml
index bfb843bea08..3511526d54f 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml
@@ -12,7 +12,6 @@ rationale: >-
 severity: unknown
 identifiers:
-    cce@rhel7: CCE-84256-7
     cce@rhel8: CCE-84257-5
     cce@rhel9: CCE-84117-1
     cce@sle12: CCE-91527-2
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml
index b4125f3d336..a3b12ed2cf3 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml
@@ -10,7 +10,6 @@ rationale: To prevent discovery of the system by other systems, router solicitat
 severity: unknown
 identifiers:
-    cce@rhel7: CCE-84283-1
     cce@rhel8: CCE-83477-0
     cce@rhel9: CCE-84026-4
     cce@sle12: CCE-91528-0
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
index 76347bdcf70..1316099ce37 100644
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: low
 identifiers:
-    cce@rhel7: CCE-82886-3
     cce@rhel8: CCE-82887-1
     cce@sle12: CCE-91548-8
     cce@sle15: CCE-91240-2
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
deleted file mode 100644
index 33f6be147e2..00000000000
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bas
-# platform = Red Hat Enterprise Linux 7
-
-# Removes ipv6.disable argument from kernel command line in /etc/default/grub
-if grep -q '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=.*"' '/etc/default/grub' ; then
-    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
-fi
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh
deleted file mode 100644
index 6163f9fbaaf..00000000000
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-# platform = Red Hat Enterprise Linux 7
-# Removes ipv6.disable argument from kernel command line in /etc/default/grub
-if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*ipv6\.disable=.*"' '/etc/default/grub' ; then
-    sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
-fi
-
-# removing the parameter from the no recovery kernel parameters as well
-sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
-
-# disabling recovery
-sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub'
-
-#if the line is not present at all, add it
-if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then
-    echo 'GRUB_CMDLINE_LINUX_DEFAULT=""' >> /etc/default/grub
-fi
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel7.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel7.fail.sh
deleted file mode 100644
index 5becb561a68..00000000000
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel7.fail.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-# platform = Red Hat Enterprise Linux 7
-
-# Removes ipv6.disable argument from kernel command line in /boot/grub2/grub.cfg
-file="/boot/grub2/grub.cfg"
-if grep -q '^.*ipv6\.disable=.*' "$file" ; then
-    sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 \2/' "$file"
-fi
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/cmd_line_commented_etcdefaultgrub.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/cmd_line_commented_etcdefaultgrub.fail.sh
index 43459097013..37f69f5705a 100644
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/cmd_line_commented_etcdefaultgrub.fail.sh
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/cmd_line_commented_etcdefaultgrub.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Red Hat Enterprise Linux 7,multi_platform_sle
+# platform = multi_platform_sle
 # Comments kernel command line in /etc/default/grub
 sed -i '/^\s*GRUB_CMDLINE_LINUX=/s//#&/' '/etc/default/grub'
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/cmd_line_not_there_etcdefaultgrub.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/cmd_line_not_there_etcdefaultgrub.fail.sh
index 660643ac192..01cb7441cc7 100644
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/cmd_line_not_there_etcdefaultgrub.fail.sh
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/cmd_line_not_there_etcdefaultgrub.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Red Hat Enterprise Linux 7,multi_platform_sle
+# platform = multi_platform_sle
 # Removes kernel command line in /etc/default/grub
 sed -i '/^\s*GRUB_CMDLINE_LINUX=/d' '/etc/default/grub'
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubby.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubby.pass.sh
deleted file mode 100644
index 59b18bd049b..00000000000
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubby.pass.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-# platform = Red Hat Enterprise Linux 7
-
-# Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby
-if grep -q '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=.*"' '/etc/default/grub' ; then
-    # modify the GRUB command-line if an ipv6.disable= arg already exists
-    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=1 \2/' '/etc/default/grub'
-else
-    # no ipv6.disable=arg is present, append it
-    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 ipv6\.disable=1"/' '/etc/default/grub'
-fi
-
-grubby --update-kernel=ALL --args="ipv6.disable=1"
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_recovery_disabled.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_recovery_disabled.pass.sh
deleted file mode 100644
index e36f81903df..00000000000
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_recovery_disabled.pass.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/bash
-# platform = Red Hat Enterprise Linux 7
-
-# Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby
-if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*ipv6\.disable=.*"' '/etc/default/grub' ; then
-    # modify the GRUB command-line if an ipv6.disable= arg already exists
-    sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=1 \2/' '/etc/default/grub'
-else
-    # no ipv6.disable=arg is present, append it
-    sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)"/\1 ipv6\.disable=1"/' '/etc/default/grub'
-fi
-
-# removing the parameter from the no recovery kernel parameters as well
-sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
-
-# disabling recovery
-sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub'
-
-#if the line is not present at all, add it
-if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then
-    echo 'GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"' >> /etc/default/grub
-fi
-
-grubby --update-kernel=ALL --args="ipv6.disable=1"
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub.fail.sh
deleted file mode 100644
index 4e7492b5884..00000000000
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub.fail.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-# platform = Red Hat Enterprise Linux 7
-
-# Break the ipv6.disable argument in kernel command line in /etc/default/grub
-if grep -q '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=.*"' '/etc/default/grub' ; then
-    # modify the GRUB command-line if an ipv6.disable= arg already exists
-    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=0 \2/' '/etc/default/grub'
-else
-    # no ipv6.disable=arg is present, append it
-    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 ipv6\.disable=0"/' '/etc/default/grub'
-fi
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh
deleted file mode 100644
index 85cc596ca87..00000000000
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh
+++ /dev/null
@@ -1,22 +0,0 @@ -#!/bin/bash -# platform = Red Hat Enterprise Linux 7 - -# Break the ipv6.disable argument in kernel command line in /etc/default/grub -if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*ipv6\.disable=.*"' '/etc/default/grub' ; then - # modify the GRUB command-line if an ipv6.disable= arg already exists - sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=0 \2/' '/etc/default/grub' -else - # no ipv6\.disable=arg is present, append it - sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)"/\1 ipv6\.disable=0"/' '/etc/default/grub' -fi - -# removing the parameter from the no recovery kernel parameters as well -sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub' - -# disabling recovery -sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub' - -#if the line is not present at all, add it -if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then - echo 'GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=0"' >> /etc/default/grub -fi diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel7.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel7.fail.sh deleted file mode 100644 index a37b45c4ad6..00000000000 --- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel7.fail.sh +++ /dev/null 
@@ -1,13 +0,0 @@ -#!/bin/bash -# platform = Red Hat Enterprise Linux 7 - -# Break the ipv6.disable argument in kernel command line in /boot/grub2/grub.cfg -file="/boot/grub2/grub.cfg" -if grep -q '^.*ipv6\.disable=.*' "$file" ; then - # modify the GRUB command-line if an ipv6.disable= arg already exists - sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 ipv6\.disable=0 \2/' "$file" -else - # no ipv6.disable=arg is present, append it - sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 ipv6\.disable=0/' "$file" -fi - diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml index 59e8ac2a958..5649b294bfe 100644 --- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml @@ -18,7 +18,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-82871-5 cce@rhel8: CCE-82872-3 cce@rhel9: CCE-84024-9 diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/network_ipv6_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/network_ipv6_disable_interfaces/rule.yml index 58ea69474ad..6bf86590d8f 100644 --- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/network_ipv6_disable_interfaces/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/network_ipv6_disable_interfaces/rule.yml @@ -12,5 +12,3 @@ rationale: "" severity: unknown -identifiers: - cce@rhel7: CCE-80176-1 diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/network_ipv6_disable_rpc/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/network_ipv6_disable_rpc/rule.yml index fc9912857bb..62703afb1d9 100644 
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/network_ipv6_disable_rpc/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/network_ipv6_disable_rpc/rule.yml @@ -16,9 +16,6 @@ rationale: "" severity: unknown -identifiers: - cce@rhel7: CCE-80177-9 - references: cis-csc: 11,14,3,9 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_all_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_all_disable_ipv6/rule.yml index 78ff2516e76..cbb597ef48f 100644 --- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_all_disable_ipv6/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_all_disable_ipv6/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80175-3 cce@rhel8: CCE-85904-1 cce@rhel9: CCE-86215-1 cce@sle12: CCE-92359-9 diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_default_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_default_disable_ipv6/rule.yml index bb16e5d7f4d..95d6d6e86da 100644 --- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_default_disable_ipv6/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_default_disable_ipv6/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-85975-1 cce@rhel8: CCE-86004-9 cce@rhel9: CCE-90764-2 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_local/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_local/rule.yml index 87a4eec87af..bd935880727 100644 
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_local/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_local/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-87789-4 cce@rhel8: CCE-88789-3 cce@rhel9: CCE-89789-2 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml index 9791720a502..1af0746c1de 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml @@ -18,7 +18,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82469-8 - cce@rhel7: CCE-80158-9 cce@rhel8: CCE-80917-8 cce@rhel9: CCE-84011-6 cce@sle12: CCE-83090-1 @@ -42,7 +41,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040641 stigid@ol8: OL08-00-040279 - stigid@rhel7: RHEL-07-040641 stigid@rhel8: RHEL-08-040279 stigid@sle12: SLES-12-030390 stigid@sle15: SLES-15-040330 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml index 65aa94003f0..7b14b71ebac 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml 
@@ -19,7 +19,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82478-9 - cce@rhel7: CCE-27434-0 cce@rhel8: CCE-81011-9 cce@rhel9: CCE-84001-7 cce@sle12: CCE-83064-6 @@ -43,7 +42,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040610 stigid@ol8: OL08-00-040239 - stigid@rhel7: RHEL-07-040610 stigid@rhel8: RHEL-08-040239 stigid@sle12: SLES-12-030360 stigid@sle15: SLES-15-040300 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_filter/rule.yml index abc43065c86..053fac70e7a 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_filter/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_filter/rule.yml @@ -16,7 +16,6 @@ warnings: severity: medium identifiers: - cce@rhel7: CCE-87555-9 cce@rhel8: CCE-88555-8 cce@rhel9: CCE-89555-7 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_ignore/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_ignore/rule.yml index 7fda022741c..572cb784c12 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_ignore/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_ignore/rule.yml @@ -14,7 +14,6 @@ warnings: severity: medium identifiers: - cce@rhel7: CCE-87889-2 cce@rhel8: CCE-88889-1 cce@rhel9: CCE-89889-0 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml index 6f371dec9cd..86aff4bf3fe 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml @@ -15,7 +15,6 @@ warnings: severity: medium identifiers: - cce@rhel7: CCE-87001-4 cce@rhel8: CCE-88001-3 cce@rhel9: CCE-89001-2 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml index 6f852e5e80e..637f5dbf83e 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-87180-6 cce@rhel8: CCE-86220-1 cce@rhel9: CCE-87181-4 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml index 7ccfaf9eb6c..b95ee93521e 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml 
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml @@ -15,7 +15,6 @@ severity: unknown identifiers: cce@rhcos4: CCE-82486-2 - cce@rhel7: CCE-80160-5 cce@rhel8: CCE-81018-4 cce@rhel9: CCE-84000-9 cce@sle12: CCE-91537-1 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_route_localnet/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_route_localnet/rule.yml index 942f7d31285..031a3234897 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_route_localnet/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_route_localnet/rule.yml @@ -12,7 +12,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-87023-8 cce@rhel8: CCE-88023-7 cce@rhel9: CCE-89023-6 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml index ba98de5617a..d1d17c660c4 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml @@ -16,7 +16,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82488-8 - cce@rhel7: CCE-80167-0 cce@rhel8: CCE-81021-8 cce@rhel9: CCE-84008-2 cce@sle12: CCE-91533-0 @@ -40,7 +39,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040611 stigid@ol8: OL08-00-040285 - stigid@rhel7: RHEL-07-040611 stigid@rhel8: RHEL-08-040285 ocil: |- 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml index c6b7678fac6..8cd92a8409c 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml @@ -14,7 +14,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82482-1 - cce@rhel7: CCE-80159-7 cce@rhel8: CCE-81016-8 cce@rhel9: CCE-84016-5 cce@sle12: CCE-91535-5 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_shared_media/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_shared_media/rule.yml index b57ef1bc9d3..22b065b98f3 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_shared_media/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_shared_media/rule.yml @@ -11,7 +11,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-87333-1 cce@rhel8: CCE-88333-0 cce@rhel9: CCE-89333-9 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml index 682de458fb6..f4216ddf46f 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml 
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml @@ -17,7 +17,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82470-6 - cce@rhel7: CCE-80163-9 cce@rhel8: CCE-80919-4 cce@rhel9: CCE-84003-3 cce@sle12: CCE-83081-0 @@ -42,7 +41,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040640 stigid@ol8: OL08-00-040209 - stigid@rhel7: RHEL-07-040640 stigid@rhel8: RHEL-08-040209 stigid@sle12: SLES-12-030400 stigid@sle15: SLES-15-040340 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml index 798295502a1..002a20bd932 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml @@ -19,7 +19,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82479-7 - cce@rhel7: CCE-80162-1 cce@rhel8: CCE-80920-2 cce@rhel9: CCE-84007-4 cce@sle12: CCE-83079-4 @@ -44,7 +43,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040620 stigid@ol8: OL08-00-040249 - stigid@rhel7: RHEL-07-040620 stigid@rhel8: RHEL-08-040249 stigid@sle12: SLES-12-030370 stigid@sle15: SLES-15-040320 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml index 1e1a4fc2c06..c05984452a1 100644 
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml @@ -15,7 +15,6 @@ severity: unknown identifiers: cce@rhcos4: CCE-82487-0 - cce@rhel7: CCE-80161-3 cce@rhel8: CCE-81020-0 cce@rhel9: CCE-84014-0 cce@sle12: CCE-92323-5 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml index 52dea2c2977..4b47a1ce294 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml @@ -16,7 +16,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82489-6 - cce@rhel7: CCE-80168-8 cce@rhel8: CCE-81022-6 cce@rhel9: CCE-84009-0 cce@sle12: CCE-91534-8 @@ -38,7 +37,6 @@ references: nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.PT-4 srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040612 - stigid@rhel7: RHEL-07-040612 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.rp_filter", value="1") }}} diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml index 5efdf8fb136..c8c77f9246a 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml 
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml @@ -14,7 +14,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82483-9 - cce@rhel7: CCE-80164-7 cce@rhel8: CCE-81017-6 cce@rhel9: CCE-84019-9 cce@sle12: CCE-91536-3 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_shared_media/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_shared_media/rule.yml index 5fa568baa12..9147d2e6eb6 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_shared_media/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_shared_media/rule.yml @@ -11,7 +11,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-87444-6 cce@rhel8: CCE-88444-5 cce@rhel9: CCE-89444-4 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml index cff52565387..cf62b1e9f19 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml @@ -16,7 +16,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82491-2 - cce@rhel7: CCE-80165-4 cce@rhel8: CCE-80922-8 cce@rhel9: CCE-84004-1 cce@sle12: CCE-83080-2 @@ -42,7 +41,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040630 stigid@ol8: OL08-00-040230 - stigid@rhel7: RHEL-07-040630 stigid@rhel8: RHEL-08-040230 stigid@sle12: SLES-12-030380 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml index 0974540f72d..f571c1c88e0 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml @@ -13,7 +13,6 @@ severity: unknown identifiers: cce@rhcos4: CCE-82490-4 - cce@rhel7: CCE-80166-2 cce@rhel8: CCE-81023-4 cce@rhel9: CCE-84015-7 cce@sle12: CCE-91539-7 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml index 13725904b42..123656d15bc 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-84276-5 cce@rhel8: CCE-84277-3 cce@rhel9: CCE-90834-3 cce@sle12: CCE-91540-5 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml index 143584d733e..d0ec0b0f4c1 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml 
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml @@ -32,7 +32,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-82893-9 cce@rhel9: CCE-86394-4 references: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml index 012b2cfe7d4..409fcbdb237 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-84269-0 cce@rhel8: CCE-84270-8 cce@rhel9: CCE-84012-4 cce@sle12: CCE-91538-9 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml index 332f9becc45..53a852a55fd 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml @@ -17,7 +17,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82492-0 - cce@rhel7: CCE-27495-1 cce@rhel8: CCE-80923-6 cce@rhel9: CCE-84006-6 cce@sle12: CCE-83179-2 diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml index a8b11cd1a68..ca83391d573 100644 
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml @@ -16,7 +16,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82484-7 - cce@rhel7: CCE-80156-3 cce@rhel8: CCE-80918-6 cce@rhel9: CCE-83997-7 cce@sle12: CCE-83089-3 @@ -41,7 +40,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040660 stigid@ol8: OL08-00-040220 - stigid@rhel7: RHEL-07-040660 stigid@rhel8: RHEL-08-040220 stigid@sle12: SLES-12-030420 stigid@sle15: SLES-15-040370 diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml index 4eb52cc769b..27dc6465311 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml @@ -16,7 +16,6 @@ severity: medium identifiers: cce@rhcos4: CCE-82485-4 - cce@rhel7: CCE-80999-6 cce@rhel8: CCE-80921-0 cce@rhel9: CCE-83999-3 cce@sle12: CCE-83086-9 @@ -41,7 +40,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040650 stigid@ol8: OL08-00-040270 - stigid@rhel7: RHEL-07-040650 stigid@rhel8: RHEL-08-040270 stigid@sle12: SLES-12-030410 stigid@sle15: SLES-15-040360 diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml index ab8da70351d..71d529591b3 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml 
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml @@ -14,7 +14,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80157-1 cce@rhel8: CCE-81024-2 cce@rhel9: CCE-83998-5 cce@sle12: CCE-83088-5 @@ -39,7 +38,6 @@ references: pcidss: Req-1.3.1,Req-1.3.2 srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040740 - stigid@rhel7: RHEL-07-040740 stigid@sle12: SLES-12-030430 stigid@sle15: SLES-15-040380 diff --git a/linux_os/guide/system/network/network-nftables/directory_groupowner_etc_nftables/rule.yml b/linux_os/guide/system/network/network-nftables/directory_groupowner_etc_nftables/rule.yml index db2815f7f2b..3a2a3b278bd 100644 --- a/linux_os/guide/system/network/network-nftables/directory_groupowner_etc_nftables/rule.yml +++ b/linux_os/guide/system/network/network-nftables/directory_groupowner_etc_nftables/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86307-6 cce@rhel8: CCE-86308-4 cce@rhel9: CCE-86309-2 diff --git a/linux_os/guide/system/network/network-nftables/directory_owner_etc_nftables/rule.yml b/linux_os/guide/system/network/network-nftables/directory_owner_etc_nftables/rule.yml index fd6f6ed15cc..288b188dcb9 100644 --- a/linux_os/guide/system/network/network-nftables/directory_owner_etc_nftables/rule.yml +++ b/linux_os/guide/system/network/network-nftables/directory_owner_etc_nftables/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86310-0 cce@rhel8: CCE-86311-8 cce@rhel9: CCE-86313-4 diff --git a/linux_os/guide/system/network/network-nftables/directory_permissions_etc_nftables/rule.yml b/linux_os/guide/system/network/network-nftables/directory_permissions_etc_nftables/rule.yml index bc8b628c162..e0e581b9d63 100644 --- a/linux_os/guide/system/network/network-nftables/directory_permissions_etc_nftables/rule.yml +++ b/linux_os/guide/system/network/network-nftables/directory_permissions_etc_nftables/rule.yml 
@@ -13,7 +13,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86317-5 cce@rhel8: CCE-86318-3 cce@rhel9: CCE-86320-9 diff --git a/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml b/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml index 0dd58d347f0..a08f633d25a 100644 --- a/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml +++ b/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml @@ -17,7 +17,6 @@ severity: medium platform: package[nftables] and service_disabled[firewalld] identifiers: - cce@rhel7: CCE-86462-9 cce@sle15: CCE-92507-3 references: diff --git a/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/rule.yml b/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/rule.yml index 03c22f6e84f..c0d61ce7d35 100644 --- a/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/rule.yml +++ b/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/rule.yml @@ -19,7 +19,6 @@ severity: medium platform: package[nftables] and service_disabled[firewalld] identifiers: - cce@rhel7: CCE-86625-1 cce@sle15: CCE-92485-2 references: diff --git a/linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml b/linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml index 13f1d60c722..cc87d6ab058 100644 --- a/linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml +++ b/linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml @@ -18,7 +18,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86682-2 cce@rhel8: CCE-86376-1 cce@rhel9: CCE-86378-7 cce@sle15: CCE-92469-6 
diff --git a/linux_os/guide/system/network/network-nftables/package_nftables_removed/rule.yml b/linux_os/guide/system/network/network-nftables/package_nftables_removed/rule.yml index 1517fb5eaf2..d96fb48a328 100644 --- a/linux_os/guide/system/network/network-nftables/package_nftables_removed/rule.yml +++ b/linux_os/guide/system/network/network-nftables/package_nftables_removed/rule.yml @@ -14,7 +14,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86680-6 cce@sle15: CCE-92518-0 references: diff --git a/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml b/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml index 34a1e50700b..5dc3e4ba64e 100644 --- a/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml +++ b/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86683-0 cce@rhel8: CCE-88428-8 cce@rhel9: CCE-88429-6 cce@sle15: CCE-92529-7 diff --git a/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml b/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml index ae240d4f016..38b2b27e0e6 100644 --- a/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml +++ b/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86723-4 cce@rhel8: CCE-86725-9 cce@sle15: CCE-92560-2 diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_base_chain/rule.yml b/linux_os/guide/system/network/network-nftables/set_nftables_base_chain/rule.yml index 355342d3fa3..ea37d1611b2 100644 --- a/linux_os/guide/system/network/network-nftables/set_nftables_base_chain/rule.yml +++ b/linux_os/guide/system/network/network-nftables/set_nftables_base_chain/rule.yml 
@@ -19,7 +19,6 @@ severity: medium
platform: package[nftables]
identifiers:
- cce@rhel7: CCE-86333-2
cce@sle15: CCE-92578-4
references:
diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml b/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml
index 43e4bbd4a0b..c47a7cf2307 100644
--- a/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml
@@ -20,7 +20,6 @@ severity: medium
platform: package[nftables] and service_disabled[firewalld]
identifiers:
- cce@rhel7: CCE-86382-9
cce@sle15: CCE-92481-1
references:
diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_table/rule.yml b/linux_os/guide/system/network/network-nftables/set_nftables_table/rule.yml
index 30bccc9b4e8..50e0f61d9cf 100644
--- a/linux_os/guide/system/network/network-nftables/set_nftables_table/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/set_nftables_table/rule.yml
@@ -27,7 +27,6 @@ severity: medium
platform: package[nftables]
identifiers:
- cce@rhel7: CCE-86161-7
cce@rhel8: CCE-86162-5
cce@rhel9: CCE-86163-3
cce@sle15: CCE-92569-3
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml
index 9e964b77084..07f7dfefa5d 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml
@@ -17,7 +17,6 @@ severity: medium
identifiers:
cce@rhcos4: CCE-82518-2
- cce@rhel7: CCE-82162-9
cce@rhel8: CCE-82028-2
cce@rhel9: CCE-84137-9
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml
index 9e67a0f529c..194fe6d1e13 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml
@@ -17,7 +17,6 @@ severity: medium
identifiers:
cce@rhcos4: CCE-82519-0
- cce@rhel7: CCE-82164-5
cce@rhel8: CCE-82059-7
cce@rhel9: CCE-84134-6
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
index 34fe0539f7c..59126971efd 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-82024-1
cce@rhel8: CCE-80833-7
cce@rhel9: CCE-84136-1
cce@sle12: CCE-91599-1
@@ -40,7 +39,6 @@ references:
pcidss: Req-1.4.2
srg: SRG-OS-000096-GPOS-00050,SRG-OS-000378-GPOS-00163
stigid@ol7: OL07-00-020101
- stigid@rhel7: RHEL-07-020101
{{{ complete_ocil_entry_module_disable(module="dccp") }}}
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml
index 2d88048319d..de56635163a 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml
@@ -16,7 +16,6 @@ severity: low
identifiers:
cce@rhcos4: CCE-82517-4
- cce@rhel7: CCE-82160-3
cce@rhel8: CCE-82005-0
cce@rhel9: CCE-84060-3
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml
index 1b4c9f9dcd3..9f53b2256c9 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
severity: low
identifiers:
- cce@rhel7: CCE-82869-9
cce@rhel8: CCE-82870-7
cce@rhel9: CCE-84064-5
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
index 4a07631b4c9..5439fd348b5 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
@@ -18,7 +18,6 @@ severity: medium
identifiers:
cce@rhcos4: CCE-82516-6
- cce@rhel7: CCE-82044-9
cce@rhel8: CCE-80834-5
cce@rhel9: CCE-84139-5
cce@sle12: CCE-91600-7
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml
index 8dc3c982ff7..3747c4b835f 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml
@@ -23,7 +23,6 @@ severity: low
identifiers:
cce@rhcos4: CCE-82520-8
- cce@rhel7: CCE-83395-4
cce@rhel8: CCE-82297-3
cce@rhel9: CCE-84065-2
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml
index 18eb627e6c4..ea61f247881 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml
@@ -19,7 +19,6 @@ severity: medium
identifiers:
cce@rhcos4: CCE-82515-8
- cce@rhel7: CCE-27327-6
cce@rhel8: CCE-80832-9
cce@rhel9: CCE-84067-8
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml
index b3766b3e23a..0a925c4a657 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-27328-4
cce@rhel8: CCE-87231-7
cce@rhel9: CCE-86761-4
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios/rule.yml
index 40321b2e779..2f6fa6f036a 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios/rule.yml
@@ -18,7 +18,6 @@ severity: unknown
identifiers:
cce@rhcos4: CCE-82659-4
- cce@rhel7: CCE-27397-9
references:
cis-csc: 11,12,14,15,3,8,9
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
index bc2af847731..5238c00e89f 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
@@ -36,7 +36,6 @@ severity: medium
identifiers:
cce@rhcos4: CCE-82660-2
- cce@rhel7: CCE-27358-1
cce@rhel8: CCE-83501-7
cce@rhel9: CCE-84066-0
cce@sle12: CCE-83148-7
@@ -62,7 +61,6 @@ references:
srg: SRG-OS-000299-GPOS-00117,SRG-OS-000300-GPOS-00118,SRG-OS-000424-GPOS-00188,SRG-OS-000481-GPOS-000481
stigid@ol7: OL07-00-041010
stigid@ol8: OL08-00-040110
- stigid@rhel7: RHEL-07-041010
stigid@rhel8: RHEL-08-040110
stigid@sle12: SLES-12-030450
stigid@sle15: SLES-15-010380
diff --git a/linux_os/guide/system/network/network_configure_name_resolution/rule.yml b/linux_os/guide/system/network/network_configure_name_resolution/rule.yml
index 93db24be0c3..6f6dcae5a69 100644
--- a/linux_os/guide/system/network/network_configure_name_resolution/rule.yml
+++ b/linux_os/guide/system/network/network_configure_name_resolution/rule.yml
@@ -37,7 +37,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80438-5
cce@rhel8: CCE-84049-6
cce@rhel9: CCE-86858-8
@@ -52,7 +51,6 @@ references:
srg: SRG-OS-000480-GPOS-00227
stigid@ol7: OL07-00-040600
stigid@ol8: OL08-00-010680
- stigid@rhel7: RHEL-07-040600
stigid@rhel8: RHEL-08-010680
ocil_clause: 'less than two lines are returned that are not commented out'
diff --git a/linux_os/guide/system/network/network_disable_ddns_interfaces/rule.yml b/linux_os/guide/system/network/network_disable_ddns_interfaces/rule.yml
index eb61e926616..05145735e32 100644
--- a/linux_os/guide/system/network/network_disable_ddns_interfaces/rule.yml
+++ b/linux_os/guide/system/network/network_disable_ddns_interfaces/rule.yml
@@ -19,9 +19,6 @@ rationale: |-
severity: medium
-identifiers:
- cce@rhel7: CCE-80357-7
-
references:
cis-csc: 11,3,9
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
diff --git a/linux_os/guide/system/network/network_disable_zeroconf/bash/shared.sh b/linux_os/guide/system/network/network_disable_zeroconf/bash/shared.sh
index 6f2e6fa202c..7e8b5abc000 100644
--- a/linux_os/guide/system/network/network_disable_zeroconf/bash/shared.sh
+++ b/linux_os/guide/system/network/network_disable_zeroconf/bash/shared.sh
@@ -1,2 +1,2 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+# platform = Red Hat Enterprise Linux 8
echo "NOZEROCONF=yes" >> /etc/sysconfig/network
diff --git a/linux_os/guide/system/network/network_disable_zeroconf/rule.yml b/linux_os/guide/system/network/network_disable_zeroconf/rule.yml
index c8a8f104e49..8b257e063d3 100644
--- a/linux_os/guide/system/network/network_disable_zeroconf/rule.yml
+++ b/linux_os/guide/system/network/network_disable_zeroconf/rule.yml
@@ -19,9 +19,6 @@ rationale: |-
severity: unknown
-identifiers:
- cce@rhel7: CCE-80173-8
-
references:
cis-csc: 11,14,3,9
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
diff --git a/linux_os/guide/system/network/network_nmcli_permissions/ansible/shared.yml b/linux_os/guide/system/network/network_nmcli_permissions/ansible/shared.yml
index 8f4b370ac01..c2816c906b4 100644
--- a/linux_os/guide/system/network/network_nmcli_permissions/ansible/shared.yml
+++ b/linux_os/guide/system/network/network_nmcli_permissions/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_rhv,multi_platform_fedora
+# platform = Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_rhv,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
diff --git a/linux_os/guide/system/network/network_nmcli_permissions/rule.yml b/linux_os/guide/system/network/network_nmcli_permissions/rule.yml
index 885f14bbec7..175db2c12ac 100644
--- a/linux_os/guide/system/network/network_nmcli_permissions/rule.yml
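Review bot: In the network_disable_zeroconf bash remediation, the surviving line `echo "NOZEROCONF=yes" >> /etc/sysconfig/network` still appends unconditionally, so each run of the fix (now scoped to Red Hat Enterprise Linux 8 only) adds another NOZEROCONF line rather than converging on one setting; this predates the commit, but narrowing the platform header is a natural point to make it idempotent, e.g. `grep -q '^NOZEROCONF=' /etc/sysconfig/network || echo "NOZEROCONF=yes" >> /etc/sysconfig/network`. The companion network_disable_zeroconf/rule.yml hunk on this line removes the rule's only identifiers block, as the network_disable_ddns_interfaces and dir_perms_world_writable_system_owned hunks do for their rules; if no remaining product still selects these rules it may be cleaner to retire them than to keep CCE-less rules, which I cannot confirm from the diff alone.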
+++ b/linux_os/guide/system/network/network_nmcli_permissions/rule.yml
@@ -31,7 +31,6 @@ severity: medium
identifiers:
cce@rhcos4: CCE-82696-6
- cce@rhel7: CCE-82178-5
cce@rhel8: CCE-82179-3
cce@rhel9: CCE-90061-3
diff --git a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
index ff68190cb6c..14c9015b007 100644
--- a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
+++ b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
@@ -26,7 +26,6 @@ severity: medium
platform: machine # The oscap interface probe doesn't support offline mode
identifiers:
- cce@rhel7: CCE-80174-6
cce@rhel8: CCE-82283-3
cce@rhel9: CCE-83996-9
cce@sle12: CCE-83147-9
@@ -45,7 +44,6 @@ references:
srg: SRG-OS-000480-GPOS-00227
stigid@ol7: OL07-00-040670
stigid@ol8: OL08-00-040330
- stigid@rhel7: RHEL-07-040670
stigid@rhel8: RHEL-08-040330
stigid@sle12: SLES-12-030440
stigid@sle15: SLES-15-040390
diff --git a/linux_os/guide/system/network/network_ssl/group.yml b/linux_os/guide/system/network/network_ssl/group.yml
index b641ec610b5..bcd4f7c4bf9 100644
--- a/linux_os/guide/system/network/network_ssl/group.yml
+++ b/linux_os/guide/system/network/network_ssl/group.yml
@@ -13,7 +13,3 @@ description: |-
{{{ weblink(link="http://www.openssl.org/docs/") }}}. Information on FIPS validation of OpenSSL is available at {{{ weblink(link="http://www.openssl.org/docs/fips.html") }}} and {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm") }}}.
- {{% if product == "rhel7" %}}
- For information on how to use and implement OpenSSL on Red Hat Enterprise Linux, see
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_OpenSSL.html") }}}
- {{% endif %}}
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
index db3b86f2f21..52dbf4624d7 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-83374-9
cce@rhel8: CCE-83375-6
cce@rhel9: CCE-83903-5
cce@sle12: CCE-91597-5
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
index 2de82bc0d74..175dde26edd 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
@@ -27,7 +27,6 @@ severity: medium
identifiers:
cce@rhcos4: CCE-82753-5
- cce@rhel7: CCE-80130-8
cce@rhel8: CCE-80783-4
cce@rhel9: CCE-83895-3
cce@sle12: CCE-83047-1
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml
index 33506cb0b81..cc3eebbb395 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml
@@ -16,9 +16,6 @@ rationale: |-
severity: medium
-identifiers:
- cce@rhel7: CCE-80136-5
-
references:
cis-csc: 12,13,14,15,16,18,3,5
cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
@@ -31,7 +28,6 @@ references:
srg: SRG-OS-000480-GPOS-00227
stigid@ol7: OL07-00-021031
stigid@ol8: OL08-00-010700
- stigid@rhel7: RHEL-07-021031
ocil_clause: 'there is output'
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
index fb414f5d73a..f40488fb9f0 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
@@ -20,7 +20,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-83923-3
cce@rhel8: CCE-85886-0
cce@sle12: CCE-83104-0
cce@sle15: CCE-85637-7
@@ -38,7 +37,6 @@ references:
srg: SRG-OS-000480-GPOS-00227
stigid@ol7: OL07-00-021030
stigid@ol8: OL08-00-010710
- stigid@rhel7: RHEL-07-021030
stigid@rhel8: RHEL-08-010710
stigid@sle12: SLES-12-010830
stigid@sle15: SLES-15-040180
diff --git a/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml
index ba0f2ee061f..a1fbd1673b4 100644
--- a/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml
@@ -35,7 +35,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-87021-2
cce@rhel8: CCE-87022-0
cce@rhel9: CCE-87025-3
cce@sle12: CCE-83244-4
diff --git a/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml
index 81f900df7fb..bc9bad75929 100644
--- a/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml
@@ -33,7 +33,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-87027-9
cce@rhel8: CCE-87028-7
cce@rhel9: CCE-87029-5
cce@sle12: CCE-83242-8
diff --git a/linux_os/guide/system/permissions/files/file_groupowner_etc_crypttab/rule.yml b/linux_os/guide/system/permissions/files/file_groupowner_etc_crypttab/rule.yml
index 381ff93e48a..2ce6b9535ca 100644
--- a/linux_os/guide/system/permissions/files/file_groupowner_etc_crypttab/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_groupowner_etc_crypttab/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-86361-3
cce@rhel8: CCE-86362-1
cce@rhel9: CCE-86363-9
diff --git a/linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml b/linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml
index 81fe104ffe0..8a4604339c1 100644
--- a/linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
severity: low
identifiers:
- cce@rhel7: CCE-86582-4
cce@rhel8: CCE-86583-2
cce@rhel9: CCE-86584-0
diff --git a/linux_os/guide/system/permissions/files/file_owner_etc_crypttab/rule.yml b/linux_os/guide/system/permissions/files/file_owner_etc_crypttab/rule.yml
index 2538b2dce36..ea8606c07e8 100644
--- a/linux_os/guide/system/permissions/files/file_owner_etc_crypttab/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_owner_etc_crypttab/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-86364-7
cce@rhel8: CCE-86365-4
cce@rhel9: CCE-86366-2
diff --git a/linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml b/linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml
index 8463baee299..f4e12e3d26e 100644
--- a/linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
severity: low
identifiers:
- cce@rhel7: CCE-86585-7
cce@rhel8: CCE-86586-5
cce@rhel9: CCE-86587-3
diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_crypttab/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_etc_crypttab/rule.yml
index 37ac4f73cf7..c9a27af4dc8 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_etc_crypttab/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_etc_crypttab/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-86367-0
cce@rhel8: CCE-86369-6
cce@rhel9: CCE-86370-4
diff --git a/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml
index 2c6b0ab7525..9a6f4f0cf98 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
severity: low
identifiers:
- cce@rhel7: CCE-82350-0
cce@rhel8: CCE-82892-1
cce@rhel9: CCE-86581-6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
index 408173cc2e5..5874b439721 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
@@ -21,7 +21,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80132-4
cce@rhel8: CCE-80816-2
cce@rhel9: CCE-83901-9
cce@sle12: CCE-91472-1
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
index 3b09b8a4872..587cd619024 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
@@ -21,7 +21,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80133-2
cce@rhel8: CCE-80817-0
cce@rhel9: CCE-83897-9
cce@sle12: CCE-91473-9
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
index cf955e077ff..48e7a45374c 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80131-6
cce@rhel8: CCE-80818-8
cce@rhel9: CCE-83902-7
cce@sle12: CCE-91583-5
diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
index 1e2f7f2b017..f0e29be96bb 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
@@ -25,7 +25,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80135-7
cce@rhel8: CCE-83497-8
cce@rhel9: CCE-83906-8
cce@sle12: CCE-83073-7
@@ -47,7 +46,6 @@ references:
srg: SRG-OS-000480-GPOS-00227
stigid@ol7: OL07-00-020330
stigid@ol8: OL08-00-010790
- stigid@rhel7: RHEL-07-020330
stigid@rhel8: RHEL-08-010790
stigid@sle12: SLES-12-010700
stigid@sle15: SLES-15-040410
diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
index 93ec22b3556..4abe9582832 100644
--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
@@ -24,7 +24,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80134-0
cce@rhel8: CCE-83499-4
cce@rhel9: CCE-83896-1
cce@sle12: CCE-83072-9
@@ -46,7 +45,6 @@ references:
srg: SRG-OS-000480-GPOS-00227
stigid@ol7: OL07-00-020320
stigid@ol8: OL08-00-010780
- stigid@rhel7: RHEL-07-020320
stigid@rhel8: RHEL-08-010780
stigid@sle12: SLES-12-010690
stigid@sle15: SLES-15-040400
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml
index 3faae884ca3..3e04870285e 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-87198-8
cce@rhel8: CCE-86140-1
cce@rhel9: CCE-86762-2
cce@sle12: CCE-83172-7
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
index 5b38b6f00e8..796ea15bee6 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
@@ -12,7 +12,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-83474-7
cce@rhel8: CCE-83475-4
cce@rhel9: CCE-83928-2
cce@sle12: CCE-91699-9
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
index 3a02ed25de7..03a656640c2 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-83534-8
cce@rhel8: CCE-83535-5
cce@rhel9: CCE-83951-4
cce@sle12: CCE-92447-2
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
index 197ba4f8e30..d0189f41eca 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
@@ -12,7 +12,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-83323-6
cce@rhel8: CCE-83324-4
cce@rhel9: CCE-83933-2
cce@sle12: CCE-91693-2
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
index 98cfa55fefd..86b6bb0615c 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-83414-3
     cce@rhel8: CCE-83415-0
     cce@rhel9: CCE-83938-1
     cce@sle12: CCE-91697-3
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
index 35df43fbd21..d7d78a2d512 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
@@ -11,7 +11,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-82037-3
     cce@rhel8: CCE-80796-6
     cce@rhel9: CCE-83945-6
     cce@sle12: CCE-91626-2
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
index 4ac15c18868..85e1f326f3c 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-82025-8
     cce@rhel8: CCE-80797-4
     cce@rhel9: CCE-83948-0
     cce@sle12: CCE-92225-2
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
index 8fcb22c7c16..30702ed6ed1 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
@@ -11,7 +11,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-26639-5
     cce@rhel8: CCE-80798-2
     cce@rhel9: CCE-83950-6
     cce@sle12: CCE-91627-0
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
index 20532dc4a6b..6a92f98df55 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-82051-4
     cce@rhel8: CCE-80799-0
     cce@rhel9: CCE-83930-8
     cce@sle12: CCE-91628-8
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shells/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shells/rule.yml
index e10f907ddd4..3ead92feadd 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shells/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shells/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-86624-4
     cce@rhel8: CCE-87030-3
     cce@rhel9: CCE-90434-2
 
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
index c1fcf40cf9b..166cee0757f 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
@@ -12,7 +12,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-83472-1
     cce@rhel8: CCE-83473-9
     cce@rhel9: CCE-83944-9
     cce@sle12: CCE-91700-5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
index f811c1d4ba0..36785bf59d9 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
@@ -11,7 +11,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-83532-2
     cce@rhel8: CCE-83533-0
     cce@rhel9: CCE-83929-0
     cce@sle12: CCE-92448-0
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
index 65d5b9497a9..7fe6597da22 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
@@ -12,7 +12,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-83325-1
     cce@rhel8: CCE-83326-9
     cce@rhel9: CCE-83947-2
     cce@sle12: CCE-91694-0
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
index 9014961478b..1f1e31d22a5 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
@@ -12,7 +12,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-83412-7
     cce@rhel8: CCE-83413-5
     cce@rhel9: CCE-83949-8
     cce@sle12: CCE-91696-5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
index fa791f7dd31..f4efea19fef 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
@@ -11,7 +11,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-82031-6
     cce@rhel8: CCE-80801-4
     cce@rhel9: CCE-83925-8
     cce@sle12: CCE-91665-0
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
index 6bcf5e4247d..5bd1047554d 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
@@ -11,7 +11,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-82195-9
     cce@rhel8: CCE-80802-2
     cce@rhel9: CCE-83924-1
     cce@sle12: CCE-91557-9
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
index 818b30b2b62..15abd75e423 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
@@ -11,7 +11,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-82052-2
     cce@rhel8: CCE-80803-0
     cce@rhel9: CCE-83943-1
     cce@sle12: CCE-91666-8
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
index b796ed2bc76..91056880e36 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-82022-5
     cce@rhel8: CCE-80804-8
     cce@rhel9: CCE-83926-6
     cce@sle12: CCE-83259-2
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shells/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shells/rule.yml
index 507ecded3e7..ad54bf8469b 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shells/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shells/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-86622-8
     cce@rhel8: CCE-87055-0
     cce@rhel9: CCE-90435-9
 
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
index 536cb651c6a..31dbb3e7c28 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-83482-0
     cce@rhel8: CCE-83483-8
     cce@rhel9: CCE-83939-9
     cce@sle12: CCE-92201-3
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
index 81e55625b87..8a73eda8502 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
@@ -20,7 +20,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-83572-8
     cce@rhel8: CCE-83573-6
     cce@rhel9: CCE-83942-3
     cce@sle12: CCE-92449-8
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
index 046f971d48d..d823a3bf1df 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-83331-9
     cce@rhel8: CCE-83332-7
     cce@rhel9: CCE-83940-7
     cce@sle12: CCE-91695-7
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
index 88cbd5c28c4..cb8390b8639 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
@@ -21,7 +21,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-83416-8
     cce@rhel8: CCE-83417-6
     cce@rhel9: CCE-83935-7
     cce@sle12: CCE-91698-1
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
index 8ff1e74e79c..dfdcb91809d 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
@@ -12,7 +12,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-82032-4
     cce@rhel8: CCE-80810-5
     cce@rhel9: CCE-83934-0
     cce@sle12: CCE-91451-5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
index 69061c28bca..dbbed03eeeb 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
@@ -20,7 +20,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-82192-6
     cce@rhel8: CCE-80811-3
     cce@rhel9: CCE-83921-7
     cce@sle12: CCE-91558-7
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
index 37da6682147..12d9ff4755c 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-82029-0
     cce@rhel8: CCE-80812-1
     cce@rhel9: CCE-83931-6
     cce@sle12: CCE-91452-3
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
index 15e54252086..cd39172a0cd 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
@@ -23,7 +23,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-82042-3
     cce@rhel8: CCE-80813-9
     cce@rhel9: CCE-83941-5
     cce@sle12: CCE-91479-6
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shells/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shells/rule.yml
index 6079c4ef08e..d71cfb3b332 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shells/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shells/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-86626-9
     cce@rhel8: CCE-86634-3
     cce@rhel9: CCE-90432-6
 
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_groupowner_etc_sysctld/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_groupowner_etc_sysctld/rule.yml
index 406d08f8f23..c7de9aa0c80 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_groupowner_etc_sysctld/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_groupowner_etc_sysctld/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-86322-5
     cce@rhel8: CCE-86324-1
     cce@rhel9: CCE-86325-8
 
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_owner_etc_sysctld/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_owner_etc_sysctld/rule.yml
index 031fb6d616a..4f7d3cbc537 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_owner_etc_sysctld/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_owner_etc_sysctld/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-86326-6
     cce@rhel8: CCE-86329-0
     cce@rhel9: CCE-86330-8
 
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_permissions_etc_sysctld/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_permissions_etc_sysctld/rule.yml
index 17e67765927..a11b1324776 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_permissions_etc_sysctld/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_permissions_etc_sysctld/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-86331-6
     cce@rhel8: CCE-86332-4
     cce@rhel9: CCE-86337-3
 
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml
index ccd94f4555e..d0a4f602131 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml
@@ -36,7 +36,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-89014-5
     cce@rhel8: CCE-86455-3
     cce@rhel9: CCE-86457-9
 
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml
index be0eb09e1f4..badc9b02384 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml
@@ -34,7 +34,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-87031-1
     cce@rhel8: CCE-86519-6
     cce@rhel9: CCE-89442-8
     cce@sle12: CCE-83243-6
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml
index 146a654ec7c..61ec70be3f9 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml
@@ -36,7 +36,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-88959-2
     cce@rhel8: CCE-86453-8
     cce@rhel9: CCE-86454-6
 
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
index a8a1bab78c2..4a3d7e8b002 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
@@ -25,7 +25,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-82048-0
     cce@rhel8: CCE-80806-3
     cce@rhel9: CCE-83908-4
     cce@sle12: CCE-83241-0
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
index 104fe66a58c..ea5574517df 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
@@ -26,7 +26,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-82021-7
     cce@rhel8: CCE-80807-1
     cce@rhel9: CCE-83907-6
     cce@sle12: CCE-83235-2
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_audit_binaries/rule.yml
index 475ce7837b4..e49e3fb3559 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_audit_binaries/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_audit_binaries/rule.yml
@@ -36,7 +36,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-88909-7
     cce@rhel8: CCE-86447-0
     cce@rhel9: CCE-86448-8
 
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
index 5744f5ad147..179e15c3e51 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
@@ -25,7 +25,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-82040-7
     cce@rhel8: CCE-80809-7
     cce@rhel9: CCE-83911-8
     cce@sle12: CCE-83240-2
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
index b74b40f9f78..0cf49cda054 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
@@ -26,7 +26,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-82033-2
     cce@rhel8: CCE-80815-4
     cce@rhel9: CCE-83909-2
     cce@sle12: CCE-83233-7
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml
index ac1f1acaee0..1a9c6e20ea5 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml
@@ -1,6 +1,5 @@
 documentation_complete: true
 
-
 title: 'Enable Kernel Parameter to Enforce DAC on FIFOs'
 
 description: '{{{ describe_sysctl_option_value(sysctl="fs.protected_fifos", value="2") }}}'
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
index 700a0395c98..988183d5bb8 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
@@ -14,7 +14,6 @@ severity: medium
 
 identifiers:
     cce@rhcos4: CCE-82506-7
-    cce@rhel7: CCE-81026-7
     cce@rhel8: CCE-81027-5
     cce@rhel9: CCE-84110-6
     cce@sle12: CCE-91559-5
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
index 71e64e91ad0..c3cd7fe09b0 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
@@ -16,7 +16,6 @@ severity: medium
 
 identifiers:
     cce@rhcos4: CCE-82507-5
-    cce@rhel7: CCE-81029-1
     cce@rhel8: CCE-81030-9
     cce@rhel9: CCE-83900-1
     cce@sle12: CCE-91560-3
diff --git a/linux_os/guide/system/permissions/mounting/bios_assign_password/rule.yml b/linux_os/guide/system/permissions/mounting/bios_assign_password/rule.yml
index 20349df853c..afec64fc838 100644
--- a/linux_os/guide/system/permissions/mounting/bios_assign_password/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/bios_assign_password/rule.yml
@@ -18,7 +18,4 @@ rationale: |-
 
 severity: unknown
 
-identifiers:
-    cce@rhel7: CCE-27194-0
-
 platform: machine
diff --git a/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot/rule.yml b/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot/rule.yml
index 514560793b1..82855550a4c 100644
--- a/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot/rule.yml
@@ -16,7 +16,6 @@ severity: unknown
 
 identifiers:
     cce@rhcos4: CCE-82662-8
-    cce@rhel7: CCE-26960-5
 
 references:
     cis-csc: 12,16
diff --git a/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/bash/shared.sh b/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/bash/shared.sh
index 2ebb24af196..d8637f0def7 100644
--- a/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/bash/shared.sh
+++ b/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,multi_platform_fedora
+# platform = multi_platform_fedora
 
 # Correct the form of default kernel command line in /etc/default/grub
 if ! grep -q '^GRUB_CMDLINE_LINUX=".*nousb.*"' /etc/default/grub;
diff --git a/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml b/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml
index 5ea661d520b..a7b731b8801 100644
--- a/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml
@@ -18,7 +18,6 @@ severity: unknown
 
 identifiers:
     cce@rhcos4: CCE-82661-0
-    cce@rhel7: CCE-26548-8
 
 references:
     cis-csc: 12,16
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml
index bf2db68f442..ec1c0e47d63 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml
@@ -22,7 +22,6 @@ platform: machine
 
 identifiers:
     cce@rhcos4: CCE-82514-1
-    cce@rhel7: CCE-80137-3
     cce@rhel8: CCE-81031-7
     cce@rhel9: CCE-83853-2
     cce@sle12: CCE-92297-1
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled/rule.yml
index 0fea3e1753b..99a6f7df228 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled/rule.yml
@@ -15,7 +15,6 @@ severity: low
 
 identifiers:
     cce@rhcos4: CCE-82713-9
-    cce@rhel7: CCE-80138-1
     cce@rhel8: CCE-86615-2
     cce@rhel9: CCE-86763-0
 
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled/rule.yml
index 388928502c9..51f2d721287 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled/rule.yml
@@ -15,7 +15,6 @@ severity: low
 
 identifiers:
     cce@rhcos4: CCE-82714-7
-    cce@rhel7: CCE-80140-7
     cce@rhel8: CCE-86616-0
     cce@rhel9: CCE-86764-8
 
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled/rule.yml
index 885b14f7400..f808230a2d7 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled/rule.yml
@@ -15,7 +15,6 @@ severity: low
 
 identifiers:
     cce@rhcos4: CCE-82715-4
-    cce@rhel7: CCE-80141-5
     cce@rhel8: CCE-86617-8
     cce@rhel9: CCE-86765-5
 
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled/rule.yml
index 2b8c615acd8..3d80a301801 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled/rule.yml
@@ -15,7 +15,6 @@ severity: low
 
 identifiers:
     cce@rhcos4: CCE-82716-2
-    cce@rhel7: CCE-80139-9
     cce@rhel8: CCE-86618-6
     cce@rhel9: CCE-86766-3
 
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml
index 1d78680149b..b9c20e75c39 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml
@@ -22,7 +22,6 @@ platform: machine
 
 identifiers:
     cce@rhcos4: CCE-82717-0
-    cce@rhel7: CCE-80142-3
     cce@rhel8: CCE-83498-6
     cce@rhel9: CCE-83855-7
     cce@sle12: CCE-92298-9
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml
index 23c9387fd95..5fc52d2a148 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml
@@ -23,7 +23,6 @@ platform: machine
 
 identifiers:
     cce@rhcos4: CCE-82718-8
-    cce@rhel7: CCE-80143-1
     cce@rhel8: CCE-82729-5
     cce@rhel9: CCE-83852-4
     cce@sle12: CCE-92299-7
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
index 7e00f95e540..c882736a793 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
@@ -19,7 +19,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82719-6
- cce@rhel7: CCE-27277-3
 cce@rhel8: CCE-80835-2
 cce@rhel9: CCE-83851-6
 cce@sle12: CCE-83069-5
@@ -43,7 +42,6 @@ references:
 srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227,SRG-APP-000141-CTR-000315
 stigid@ol7: OL07-00-020100
 stigid@ol8: OL08-00-040080
- stigid@rhel7: RHEL-07-020100
 stigid@rhel8: RHEL-08-040080
 stigid@sle12: SLES-12-010580
 stigid@sle15: SLES-15-010480
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_vfat_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_vfat_disabled/rule.yml
index 60d15ed2765..5392806bf48 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_vfat_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_vfat_disabled/rule.yml
@@ -22,7 +22,6 @@ platform: machine
 identifiers:
 cce@rhcos4: CCE-82720-4
- cce@rhel7: CCE-82169-4
 cce@rhel8: CCE-82170-2
 cce@sle12: CCE-92300-3
 cce@sle15: CCE-92454-8
diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
index 1c010dfcdbf..e99be0bf514 100644
--- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
@@ -25,7 +25,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82663-6
- cce@rhel7: CCE-27498-5
 cce@rhel8: CCE-80873-3
 cce@rhel9: CCE-83850-8
 cce@sle12: CCE-83070-3
@@ -50,7 +49,6 @@ references:
 srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-020110
 stigid@ol8: OL08-00-040070
- stigid@rhel7: RHEL-07-020110
 stigid@rhel8: RHEL-08-040070
 stigid@sle12: SLES-12-010590
 stigid@sle15: SLES-15-010240
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_noauto/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_noauto/rule.yml
index a292ccdfc39..8b98d3df553 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_noauto/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_noauto/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83344-2
 cce@rhel8: CCE-83345-9
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
index 72b0ff46d54..9a3d06e273b 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
@@ -20,7 +20,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82135-5
 cce@rhel8: CCE-82941-6
 cce@rhel9: CCE-83884-7
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
index f017ae25cd1..f3e5fe12821 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83315-2
 cce@rhel8: CCE-83316-0
 cce@rhel9: CCE-83892-0
 cce@sle12: CCE-91541-3
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
index 1bb39096e5d..512896d5f9b 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82138-9
 cce@rhel8: CCE-81033-3
 cce@rhel9: CCE-83877-1
 cce@sle12: CCE-91542-1
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
index 8f73d51d706..962eddaec33 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
@@ -18,7 +18,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82867-3
- cce@rhel7: CCE-80152-2
 cce@rhel8: CCE-80837-8
 cce@rhel9: CCE-83881-3
 cce@sle12: CCE-92303-7
@@ -42,7 +41,6 @@ references:
 srg: SRG-OS-000368-GPOS-00154
 stigid@ol7: OL07-00-021024
 stigid@ol8: OL08-00-040120
- stigid@rhel7: RHEL-07-021024
 stigid@rhel8: RHEL-08-040120
 platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
index 03bc693177d..03b01b59084 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
@@ -20,7 +20,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82868-1
- cce@rhel7: CCE-80153-0
 cce@rhel8: CCE-80838-6
 cce@rhel9: CCE-83857-3
 cce@sle12: CCE-92302-9
@@ -44,7 +43,6 @@ references:
 srg: SRG-OS-000368-GPOS-00154
 stigid@ol7: OL07-00-021024
 stigid@ol8: OL08-00-040122
- stigid@rhel7: RHEL-07-021024
 stigid@rhel8: RHEL-08-040122
 platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
index c3c461062f9..211dccdd2c0 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
@@ -18,7 +18,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82741-0
- cce@rhel7: CCE-80154-8
 cce@rhel8: CCE-80839-4
 cce@rhel9: CCE-83891-2
 cce@sle12: CCE-92304-5
@@ -42,7 +41,6 @@ references:
 srg: SRG-OS-000368-GPOS-00154
 stigid@ol7: OL07-00-021024
 stigid@ol8: OL08-00-040121
- stigid@rhel7: RHEL-07-021024
 stigid@rhel8: RHEL-08-040121
 platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_grpquota/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_grpquota/rule.yml
index 594477c40aa..32c801c5520 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_grpquota/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_grpquota/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86037-9
 cce@rhel8: CCE-86039-5
 cce@rhel9: CCE-86042-9
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
index 4eeeeb70171..0a869521965 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
@@ -21,7 +21,6 @@ severity: unknown
 identifiers:
 cce@rhcos4: CCE-82740-2
- cce@rhel7: CCE-81047-3
 cce@rhel8: CCE-81048-1
 cce@rhel9: CCE-83871-4
 cce@sle12: CCE-92306-0
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
index 1e498336154..3d255dbbaec 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83327-7
 cce@rhel8: CCE-83328-5
 cce@rhel9: CCE-83875-5
 cce@sle12: CCE-91543-9
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
index 459a0e374ad..ec85dc1cdfb 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-81153-9
 cce@rhel8: CCE-81050-7
 cce@rhel9: CCE-83894-6
 cce@sle12: CCE-83100-8
@@ -36,7 +35,6 @@ references:
 srg: SRG-OS-000368-GPOS-00154,SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-021000
 stigid@ol8: OL08-00-010570
- stigid@rhel7: RHEL-07-021000
 stigid@rhel8: RHEL-08-010570
 stigid@sle12: SLES-12-010790
 stigid@sle15: SLES-15-040140
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_usrquota/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_usrquota/rule.yml
index 39ce4f2e6a3..b952496bd88 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_usrquota/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_usrquota/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86034-6
 cce@rhel8: CCE-86035-3
 cce@rhel9: CCE-86036-1
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
index 3726a39ace8..3df6dc5748f 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
@@ -27,7 +27,6 @@ ocil_clause: "some mounts appear among output lines"
 severity: medium
 identifiers:
- cce@rhel7: CCE-80145-6
 cce@rhel8: CCE-82069-6
 cce@rhel9: CCE-83873-0
 cce@sle12: CCE-91544-7
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
index af40d2c2b86..74a7c6221c6 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
@@ -21,7 +21,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82865-7
- cce@rhel7: CCE-80146-4
 cce@rhel8: CCE-82742-8
 cce@rhel9: CCE-83856-5
 cce@sle12: CCE-92308-6
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
index dac1e7d7957..71d0f00fd4b 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
@@ -18,7 +18,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82747-7
- cce@rhel7: CCE-80147-2
 cce@rhel8: CCE-82746-9
 cce@rhel9: CCE-83883-9
 cce@sle12: CCE-92307-8
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
index 8b2c88bfffc..036be2220fb 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
@@ -20,7 +20,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82745-1
- cce@rhel7: CCE-80148-0
 cce@rhel8: CCE-82744-4
 cce@rhel9: CCE-83874-8
 cce@sle12: CCE-83101-6
@@ -42,7 +41,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-021010
 stigid@ol8: OL08-00-010620
- stigid@rhel7: RHEL-07-021010
 stigid@rhel8: RHEL-08-010620
 stigid@sle12: SLES-12-010800
 stigid@sle15: SLES-15-040150
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
index 9fa54a68e9f..73c17799e7b 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83317-8
 cce@rhel8: CCE-83319-4
 cce@rhel9: CCE-83880-5
 cce@sle12: CCE-91584-3
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_proc_hidepid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_proc_hidepid/rule.yml
index bcce1e0cb9c..8c6f6be47cf 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_proc_hidepid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_proc_hidepid/rule.yml
@@ -35,7 +35,6 @@ warnings:
 severity: low
 identifiers:
- cce@rhel7: CCE-85881-1
 cce@rhel8: CCE-85882-9
 cce@rhel9: CCE-85883-7
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
index acd37adf9e2..7ca8fb835ea 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83320-2
 cce@rhel8: CCE-83322-8
 cce@rhel9: CCE-83862-3
 cce@sle12: CCE-91585-0
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
index 9338aedd271..36cdbbac9e4 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80149-8
 cce@rhel8: CCE-82623-0
 cce@rhel9: CCE-83869-8
 cce@sle12: CCE-92301-1
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
index 56c79354da5..1de05b2eb69 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80150-6
 cce@rhel8: CCE-82139-7
 cce@rhel9: CCE-83885-4
 cce@sle12: CCE-91586-8
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
index 08290929120..787283bcadb 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-80151-4
 cce@rhel8: CCE-82140-5
 cce@rhel9: CCE-83872-2
 cce@sle12: CCE-91587-6
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
index ea4dd8c7416..5c8da07fd39 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
@@ -20,7 +20,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82079-5
 cce@rhel8: CCE-82080-3
 cce@rhel9: CCE-83882-1
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
index fce0aef7c4d..3e611b9f008 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82146-2
 cce@rhel8: CCE-82975-4
 cce@rhel9: CCE-83878-9
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
index e891b54f6ac..902ccc32cad 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82148-8
 cce@rhel8: CCE-82921-8
 cce@rhel9: CCE-83893-8
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
index ecd4d94eb32..f2eade7deb5 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
@@ -20,7 +20,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82076-1
 cce@rhel8: CCE-82077-9
 cce@rhel9: CCE-83886-2
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
index 6aa87c2ac05..454181a58b9 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82142-1
 cce@rhel8: CCE-82008-4
 cce@rhel9: CCE-83887-0
 cce@sle12: CCE-91588-4
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
index 488af6a67b8..8a5c2bab056 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82144-7
 cce@rhel8: CCE-82065-4
 cce@rhel9: CCE-83870-6
 cce@sle12: CCE-91589-2
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
index 76d0efeb960..6ef1ee07c6e 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
@@ -20,7 +20,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82064-7
 cce@rhel8: CCE-82062-1
 cce@rhel9: CCE-83868-0
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
index 94bf2a60ed3..527c10aed74 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83329-3
 cce@rhel8: CCE-83330-1
 cce@rhel9: CCE-83865-6
 cce@sle12: CCE-91590-0
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
index 704627aedc0..369dc8948b8 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 The presence of SUID and SGID executables should be tightly controlled.
 identifiers:
- cce@rhel7: CCE-83378-0
 cce@rhel8: CCE-83383-0
 cce@rhel9: CCE-83867-2
 cce@sle12: CCE-91591-8
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
index a70c45359a4..3cb6ff2a449 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
@@ -18,9 +18,6 @@ rationale: |-
 severity: unknown
-identifiers:
- cce@rhel7: CCE-80155-5
-
 references:
 cis-csc: 11,14,3,9
 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
index ea4ee4dec99..e5cb7f71e59 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
@@ -19,7 +19,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82735-2
- cce@rhel7: CCE-81052-3
 cce@rhel8: CCE-82068-8
 cce@rhel9: CCE-83864-9
 cce@sle12: CCE-92305-2
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
index d0bf35fb921..8d471801fe2 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
@@ -19,7 +19,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82866-5
- cce@rhel7: CCE-82150-4
 cce@rhel8: CCE-82151-2
 cce@rhel9: CCE-83866-4
 cce@sle12: CCE-91592-6
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
index 13f644ccc9d..7331e9469c7 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
@@ -19,7 +19,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82736-0
- cce@rhel7: CCE-82153-8
 cce@rhel8: CCE-82154-6
 cce@rhel9: CCE-83863-1
 cce@sle12: CCE-91593-4
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml
index c1cc421f4a3..fbdb197bf39 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml
@@ -24,7 +24,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82529-9
- cce@rhel7: CCE-83432-5
 cce@rhel8: CCE-82251-0
 cce@rhel9: CCE-83984-5
 cce@sle12: CCE-92209-6
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml
index c025dcf1f8f..ec0d02ab65f 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml
@@ -24,7 +24,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82528-1
- cce@rhel7: CCE-83428-3
 cce@rhel8: CCE-82252-8
 cce@rhel9: CCE-83979-5
 cce@sle12: CCE-92210-4
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
index 92b9cc0040d..82235a7aa15 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
@@ -18,7 +18,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82526-5
- cce@rhel7: CCE-80169-6
 cce@rhel8: CCE-81038-2
 cce@rhel9: CCE-83980-3
 cce@sle12: CCE-92208-8
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml
index 5a66c9530c5..4a0bd4cf810 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-26900-1
 cce@rhel8: CCE-80912-9
 cce@rhel9: CCE-83981-1
 cce@sle12: CCE-91561-1
diff --git a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/shared.sh
index a51038bb897..c191c94e876 100644
--- a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/shared.sh
+++ b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+# platform = Red Hat Enterprise Linux 8
 {{{ bash_instantiate_variables("var_umask_for_daemons") }}}
diff --git a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/rule.yml b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/rule.yml
index 1dfd0bb7216..26c664c1c78 100644
--- a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/rule.yml
@@ -19,9 +19,6 @@ rationale: |-
 severity: unknown
-identifiers:
- cce@rhel7: CCE-27068-6
-
 references:
 cis-csc: 12,13,14,15,16,18,3,5
 cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/ansible/shared.yml
index c27a189b286..b68147868f7 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/ansible/shared.yml
@@ -32,7 +32,7 @@
 reload: yes
 when: kexec_arch == "b32"
-{{% if 'ubuntu' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}}
+{{% if 'ubuntu' in product or product in ['ol7', 'sle12', 'sle15'] %}}
 - name: Check noexec argument exists
 command: grep '^GRUB_CMDLINE_LINUX=.*noexec=.*"' /etc/default/grub
 failed_when: False
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml
index 92dc9907df0..7cd2df06da3 100644
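Review bot: The new platform line in umask_for_daemons/bash/shared.sh keeps this remediation live for RHEL 8 (`# platform = Red Hat Enterprise Linux 8`), yet the next hunk in this file's rule.yml drops the entire `identifiers:` mapping because its only entry was `cce@rhel7`, so the rule now ships a RHEL 8 fix with no `cce@rhel8` identifier. If a RHEL 8 profile still selects this rule, a RHEL 8 CCE should be allocated in the same commit rather than leaving the rule identifier-less; if no product selects it any more, the consistent change is to drop the RHEL 8 platform line (or the rule) as well. Whether any RHEL 8 profile references the rule is not visible in this diff, so the right resolution depends on that check. The same observation applies to mount_option_var_tmp_bind/rule.yml earlier in the diff, whose `identifiers:` block is removed wholesale.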
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml
@@ -28,7 +28,6 @@ severity: medium
 platform: machine # The oscap sysctl probe doesn't support offline mode
 identifiers:
- cce@rhel7: CCE-27211-2
 cce@rhel8: CCE-80914-5
 cce@rhel9: CCE-83970-4
 cce@sle12: CCE-91562-9
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
index 5c72d139fd2..ec5b6b32ed4 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -15,7 +15,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82498-7
- cce@rhel7: CCE-80659-6
 cce@rhel8: CCE-80915-2
 cce@rhel9: CCE-83972-0
 cce@sle12: CCE-83125-5
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
index 8b7cf77746a..711e4fe47c9 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
@@ -16,7 +16,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-88128-4
- cce@rhel7: CCE-27127-0
 cce@rhel8: CCE-80916-0
 cce@rhel9: CCE-83971-2
 cce@sle12: CCE-83146-1
@@ -36,7 +35,6 @@ references:
 srg: SRG-OS-000433-GPOS-00193,SRG-OS-000480-GPOS-00227,SRG-APP-000450-CTR-001105
 stigid@ol7: OL07-00-040201
 stigid@ol8: OL08-00-010430
- stigid@rhel7: RHEL-07-040201
 stigid@rhel8: RHEL-08-010430
 stigid@sle12: SLES-12-030330
 stigid@sle15: SLES-15-010550
diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml
index 04c3eff4569..11e8899effe 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml
@@ -17,7 +17,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-88129-2
- cce@rhel7: CCE-27099-1
 cce@rhel8: CCE-83918-3
 cce@rhel9: CCE-88577-2
 cce@sle12: CCE-91563-7
diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/install_PAE_kernel_on_x86-32/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_nx/install_PAE_kernel_on_x86-32/rule.yml
index a8624717ad0..0b2936b8fd6 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_nx/install_PAE_kernel_on_x86-32/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_nx/install_PAE_kernel_on_x86-32/rule.yml
@@ -22,7 +22,6 @@ rationale: |-
 severity: unknown
 identifiers:
- cce@rhel7: CCE-27116-3
 cce@rhel8: CCE-83919-1
 cce@sle12: CCE-91564-5
 cce@sle15: CCE-91255-0
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
index 19d939209a5..305118bfbcd 100644
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82158-7
 cce@rhel8: CCE-80944-2
 cce@rhel9: CCE-83985-2
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
index 2908f92129f..a32a7f648c5 100644
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82157-9
 cce@rhel8: CCE-80945-9
 cce@rhel9: CCE-83986-0
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
index e8a1368cb3d..0edcdd9fea0 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
@@ -13,7 +13,6 @@ severity: low
 identifiers:
 cce@rhcos4: CCE-82499-5
- cce@rhel7: CCE-27050-4
 cce@rhel8: CCE-80913-7
 cce@rhel9: CCE-83952-2
 cce@sle12: CCE-91565-2
@@ -27,7 +26,6 @@ references:
 srg: SRG-OS-000132-GPOS-00067,SRG-OS-000138-GPOS-00069,SRG-APP-000243-CTR-000600
 stigid@ol7: OL07-00-010375
 stigid@ol8: OL08-00-010375
- stigid@rhel7: RHEL-07-010375
 stigid@rhel8: RHEL-08-010375
 stigid@sle12: SLES-12-010375
 stigid@sle15: SLES-15-010375
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
index 7950162d8f5..40f8f3dab64 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
@@ -13,7 +13,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82500-0
- cce@rhel7: CCE-81056-4
 cce@rhel8: CCE-80952-5
 cce@rhel9: CCE-83954-8
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
index 0ffb567d3e0..4b7c5549596 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83392-1
 cce@rhel8: CCE-83397-0
 cce@rhel9: CCE-83967-0
 cce@sle12: CCE-91566-0
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_panic_on_oops/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_panic_on_oops/rule.yml
index b6dc3bde43b..a6a04d2b6ba 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_panic_on_oops/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_panic_on_oops/rule.yml
@@ -16,7 +16,6 @@ warnings:
 severity: medium
 identifiers:
- cce@rhel7: CCE-90766-7
 cce@rhel8: CCE-87666-4
 cce@rhel9: CCE-88666-3
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml
index dbdb5277edf..0cc37d9bf07 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83369-9
 cce@rhel8: CCE-83373-1
 cce@rhel9: CCE-83969-6
 cce@sle12: CCE-91567-8
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml
index 85f7d7ddd93..bac057da89f 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83367-3
 cce@rhel8: CCE-83368-1
 cce@rhel9: CCE-83962-1
 cce@sle12: CCE-91569-4
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
index a35a76356f6..24cff2c107f 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
@@ -12,7 +12,6 @@ severity: low
 identifiers:
 cce@rhcos4: CCE-82502-6
- cce@rhel7: CCE-81053-1
 cce@rhel8: CCE-81054-9
 cce@rhel9: CCE-83959-7
 cce@sle12: CCE-91568-6
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml
index df54e83bd19..dc3c7e8f589 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83365-7
 cce@rhel8: CCE-83366-5
 cce@rhel9: CCE-83960-5
 cce@sle12: CCE-91570-2
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
index 312d1ab0085..b3e77b72988 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83353-3
 cce@rhel8: CCE-83355-8
 cce@rhel9: CCE-83968-8
 cce@sle12: CCE-91571-0
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
index 7fe35df14a5..d88758e2b0e 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
@@ -13,7 +13,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82504-2
- cce@rhel7: CCE-82203-1
 cce@rhel8: CCE-82974-7
 cce@rhel9: CCE-83957-1
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
index 5e169c50500..24465bcad12 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
@@ -15,7 +15,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82501-8
- cce@rhel7: CCE-81058-0
 cce@rhel8: CCE-80953-3
 cce@rhel9: CCE-83965-4
 cce@sle12: CCE-91572-8
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml
index 18f1f79cfcc..440e938a8bc 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83358-2
 cce@rhel8: CCE-83363-2
 cce@rhel9: CCE-83958-9
 cce@sle12: CCE-91573-6
diff --git a/linux_os/guide/system/selinux/directory_groupowner_etc_selinux/rule.yml b/linux_os/guide/system/selinux/directory_groupowner_etc_selinux/rule.yml
index 6532bde7be0..7367ea2b48e 100644
--- a/linux_os/guide/system/selinux/directory_groupowner_etc_selinux/rule.yml
+++ b/linux_os/guide/system/selinux/directory_groupowner_etc_selinux/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86272-2
 cce@rhel8: CCE-86273-0
 cce@rhel9: CCE-86274-8
diff --git a/linux_os/guide/system/selinux/directory_owner_etc_selinux/rule.yml b/linux_os/guide/system/selinux/directory_owner_etc_selinux/rule.yml
index 80205b835c6..9aff4c638e3 100644
--- a/linux_os/guide/system/selinux/directory_owner_etc_selinux/rule.yml
+++ b/linux_os/guide/system/selinux/directory_owner_etc_selinux/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86269-8
 cce@rhel8: CCE-86270-6
 cce@rhel9: CCE-86271-4
diff --git a/linux_os/guide/system/selinux/directory_permissions_etc_selinux/rule.yml b/linux_os/guide/system/selinux/directory_permissions_etc_selinux/rule.yml
index 18305c2f85a..9827807b6c8 100644
--- a/linux_os/guide/system/selinux/directory_permissions_etc_selinux/rule.yml
+++ b/linux_os/guide/system/selinux/directory_permissions_etc_selinux/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86276-3
 cce@rhel8: CCE-86278-9
 cce@rhel9: CCE-86279-7
diff --git a/linux_os/guide/system/selinux/file_groupowner_etc_sestatus_conf/rule.yml b/linux_os/guide/system/selinux/file_groupowner_etc_sestatus_conf/rule.yml
index 0c707002ac4..b6864ca0b8f 100644
--- a/linux_os/guide/system/selinux/file_groupowner_etc_sestatus_conf/rule.yml
+++ b/linux_os/guide/system/selinux/file_groupowner_etc_sestatus_conf/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86287-0
 cce@rhel8: CCE-86288-8
 cce@rhel9: CCE-86289-6
diff --git a/linux_os/guide/system/selinux/file_owner_etc_sestatus_conf/rule.yml b/linux_os/guide/system/selinux/file_owner_etc_sestatus_conf/rule.yml
index da70f065d53..413454652c3 100644
--- a/linux_os/guide/system/selinux/file_owner_etc_sestatus_conf/rule.yml
+++ b/linux_os/guide/system/selinux/file_owner_etc_sestatus_conf/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86284-7
 cce@rhel8: CCE-86285-4
 cce@rhel9: CCE-86286-2
diff --git a/linux_os/guide/system/selinux/file_permissions_etc_sestatus_conf/rule.yml b/linux_os/guide/system/selinux/file_permissions_etc_sestatus_conf/rule.yml
index 16a61d461e6..0cabef57e17 100644
--- a/linux_os/guide/system/selinux/file_permissions_etc_sestatus_conf/rule.yml
+++ b/linux_os/guide/system/selinux/file_permissions_etc_sestatus_conf/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-86290-4
 cce@rhel8: CCE-86291-2
 cce@rhel9: CCE-86293-8
diff --git a/linux_os/guide/system/selinux/group.yml b/linux_os/guide/system/selinux/group.yml
index f5a91a95db5..781510630a1 100644
--- a/linux_os/guide/system/selinux/group.yml
+++ b/linux_os/guide/system/selinux/group.yml
@@ -23,10 +23,7 @@ description: |-
 default (targeted) policy on every {{{ full_name }}} system, unless that system has unusual requirements which make a stronger policy appropriate.
- {{% if product == "rhel7" %}}
-

- For more information on SELinux, see {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide") }}}.
- {{% elif product == "rhel8" %}}
+ {{% if product == "rhel8" %}}

 For more information on SELinux, see {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux") }}}.
 {{% elif "ol" in product %}}
diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml b/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
index 4570d970ad9..560d7551a5f 100644
--- a/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
+++ b/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
@@ -18,7 +18,6 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82666-9
- cce@rhel7: CCE-26961-3
 cce@rhel8: CCE-80827-9
 cce@rhel9: CCE-84078-5
 cce@sle15: CCE-91443-2
diff --git a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml
index 5c470d72fd8..49240d5c189 100644
--- a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml
+++ b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: high
 identifiers:
- cce@rhel7: CCE-82876-4
 cce@rhel8: CCE-82877-2
 cce@rhel9: CCE-84069-4
 cce@sle15: CCE-92490-2
diff --git a/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml b/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml
index f8fdb5d73ce..a4234a0c342 100644
--- a/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml
+++ b/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: low
 identifiers:
- cce@rhel7: CCE-80445-0
 cce@rhel8: CCE-82756-8
 cce@rhel9: CCE-84072-8
diff --git a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
index 40f37f68e60..708fd6e76b7 100644
--- a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
+++ b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
@@ -23,7 +23,6 @@ rationale: |-
 severity: low
 identifiers:
- cce@rhel7: CCE-82977-0
 cce@rhel8: CCE-82976-2
 cce@rhel9: CCE-84071-0
diff --git a/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml
index 02044f4321f..a97c3f8f10b 100644
--- a/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml
+++ b/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml
@@ -16,7 +16,6 @@ severity: low
 identifiers:
 cce@rhcos4: CCE-84091-8
- cce@rhel7: CCE-84249-2
 cce@rhel8: CCE-84250-0
 cce@rhel9: CCE-84251-8
 cce@sle12: CCE-91582-7
diff --git a/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml
index 7d149a0fa0e..fec4c2a5e87 100644
--- a/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml
+++ b/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml
@@ -17,7 +17,6 @@ severity: low
 identifiers:
 cce@rhcos4: CCE-84093-4
- cce@rhel7: CCE-83488-7
 cce@rhel8: CCE-83490-3
 cce@rhel9: CCE-84252-6
 cce@sle12: CCE-91580-1
diff --git a/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml
index f3052ccf746..bb5f72ac2cd 100644
--- a/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml
+++ b/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
 severity: low
 identifiers:
- cce@rhel7: CCE-80444-3
 cce@rhel8: CCE-82755-0
 cce@rhel9: CCE-84073-6
 cce@sle12: CCE-91581-9
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_abrt_anon_write/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_abrt_anon_write/rule.yml
index 845fc3a0012..ddfc5034f8b 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_abrt_anon_write/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_abrt_anon_write/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-80419-5
-
 references:
 cui: 3.7.2
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_abrt_handle_event/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_abrt_handle_event/rule.yml
index e42678cadab..d4482ed4c9c 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_abrt_handle_event/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_abrt_handle_event/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-80420-3
-
 references:
 cui: 3.7.2
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_abrt_upload_watch_anon_write/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_abrt_upload_watch_anon_write/rule.yml
index 9c9b767e020..5e55f1ce357 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_abrt_upload_watch_anon_write/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_abrt_upload_watch_anon_write/rule.yml
@@ -13,9 +13,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-80421-1
-
 references:
 cui: 3.7.2
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_antivirus_can_scan_system/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_antivirus_can_scan_system/rule.yml
index 3143afdf732..4c30c0b1186 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_antivirus_can_scan_system/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_antivirus_can_scan_system/rule.yml
@@ -13,9 +13,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-80422-9
-
 references:
 cui: 3.7.2
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_antivirus_use_jit/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_antivirus_use_jit/rule.yml
index 0316177b770..015d68cc799 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_antivirus_use_jit/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_antivirus_use_jit/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-80423-7
-
 references:
 cui: 3.7.2
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_auditadm_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_auditadm_exec_content/rule.yml
index 88640c60ad8..0944a919a4c 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_auditadm_exec_content/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_auditadm_exec_content/rule.yml
@@ -13,7 +13,6 @@ rationale: ""
 severity: medium
 identifiers:
- cce@rhel7: CCE-80424-5
 cce@rhel8: CCE-84297-1
 cce@rhel9: CCE-84090-0
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_authlogin_nsswitch_use_ldap/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_authlogin_nsswitch_use_ldap/rule.yml
index 6cac92fd185..b1c935e21b2 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_authlogin_nsswitch_use_ldap/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_authlogin_nsswitch_use_ldap/rule.yml
@@ -13,7 +13,6 @@ rationale: ""
 severity: medium
 identifiers:
- cce@rhel7: CCE-80425-2
 cce@rhel8: CCE-84296-3
 references:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_authlogin_radius/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_authlogin_radius/rule.yml
index ee36fd0139a..4bff721fcbf 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_authlogin_radius/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_authlogin_radius/rule.yml
@@ -13,7 +13,6 @@ rationale: ""
 severity: medium
 identifiers:
- cce@rhel7: CCE-80426-0
 cce@rhel8: CCE-84294-8
 references:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_authlogin_yubikey/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_authlogin_yubikey/rule.yml
index aec8018d60a..f14a5a65362 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_authlogin_yubikey/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_authlogin_yubikey/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-80427-8
-
 references:
 cui: 3.7.2
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_awstats_purge_apache_log_files/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_awstats_purge_apache_log_files/rule.yml
index df2e2739c69..d35b9265c6d 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_awstats_purge_apache_log_files/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_awstats_purge_apache_log_files/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-80428-6
-
 references:
 cui: 3.7.2
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_boinc_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_boinc_execmem/rule.yml
index 3d4e46469dc..d8152ccb78a 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_boinc_execmem/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_boinc_execmem/rule.yml
@@ -13,7 +13,6 @@ rationale: ""
 severity: medium
 identifiers:
- cce@rhel7: CCE-80429-4
 cce@rhel8: CCE-83304-6
 references:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel/rule.yml
index 2b02a421301..9621de5ddff 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82284-1
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="cron_can_relabel") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares/rule.yml
index a7eefc4174f..40424174e52 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82285-8
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="cron_system_cronjob_use_shares") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition/rule.yml
index 0a6ca0073ce..fa760af1d3e 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition/rule.yml
@@ -13,9 +13,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82286-6
-
 {{{ complete_ocil_entry_sebool_enabled(sebool="cron_userdomain_transition") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core/rule.yml
index 25c7ae8ee72..2e5c4c765a6 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82287-4
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="daemons_dump_core") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper/rule.yml
index ad11b2208cc..b5d75809ada 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82288-2
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="daemons_use_tcp_wrapper") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty/rule.yml
index c8bc52dc9d7..6917e844cb0 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82289-0
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="daemons_use_tty") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
index 527990072d7..efe5610f18f 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82290-8
 cce@rhel8: CCE-83307-9
 cce@rhel9: CCE-84082-7
 cce@sle12: CCE-91575-1
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_ptrace/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_ptrace/rule.yml
index bc5b9824603..4d4346d5715 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_ptrace/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_ptrace/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82291-6
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="deny_ptrace") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_fd_use/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_fd_use/rule.yml
index 69bcf2d10f3..5239b6b356d 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_fd_use/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_fd_use/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82292-4
-
 {{{ complete_ocil_entry_sebool_enabled(sebool="domain_fd_use") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules/rule.yml
index 85140b469bc..11b6b0ec5be 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82293-2
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="domain_kernel_load_modules") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_fips_mode/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_fips_mode/rule.yml
index 0621c875f89..aba126859c4 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_fips_mode/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_fips_mode/rule.yml
@@ -13,9 +13,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-80418-7
-
 references:
 cis-csc: '13'
 cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write/rule.yml
index 887f5c9d6f6..3c896f56a61 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82294-0
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="gpg_web_anon_write") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_guest_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_guest_exec_content/rule.yml
index c9954a2a219..67e213f5b42 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_guest_exec_content/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_guest_exec_content/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82295-7
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="guest_exec_content") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled/rule.yml
index 0e371b3f54f..b505ebab316 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled/rule.yml
@@ -14,7 +14,6 @@ rationale: ""
 severity: medium
 identifiers:
- cce@rhel7: CCE-82296-5
 cce@rhel8: CCE-84293-0
 references:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_logadm_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_logadm_exec_content/rule.yml
index cf34f53e04f..7441efb9e1d 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_logadm_exec_content/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_logadm_exec_content/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82298-1
-
 {{{ complete_ocil_entry_sebool_enabled(sebool="logadm_exec_content") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_can_sendmail/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_can_sendmail/rule.yml
index f3e61d1874b..e4420d9277e 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_can_sendmail/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_can_sendmail/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82299-9
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="logging_syslogd_can_sendmail") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_use_tty/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_use_tty/rule.yml
index eb3291c83b7..ae184a6ee5f 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_use_tty/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_use_tty/rule.yml
@@ -13,9 +13,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82300-5
-
 {{{ complete_ocil_entry_sebool_enabled(sebool="logging_syslogd_use_tty") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_login_console_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_login_console_enabled/rule.yml
index 23f26e247ca..5c9c60646e4 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_login_console_enabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_login_console_enabled/rule.yml
@@ -13,9 +13,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82301-3
-
 {{{ complete_ocil_entry_sebool_enabled(sebool="login_console_enabled") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed/rule.yml
index aba5735b13d..074d6401a0d 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82302-1
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="mmap_low_allowed") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_mock_enable_homedirs/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_mock_enable_homedirs/rule.yml
index 68cee81ac4e..96e40cfb735 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_mock_enable_homedirs/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_mock_enable_homedirs/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82303-9
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="mock_enable_homedirs") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_mount_anyfile/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_mount_anyfile/rule.yml
index e6d73180e6f..a8245a9ff15 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_mount_anyfile/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_mount_anyfile/rule.yml
@@ -13,9 +13,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82304-7
-
 {{{ complete_ocil_entry_sebool_enabled(sebool="mount_anyfile") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
index f6293fa4c00..174e5745e0e 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
@@ -13,7 +13,6 @@ rationale: ""
 severity: medium
 identifiers:
- cce@rhel7: CCE-82305-4
 cce@rhel8: CCE-84230-2
 cce@rhel9: CCE-84083-5
 cce@sle12: CCE-91579-3
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content/rule.yml
index 63ba4e4c2e5..3c2f0095e23 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82306-2
-
 {{{ complete_ocil_entry_sebool_enabled(sebool="secadm_exec_content") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode/rule.yml
index 7a39d8fc40b..86e496e5b1a 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82307-0
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="secure_mode") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
index d5ec3289fed..bef942d5fe7 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
@@ -14,7 +14,6 @@ rationale: ""
 severity: medium
 identifiers:
- cce@rhel7: CCE-82308-8
 cce@rhel8: CCE-83310-3
 cce@rhel9: CCE-84087-6
 cce@sle12: CCE-91576-9
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload/rule.yml
index 420e4cb8284..6655947a7b4 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82310-4
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="secure_mode_policyload") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled/rule.yml
index 55d8d4059ca..8e57a04c65f 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled/rule.yml
@@ -13,9 +13,6 @@ rationale: ""
 severity: medium
-identifiers:
- cce@rhel7: CCE-82311-2
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_direct_dri_enabled") }}}
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
index b03712a1fb1..a68184eab94 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-82312-0
     cce@rhel8: CCE-80949-1
     cce@rhel9: CCE-84084-3
     cce@sle12: CCE-91577-7
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
index eb715593e4a..8d60a8b77c1 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
@@ -13,7 +13,6 @@ rationale: ""
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-82313-8
     cce@rhel8: CCE-80950-9
     cce@rhel9: CCE-84086-8
     cce@sle15: CCE-91423-4
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
index f14f3c3f8b6..288d89355ea 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-82314-6
     cce@rhel8: CCE-80951-7
     cce@rhel9: CCE-84089-2
     cce@sle12: CCE-91578-5
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml
index ecabc637443..aa84c635e37 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82317-9
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_mysql_connect_enabled") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping/rule.yml
index 95b8c3375ac..2f9e9faa101 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping/rule.yml
@@ -13,9 +13,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82318-7
-
 {{{ complete_ocil_entry_sebool_enabled(sebool="selinuxuser_ping") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled/rule.yml
index ff953f1a17c..8573f8ad38a 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82319-5
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_postgresql_connect_enabled") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile/rule.yml
index 93a8e4de948..616446823ed 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile/rule.yml
@@ -13,9 +13,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82320-3
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_rw_noexattrfile") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music/rule.yml
index 0d3f8b21d3e..490b1042fd0 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82321-1
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_share_music") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server/rule.yml
index fe46184c1bd..485916dddfd 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82322-9
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_tcp_server") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server/rule.yml
index bfaea11cac2..01756b4ce84 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82323-7
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_udp_server") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot/rule.yml
index 676bce26cd7..c47dc494f17 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82324-5
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_use_ssh_chroot") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs/rule.yml
index ba08da9e1ef..d9ea2760608 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82325-2
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="ssh_chroot_rw_homedirs") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_keysign/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_keysign/rule.yml
index 1dff0afef19..64401275897 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_keysign/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_keysign/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82326-0
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="ssh_keysign") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
index 473f1eedc88..acc738374c5 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
@@ -24,12 +24,10 @@ references:
     disa: CCI-002165,CCI-002235
     srg: SRG-OS-000324-GPOS-00125
     stigid@ol7: OL07-00-020022
-    stigid@rhel7: RHEL-07-020022
 
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-82327-8
     cce@rhel8: CCE-83311-1
     cce@rhel9: CCE-84081-9
     cce@sle12: CCE-91574-4
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_staff_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_staff_exec_content/rule.yml
index 1feb45ee358..e0120e40cf1 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_staff_exec_content/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_staff_exec_content/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82328-6
-
 {{{ complete_ocil_entry_sebool_enabled(sebool="staff_exec_content") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content/rule.yml
index 5e5279ea51c..1a10db68ef3 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82329-4
-
 {{{ complete_ocil_entry_sebool_enabled(sebool="sysadm_exec_content") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_unconfined_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_unconfined_login/rule.yml
index 3dcb65e82ac..f500a93e396 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_unconfined_login/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_unconfined_login/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82330-2
-
 {{{ complete_ocil_entry_sebool_enabled(sebool="unconfined_login") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs/rule.yml
index 8708cfa1bd3..5fb798f3bb3 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82331-0
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="use_ecryptfs_home_dirs") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_user_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_user_exec_content/rule.yml
index 835a3caf140..c243ce50ecb 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_user_exec_content/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_user_exec_content/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82332-8
-
 {{{ complete_ocil_entry_sebool_enabled(sebool="user_exec_content") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_bind_vnc_tcp_port/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_bind_vnc_tcp_port/rule.yml
index adaa71f5767..c319a1724cf 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_bind_vnc_tcp_port/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_bind_vnc_tcp_port/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82333-6
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="xdm_bind_vnc_tcp_port") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_exec_bootloader/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_exec_bootloader/rule.yml
index fdc28b47b95..7b5d6e8a0de 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_exec_bootloader/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_exec_bootloader/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82334-4
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="xdm_exec_bootloader") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login/rule.yml
index fee3f9766a5..c6606de6dc0 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82335-1
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="xdm_sysadm_login") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_write_home/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_write_home/rule.yml
index fa536c6cd6e..5a1f5bb1a23 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_write_home/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_write_home/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82336-9
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="xdm_write_home") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_connect_network/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_connect_network/rule.yml
index 644da76c976..0e13bd602c5 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_connect_network/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_connect_network/rule.yml
@@ -13,9 +13,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82337-7
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="xguest_connect_network") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_exec_content/rule.yml
index d445595a38e..36e1b4ca5c1 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_exec_content/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_exec_content/rule.yml
@@ -13,9 +13,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82338-5
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="xguest_exec_content") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_mount_media/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_mount_media/rule.yml
index 7fbb5f277e9..1061d7ad5c4 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_mount_media/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_mount_media/rule.yml
@@ -13,9 +13,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82339-3
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="xguest_mount_media") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_use_bluetooth/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_use_bluetooth/rule.yml
index 10d12c958c1..6552a0dd937 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_use_bluetooth/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_use_bluetooth/rule.yml
@@ -13,9 +13,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82340-1
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="xguest_use_bluetooth") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_clients_write_xshm/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_clients_write_xshm/rule.yml
index 6d16f2f00e4..a47a4deab27 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_clients_write_xshm/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_clients_write_xshm/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82341-9
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="xserver_clients_write_xshm") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_execmem/rule.yml
index 84737f044e3..f9318b4cc94 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_execmem/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_execmem/rule.yml
@@ -13,7 +13,6 @@ rationale: ""
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-82342-7
     cce@rhel8: CCE-83313-7
 
 
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_object_manager/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_object_manager/rule.yml
index 929e1e3e4d4..8c88399e018 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_object_manager/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_object_manager/rule.yml
@@ -12,9 +12,6 @@ rationale: ""
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-82346-8
-
 {{{ complete_ocil_entry_sebool_disabled(sebool="xserver_object_manager") }}}
 
 template:
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
index 28b2ad0e9a4..7c05868672f 100644
--- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
@@ -23,7 +23,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-27326-8
     cce@rhel8: CCE-80866-7
     cce@rhel9: CCE-85920-7
 
@@ -39,7 +38,6 @@ references:
     nist-csf: DE.CM-1,DE.CM-7,PR.AC-4,PR.DS-5,PR.IP-1,PR.IP-3,PR.PT-1,PR.PT-3
     srg: SRG-OS-000480-GPOS-00227
     stigid@ol7: OL07-00-020900
-    stigid@rhel7: RHEL-07-020900
 
 ocil_clause: 'there is output'
 
diff --git a/linux_os/guide/system/selinux/selinux_confine_to_least_privilege/rule.yml b/linux_os/guide/system/selinux/selinux_confine_to_least_privilege/rule.yml
index 383a8eaa709..fc2c6f28db1 100644
--- a/linux_os/guide/system/selinux/selinux_confine_to_least_privilege/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_confine_to_least_privilege/rule.yml
@@ -26,15 +26,11 @@ rationale: |-
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-86544-4
-
 references:
     disa: CCI-002165,CCI-002235
     nist: AC-3(4),AC-6(10)
     srg: SRG-OS-000324-GPOS-00125
     stigid@ol7: OL07-00-020021
-    stigid@rhel7: RHEL-07-020021
 
 ocil_clause: 'selinux users are not confined to least privilege'
 
diff --git a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
index d59d090adcb..0b6f0428c7a 100644
--- a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
@@ -21,7 +21,6 @@ severity: medium
 
 identifiers:
     cce@rhcos4: CCE-82688-3
-    cce@rhel7: CCE-27288-0
     cce@rhel8: CCE-80867-5
     cce@rhel9: CCE-84075-1
     cce@sle15: CCE-91444-0
diff --git a/linux_os/guide/system/selinux/selinux_context_elevation_for_sudo/rule.yml b/linux_os/guide/system/selinux/selinux_context_elevation_for_sudo/rule.yml
index c3c2cc0311a..1ca1ee38a54 100644
--- a/linux_os/guide/system/selinux/selinux_context_elevation_for_sudo/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_context_elevation_for_sudo/rule.yml
@@ -27,15 +27,11 @@ rationale: |-
 
 severity: medium
 
-identifiers:
-    cce@rhel7: CCE-86020-5
-
 references:
     disa: CCI-002165,CCI-002235
     nist: AC-3(4),AC-6(10)
     srg: SRG-OS-000324-GPOS-00125
     stigid@ol7: OL07-00-020023
-    stigid@rhel7: RHEL-07-020023
 
 ocil_clause: 'selinux context does not elevate when running sudo command'
 
diff --git a/linux_os/guide/system/selinux/selinux_not_disabled/rule.yml b/linux_os/guide/system/selinux/selinux_not_disabled/rule.yml
index 41136c01eb3..776da8ef5d0 100644
--- a/linux_os/guide/system/selinux/selinux_not_disabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_not_disabled/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: high
 
 identifiers:
-    cce@rhel7: CCE-87213-5
     cce@rhel8: CCE-86151-8
     cce@rhel9: CCE-86152-6
 
diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
index 6b2a7b48048..b03c5ead715 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
@@ -28,7 +28,6 @@ severity: medium
 
 identifiers:
     cce@rhcos4: CCE-82532-3
-    cce@rhel7: CCE-27279-9
     cce@rhel8: CCE-80868-3
     cce@rhel9: CCE-84074-4
     cce@sle12: CCE-91547-0
@@ -50,7 +49,6 @@ references:
     srg: SRG-OS-000445-GPOS-00199,SRG-APP-000233-CTR-000585
     stigid@ol7: OL07-00-020220
     stigid@ol8: OL08-00-010450
-    stigid@rhel7: RHEL-07-020220
     stigid@rhel8: RHEL-08-010450
 
 ocil_clause: 'the loaded policy name is not "{{{ xccdf_value("var_selinux_policy_name") }}}"'
diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml
index fab00e74ad5..484f98ae034 100644
--- a/linux_os/guide/system/selinux/selinux_state/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_state/rule.yml
@@ -21,7 +21,6 @@ severity: high
 
 identifiers:
     cce@rhcos4: CCE-82531-5
-    cce@rhel7: CCE-27334-2
     cce@rhel8: CCE-80869-1
     cce@rhel9: CCE-84079-3
     cce@sle12: CCE-91545-4
@@ -43,7 +42,6 @@ references:
     srg: SRG-OS-000445-GPOS-00199,SRG-OS-000134-GPOS-00068
     stigid@ol7: OL07-00-020210
     stigid@ol8: OL08-00-010170
-    stigid@rhel7: RHEL-07-020210
     stigid@rhel8: RHEL-08-010170
 
 ocil_clause: 'SELINUX is not set to enforcing'
diff --git a/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml b/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
index b9bd06bcdcc..27e69b5feac 100644
--- a/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
@@ -32,7 +32,6 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel7: CCE-80543-2
     cce@rhel8: CCE-86353-0
 
 references:
@@ -40,7 +39,6 @@ references:
     srg: SRG-OS-000324-GPOS-00125
     stigid@ol7: OL07-00-020020
     stigid@ol8: OL08-00-040400
-    stigid@rhel7: RHEL-07-020020
     stigid@rhel8: RHEL-08-040400
 
 ocil_clause: 'non-admin users are not confined correctly'
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
index 04eb7884bb4..807f2a96b4e 100644
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
@@ -40,8 +40,6 @@ description: |-
     {{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}}
     {{% elif 'ubuntu' in product %}}
     {{{ weblink(link="https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019") }}}
-    {{% elif product == "rhel7" %}}
-    {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-encryption") }}}
     {{% elif product == "fedora" %}}
     {{{ weblink(link="https://docs.fedoraproject.org/en-US/quick-docs/encrypting-drives-using-LUKS/") }}}
     {{% else %}}
@@ -56,7 +54,6 @@ rationale: |-
 severity: high
 
 identifiers:
-    cce@rhel7: CCE-27128-8
     cce@rhel8: CCE-80789-1
     cce@rhel9: CCE-90849-1
     cce@sle12: CCE-83046-3
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml
index a29617936dd..f2e0feb48de 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml
@@ -19,7 +19,6 @@ severity: medium
 platform: machine
 
 identifiers:
-    cce@rhel7: CCE-83333-5
     cce@rhel8: CCE-83336-8
     cce@sle12: CCE-91484-6
     cce@sle15: CCE-91176-8
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml
index 16e7ed13a67..b5639144edf 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml
@@ -21,7 +21,6 @@ rationale: |-
 severity: low
 
 identifiers:
-    cce@rhel7: CCE-86281-3
     cce@rhel8: CCE-86282-1
     cce@rhel9: CCE-86283-9
     cce@sle12: CCE-92319-3
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml
index af2323216e7..cca6c01559e 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml
@@ -18,7 +18,6 @@ severity: low
 
 identifiers:
     cce@rhcos4: CCE-82739-4
-    cce@rhel7: CCE-80144-9
     cce@rhel8: CCE-81044-0
     cce@rhel9: CCE-83468-9
     cce@sle12: CCE-83152-9
@@ -40,7 +39,6 @@ references:
     srg: SRG-OS-000480-GPOS-00227
     stigid@ol7: OL07-00-021310
     stigid@ol8: OL08-00-010800
-    stigid@rhel7: RHEL-07-021310
     stigid@rhel8: RHEL-08-010800
     stigid@sle12: SLES-12-010850
     stigid@sle15: SLES-15-040200
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_opt/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_opt/rule.yml
index 1bc1d5716b6..d37eccfe497 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_opt/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_opt/rule.yml
@@ -18,7 +18,6 @@ severity: medium
 platform: machine
 
 identifiers:
-    cce@rhel7: CCE-83339-2
     cce@rhel8: CCE-83340-0
     cce@sle12: CCE-91485-3
     cce@sle15: CCE-91177-6
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml
index 593a453ac5a..d2c9136c3c9 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml
@@ -21,7 +21,6 @@ platform: machine
 
 
 identifiers:
-    cce@rhel7: CCE-83376-4
     cce@rhel8: CCE-83387-1
     cce@rhel9: CCE-90846-7
     cce@sle12: CCE-91486-1
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml
index 7256a515b6f..fdfdc366ecc 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: low
 
 identifiers:
-    cce@rhel7: CCE-82053-0
     cce@rhel8: CCE-80851-9
     cce@rhel9: CCE-90845-9
     cce@sle12: CCE-91487-9
@@ -37,7 +36,6 @@ references:
     srg: SRG-OS-000480-GPOS-00227
     stigid@ol7: OL07-00-021340
     stigid@ol8: OL08-00-010543
-    stigid@rhel7: RHEL-07-021340
     stigid@rhel8: RHEL-08-010543
 
 {{{ complete_ocil_entry_separate_partition(part="/tmp") }}}
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_usr/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_usr/rule.yml
index 589dcb65d07..905c67adc16 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_usr/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_usr/rule.yml
@@ -17,7 +17,6 @@ severity: medium
 platform: machine
 
 identifiers:
-    cce@rhel7: CCE-83342-6
     cce@rhel8: CCE-83343-4
     cce@sle12: CCE-91488-7
     cce@sle15: CCE-91180-0
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
index e81fc09419e..49b7570e611 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
 severity: low
 
 identifiers:
-    cce@rhel7: CCE-82014-2
     cce@rhel8: CCE-80852-7
     cce@rhel9: CCE-83466-3
     cce@sle12: CCE-83153-7
@@ -39,7 +38,6 @@ references:
     srg: SRG-OS-000480-GPOS-00227
     stigid@ol7: OL07-00-021320
     stigid@ol8: OL08-00-010540
-    stigid@rhel7: RHEL-07-021320
     stigid@rhel8: RHEL-08-010540
     stigid@sle12: SLES-12-010860
     stigid@sle15: SLES-15-040210
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
index 04890f4b835..a5627ed0a37 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
@@ -15,7 +15,6 @@ severity: low
 
 identifiers:
     cce@rhcos4: CCE-82737-8
-    cce@rhel7: CCE-82034-0
     cce@rhel8: CCE-80853-5
     cce@rhel9: CCE-90848-3
     cce@sle12: CCE-91489-5
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
index e874b23cf8a..b104e55d90a 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
@@ -19,7 +19,6 @@ severity: low
 
 identifiers:
     cce@rhcos4: CCE-82738-6
-    cce@rhel7: CCE-82035-7
     cce@rhel8: CCE-80854-3
     cce@rhel9: CCE-90847-5
     cce@sle12: CCE-83154-5
@@ -45,7 +44,6 @@ references:
     srg: SRG-OS-000341-GPOS-00132,SRG-OS-000480-GPOS-00227,SRG-APP-000357-CTR-000800
     stigid@ol7: OL07-00-021330
     stigid@ol8: OL08-00-010542
-    stigid@rhel7: RHEL-07-021330
     stigid@rhel8: RHEL-08-010542
     stigid@sle12: SLES-12-010870
     stigid@sle15: SLES-15-030810
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
index 65e4fed4dd3..ed00e550313 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
@@ -17,7 +17,6 @@ severity: medium
 
 identifiers:
     cce@rhcos4: CCE-82734-5
-    cce@rhel7: CCE-82353-4
     cce@rhel8: CCE-82730-3
     cce@rhel9: CCE-83487-9
     cce@sle12: CCE-91490-3
diff --git a/linux_os/guide/system/software/disk_partitioning/systemd_tmp_mount_enabled/rule.yml b/linux_os/guide/system/software/disk_partitioning/systemd_tmp_mount_enabled/rule.yml
index 2c65aa7cbb5..fbdc0a7f0df 100644
--- a/linux_os/guide/system/software/disk_partitioning/systemd_tmp_mount_enabled/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/systemd_tmp_mount_enabled/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
 severity: low
 
 identifiers:
-    cce@rhel7: CCE-86889-3
     cce@rhel8: CCE-86890-1
     cce@rhel9: CCE-86891-9
 
diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml
index 3f47d38ccbe..f092bfd498e 100644
--- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml
+++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml
@@ -20,7 +20,6 @@ rationale: |-
 severity: high
 
 identifiers:
-    cce@rhel7: CCE-81004-4
     cce@rhel8: CCE-81003-6
     cce@rhel9: CCE-87295-2
     cce@sle12: CCE-83182-6
diff --git a/linux_os/guide/system/software/gnome/enable_dconf_user_profile/rule.yml b/linux_os/guide/system/software/gnome/enable_dconf_user_profile/rule.yml
index f48d02f059b..1b8cbe149a7 100644
--- a/linux_os/guide/system/software/gnome/enable_dconf_user_profile/rule.yml
+++ b/linux_os/guide/system/software/gnome/enable_dconf_user_profile/rule.yml
@@ -42,7 +42,6 @@ rationale: |-
 severity: high
 
 identifiers:
-    cce@rhel7: CCE-27446-4
     cce@rhel9: CCE-88767-9
     cce@sle12: CCE-83006-7
     cce@sle15: CCE-83267-5
diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/rule.yml
index b316ab55bc2..cfd7196fbae 100644
--- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/rule.yml
@@ -28,7 +28,6 @@ rationale: |-
 severity: high
 
 identifiers:
-    cce@rhel7: CCE-80107-6
     cce@rhel9: CCE-86315-9
 
 references:
diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/rule.yml
index 4cca435a661..3e92e9df565 100644
--- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/rule.yml
@@ -27,7 +27,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80106-8
cce@rhel8: CCE-86195-5
cce@rhel9: CCE-88285-2
cce@sle12: CCE-92346-6
@@ -42,7 +41,6 @@ references:
srg: SRG-OS-000480-GPOS-00227
stigid@ol7: OL07-00-010063
stigid@ol8: OL08-00-020032
- stigid@rhel7: RHEL-07-010063
stigid@rhel8: RHEL-08-020032
ocil_clause: 'disable-user-list has not been configured or is not disabled'
diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/rule.yml
index d1aa0eb7471..850f7c3146e 100644
--- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/rule.yml
@@ -26,7 +26,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80108-4
cce@rhel9: CCE-86580-8
references:
@@ -35,7 +34,6 @@ references:
pcidss: Req-8.3
srg: SRG-OS-000375-GPOS-00160,SRG-OS-000376-GPOS-00161,SRG-OS-000377-GPOS-00162
stigid@ol7: OL07-00-010061
- stigid@rhel7: RHEL-07-010061
ocil_clause: 'enable-smartcard-authentication has not been configured or is disabled'
diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/rule.yml
index aba167a8f16..5d5176f1bdb 100644
--- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/rule.yml
@@ -27,7 +27,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80109-2
cce@rhel8: CCE-80771-9
cce@rhel9: CCE-87638-3
diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml
index 73002177c26..5d76407b39d 100644
--- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
severity: high
identifiers:
- cce@rhel7: CCE-80104-3
cce@rhel8: CCE-80823-8
cce@rhel9: CCE-89663-9
@@ -37,7 +36,6 @@ references:
srg: SRG-OS-000480-GPOS-00229
stigid@ol7: OL07-00-010440
stigid@ol8: OL08-00-010820
- stigid@rhel7: RHEL-07-010440
stigid@rhel8: RHEL-08-010820
ocil_clause: 'GDM allows users to automatically login'
diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/bash/shared.sh
index 0fa83b2692d..52d6589cb5b 100644
--- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/bash/shared.sh
+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol
if rpm --quiet -q gdm
then
diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/rule.yml
index a014c8053ad..e46ffa83019 100644
--- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
severity: high
identifiers:
- cce@rhel7: CCE-80105-0
cce@rhel8: CCE-80824-6
references:
@@ -35,7 +34,6 @@ references:
ospp: FIA_UAU.1
srg: SRG-OS-000480-GPOS-00229
stigid@ol7: OL07-00-010450
- stigid@rhel7: RHEL-07-010450
ocil_clause: 'GDM allows a guest to login without credentials'
diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml
index bc838b9eaf9..bb5a6ce62d8 100644
--- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml
@@ -22,7 +22,6 @@ rationale: |-
severity: high
identifiers:
- cce@rhel7: CCE-83433-3
cce@rhel8: CCE-86007-2
cce@rhel9: CCE-86033-8
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml
index 16b727a34c5..d10a8fad3fe 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml
@@ -26,7 +26,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80122-5
cce@rhel8: CCE-89904-7
cce@rhel9: CCE-87734-0
@@ -43,7 +42,6 @@ references:
nist-csf: PR.AC-3,PR.AC-6
srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227
stigid@ol7: OL07-00-020111
- stigid@rhel7: RHEL-07-020111
ocil_clause: 'GNOME automounting is not disabled'
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
index e96590e6b4c..f7af02988eb 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
@@ -27,7 +27,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-83692-4
cce@rhel8: CCE-83693-2
cce@rhel9: CCE-90128-0
@@ -44,7 +43,6 @@ references:
nist-csf: PR.AC-3,PR.AC-6
srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227
stigid@ol7: OL07-00-020111
- stigid@rhel7: RHEL-07-020111
ocil_clause: 'GNOME automounting is not disabled'
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
index 3e08f2c9c51..ee35b8129ae 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
@@ -27,7 +27,6 @@ rationale: |-
severity: low
identifiers:
- cce@rhel7: CCE-83741-9
cce@rhel8: CCE-83742-7
cce@rhel9: CCE-90257-7
@@ -44,7 +43,6 @@ references:
nist-csf: PR.AC-3,PR.AC-6
srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227
stigid@ol7: OL07-00-020111
- stigid@rhel7: RHEL-07-020111
ocil_clause: 'GNOME autorun is not disabled'
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers/rule.yml
index 8cb6a427d44..d398da0661f 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers/rule.yml
@@ -30,7 +30,6 @@ rationale: |-
severity: unknown
identifiers:
- cce@rhel7: CCE-80123-3
cce@rhel9: CCE-88714-1
references:
diff --git a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create/rule.yml b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create/rule.yml
index 8ade25ebb5b..3511bab2ab6 100644
--- a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create/rule.yml
@@ -24,7 +24,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80118-3
cce@rhel9: CCE-86409-0
references:
diff --git a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification/rule.yml b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification/rule.yml
index e7212ced859..95bcdc45303 100644
--- a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification/rule.yml
@@ -26,7 +26,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80119-1
cce@rhel9: CCE-87894-2
references:
diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml
index cc7579539c9..94e64677715 100644
--- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml
@@ -24,7 +24,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80120-9
cce@rhel8: CCE-80772-7
cce@rhel9: CCE-87524-5
cce@sle15: CCE-85777-1
diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml
index 1bd43a35ae9..f6a4572b1a5 100644
--- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml
@@ -24,7 +24,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80121-7
cce@rhel8: CCE-80773-5
cce@rhel9: CCE-88756-2
cce@sle15: CCE-85822-5
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml
index a3fa8f1b0db..1239974045d 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml
@@ -31,7 +31,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80111-8
cce@rhel8: CCE-80774-3
cce@rhel9: CCE-87755-5
cce@sle12: CCE-92219-5
@@ -52,7 +51,6 @@ references:
pcidss: Req-8.1.8
srg: SRG-OS-000029-GPOS-00010
stigid@ol7: OL07-00-010100
- stigid@rhel7: RHEL-07-010100
ocil_clause: 'idle-activation-enabled is not enabled or configured'
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_locked/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_locked/rule.yml
index 69ef9669006..2e8a979528f 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_locked/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_locked/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80564-8
cce@rhel8: CCE-83858-1
cce@rhel9: CCE-86819-0
@@ -37,7 +36,6 @@ references:
pcidss: Req-8.1.8
srg: SRG-OS-000029-GPOS-00010
stigid@ol7: OL07-00-010101
- stigid@rhel7: RHEL-07-010101
ocil_clause: 'idle-activation-enabled is not locked'
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml
index 2b869894fee..a9f58f039b0 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml
@@ -23,7 +23,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80110-0
cce@rhel8: CCE-80775-0
cce@rhel9: CCE-86510-5
cce@sle12: CCE-83010-9
@@ -47,7 +46,6 @@ references:
srg: SRG-OS-000029-GPOS-00010,SRG-OS-000031-GPOS-00012
stigid@ol7: OL07-00-010070
stigid@ol8: OL08-00-020060
- stigid@rhel7: RHEL-07-010070
stigid@rhel8: RHEL-08-020060
stigid@sle12: SLES-12-010080
stigid@sle15: SLES-15-010120
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
index 5c05b158d78..c84243da683 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80370-0
cce@rhel8: CCE-80776-8
cce@rhel9: CCE-86954-5
@@ -39,7 +38,6 @@ references:
srg: SRG-OS-000029-GPOS-00010,SRG-OS-000031-GPOS-00012
stigid@ol7: OL07-00-010110
stigid@ol8: OL08-00-020031
- stigid@rhel7: RHEL-07-010110
stigid@rhel8: RHEL-08-020031
stigid@ubuntu2204: UBTU-22-271025
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
index 73d78790943..f94a32811d0 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
@@ -31,7 +31,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80112-6
cce@rhel8: CCE-80777-6
cce@rhel9: CCE-89302-4
cce@sle12: CCE-83222-0
@@ -55,7 +54,6 @@ references:
srg: SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011
stigid@ol7: OL07-00-010060
stigid@ol8: OL08-00-020030,OL08-00-020082
- stigid@rhel7: RHEL-07-010060
stigid@rhel8: RHEL-08-020030
stigid@sle12: SLES-12-010060
stigid@sle15: SLES-15-010100
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/rule.yml
index f263324e7ab..937102b3f0f 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80563-0
cce@rhel8: CCE-87261-4
cce@rhel9: CCE-90150-4
@@ -37,7 +36,6 @@ references:
pcidss: Req-8.1.8
srg: SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011
stigid@ol7: OL07-00-010062
- stigid@rhel7: RHEL-07-010062
stigid@rhel8: RHEL-08-020082
ocil_clause: 'screensaver locking is not locked'
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml
index b6f85481045..1b5325ca0db 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml
@@ -46,7 +46,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80113-4
cce@rhel8: CCE-80778-4
cce@rhel9: CCE-88733-1
cce@sle12: CCE-83221-2
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/rule.yml
index 77d7bc300d7..d9a5eff6657 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/rule.yml
@@ -25,7 +25,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80114-2
cce@rhel8: CCE-80779-2
cce@rhel9: CCE-87468-5
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml
index c5918b5240e..a61a4b89024 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml
@@ -21,7 +21,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80371-8
cce@rhel8: CCE-80780-0
cce@rhel9: CCE-87491-7
@@ -39,7 +38,6 @@ references:
srg: SRG-OS-000029-GPOS-00010,SRG-OS-000031-GPOS-00012
stigid@ol7: OL07-00-010081
stigid@ol8: OL08-00-020080
- stigid@rhel7: RHEL-07-010081
stigid@rhel8: RHEL-08-020080
ocil_clause: 'GNOME3 session settings are not locked or configured properly'
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml
index aa5afe29156..56db9d4355d 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml
@@ -21,7 +21,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80544-0
cce@rhel8: CCE-80781-8
cce@rhel9: CCE-85971-0
cce@sle12: CCE-91636-1
@@ -42,7 +41,6 @@ references:
srg: SRG-OS-000029-GPOS-00010,SRG-OS-000031-GPOS-00012
stigid@ol7: OL07-00-010082
stigid@ol8: OL08-00-020081
- stigid@rhel7: RHEL-07-010082
stigid@rhel8: RHEL-08-020081
stigid@sle12: SLES-12-010080
stigid@sle15: SLES-15-010120
diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml
index 92adbc9017c..b598d753ff3 100644
--- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml
@@ -28,7 +28,6 @@ rationale: |-
severity: high
identifiers:
- cce@rhel7: CCE-80124-1
cce@rhel8: CCE-84028-0
cce@rhel9: CCE-88653-1
@@ -45,7 +44,6 @@ references:
srg: SRG-OS-000480-GPOS-00227
stigid@ol7: OL07-00-020231
stigid@ol8: OL08-00-040171
- stigid@rhel7: RHEL-07-020231
stigid@rhel8: RHEL-08-040171
stigid@ubuntu2004: UBTU-20-010459
stigid@ubuntu2204: UBTU-22-271030
diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/rule.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/rule.yml
index 3ae83813686..96dba740b07 100644
--- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/rule.yml
@@ -31,7 +31,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80117-5
cce@rhel9: CCE-85903-3
ocil_clause: 'geolocation is enabled and not disabled'
diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings/rule.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings/rule.yml
index afb354f2e09..3fa05c18c0a 100644
--- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings/rule.yml
@@ -26,7 +26,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-80116-7
cce@rhel9: CCE-87338-0
ocil_clause: 'power settings are enabled and are not disabled'
diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/rule.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/rule.yml
index bf89b8f5234..bc565133d48 100644
--- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/rule.yml
@@ -28,7 +28,6 @@ rationale: |-
severity: high
identifiers:
- cce@rhel7: CCE-80115-9
cce@rhel8: CCE-80769-3
cce@rhel9: CCE-88185-4
diff --git a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml
index 542b4c0a503..f13f4eec231 100644
--- a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml
+++ b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml
@@ -26,7 +26,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-82348-4
cce@rhel8: CCE-82367-4
cce@rhel9: CCE-83549-6
cce@sle12: CCE-92352-4
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
index 68f81619efc..760d8a54697 100644
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
@@ -4,7 +4,6 @@ The operating system installed on the system is a certified operating system that meets FIPS 140-2 requirements.
") }}}
-
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml
index 744b4c373db..7f48fea7271 100644
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml
@@ -7,10 +7,7 @@ description: |- To enable processing of sensitive information the operating system must provide certified cryptographic modules compliant with FIPS 140-2 standard.
-{{% if product in ["rhel7"] %}}
- Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise
- Linux vendor, Red Hat, Inc. is responsible for maintaining government certifications and standards.
-{{% elif product in ["sle12", "sle15"] %}}
+{{% if product in ["sle12", "sle15"] %}}
SUSE Enterprise Linux is supported by SUSE Software Solutions Germany GmbH. As the SUSE Enterprise Linux vendor, SUSE Software Solutions Germany GmbH is responsible for maintaining government certifications and standards.
@@ -60,7 +57,6 @@ warnings:
severity: high
identifiers:
- cce@rhel7: CCE-80657-0
cce@rhel8: CCE-80830-3
cce@sle12: CCE-83037-2
@@ -75,9 +71,7 @@ ocil_clause: 'the installed operating system is not FIPS 140-2 certified'
ocil: |-
To verify that the installed operating system is supported or certified, run the following command:
-{{% if product in ["rhel7"] %}}
-
$ grep -i "red hat" /etc/redhat-release
-{{% elif product == "ol7" %}}
+{{% if product == "ol7" %}}
$ grep -i "oracle" /etc/oracle-release
{{% elif product in ["sle12", "sle15"] %}}
$ grep -i "suse" /etc/os-release
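Review bot: The `ocil` hunk removes the Red Hat verification command (`$ grep -i "red hat" /etc/redhat-release`) together with the rhel7 branch, yet the identifiers hunk of the same file keeps `cce@rhel8: CCE-80830-3`, so the rule presumably still ships for RHEL 8 while the OCIL now only names `ol7`, `sle12` and `sle15`. The description hunk (`@@ -7,10 +7,7 @@`) has the same shape: the Red Hat vendor paragraph was keyed on rhel7 alone and is dropped rather than re-keyed. Unless an `{{% else %}}` branch outside the hunk already covers Red Hat, either retain both branches under `{{% if product in ["rhel8"] %}}` or remove the rhel8 identifier as well, so a RHEL CCE is not attached to a rule whose text no longer mentions RHEL. The rest of the `ocil` block lies outside the hunk.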
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml
index 7ef0e59925c..a1925ac3b99 100644
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml
@@ -4,7 +4,6 @@ The operating system installed on the system is supported by a vendor that provides security patches.
") }}}
-
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
index c6f87fb5b6a..76c35c3ad64 100644
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
@@ -30,7 +30,6 @@ warnings:
severity: high
identifiers:
- cce@rhel7: CCE-82371-6
cce@rhel8: CCE-80947-5
cce@rhel9: CCE-83453-1
cce@sle12: CCE-83001-8
@@ -47,7 +46,6 @@ references:
srg: SRG-OS-000480-GPOS-00227
stigid@ol7: OL07-00-020250
stigid@ol8: OL08-00-010000
- stigid@rhel7: RHEL-07-020250
stigid@rhel8: RHEL-08-010000
stigid@sle12: SLES-12-010000
stigid@sle15: SLES-15-010000
diff --git a/linux_os/guide/system/software/integrity/disable_prelink/rule.yml b/linux_os/guide/system/software/integrity/disable_prelink/rule.yml
index c3945bd9bf7..cdfec5043ee 100644
--- a/linux_os/guide/system/software/integrity/disable_prelink/rule.yml
+++ b/linux_os/guide/system/software/integrity/disable_prelink/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-27078-5
cce@rhel8: CCE-80787-5
cce@sle12: CCE-92211-2
cce@sle15: CCE-91341-8
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/install_antivirus/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/install_antivirus/rule.yml
index 9994a3cc884..a70ee4ec4cf 100644
--- a/linux_os/guide/system/software/integrity/endpoint_security_software/install_antivirus/rule.yml
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/install_antivirus/rule.yml
@@ -22,7 +22,6 @@ rationale: |-
severity: high
identifiers:
- cce@rhel7: CCE-27140-3
cce@rhel8: CCE-83879-7
references:
@@ -36,7 +35,6 @@ references:
nist-csf: DE.CM-4,DE.DP-3,PR.DS-1
srg: SRG-OS-000480-GPOS-00227
stigid@ol7: OL07-00-032000
- stigid@rhel7: RHEL-07-032000
ocil_clause: 'there is no anti-virus solution installed on the system'
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml
index d25a73464d5..72d40eeadad 100644
--- a/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml
@@ -19,7 +19,6 @@ conflicts: - selinux_state
identifiers:
- cce@rhel7: CCE-26818-5
cce@rhel8: CCE-80831-1
cce@rhel9: CCE-88837-0
cce@sle12: CCE-92218-7
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_antivirus/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_antivirus/rule.yml
index e4905b31a7f..a26aab813b1 100644
--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_antivirus/rule.yml
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_antivirus/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
severity: high
identifiers:
- cce@rhel7: CCE-80127-4
cce@sle12: CCE-92354-0
references:
@@ -28,7 +27,6 @@ references:
nist: CM-6(a),SC-28,SI-3(a)
nist-csf: DE.CM-4,DE.DP-3,PR.DS-1
srg: SRG-OS-000480-GPOS-00227
- stigid@rhel7: RHEL-07-032000
stigid@sle12: SLES-12-030611
ocil_clause: 'virus scanning software is not installed or running'
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_cma_rt/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_cma_rt/rule.yml
index b9f3f227dcf..976ff3d261e 100644
--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_cma_rt/rule.yml
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_cma_rt/rule.yml
@@ -12,9 +12,6 @@ rationale: |-
severity: medium
-identifiers:
- cce@rhel7: CCE-80367-6
-
ocil_clause: 'the HBSS HIPS module is not installed'
ocil: |-
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_antivirus_definitions_updated/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_antivirus_definitions_updated/rule.yml
index 83afbe92854..ca528a00993 100644
--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_antivirus_definitions_updated/rule.yml
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_antivirus_definitions_updated/rule.yml
@@ -11,9 +11,6 @@ rationale: |-
severity: medium
-identifiers:
- cce@rhel7: CCE-80129-0
-
references:
cis-csc: 12,13,14,4,7,8
cobit5: APO01.06,APO13.02,BAI02.01,BAI06.01,DSS04.07,DSS05.01,DSS05.02,DSS05.03,DSS06.06
@@ -24,7 +21,6 @@ references: nist: CM-6(a),SC-28,SI-3(a),SI-3(b),SI-3(2) nist-csf: DE.CM-4,DE.DP-3,PR.DS-1 srg: SRG-OS-000480-GPOS-00227 - stigid@rhel7: RHEL-07-032010 ocil_clause: 'signatures are out of date' diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml index a678a64d64f..8e55e3f66b3 100644 --- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml +++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml @@ -15,7 +15,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86262-3 cce@rhel8: CCE-86261-5 cce@rhel9: CCE-88806-5 cce@sle12: CCE-92348-2 @@ -27,7 +26,6 @@ references: srg: SRG-OS-000191-GPOS-00080 stigid@ol7: OL07-00-020019 stigid@ol8: OL08-00-010001 - stigid@rhel7: RHEL-07-020019 stigid@rhel8: RHEL-08-010001 stigid@sle12: SLES-12-010599 stigid@sle15: SLES-15-010001 diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml index 003163e10ec..823902944d8 100644 --- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml 
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml @@ -23,7 +23,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86257-3 cce@rhel8: CCE-86260-7 cce@rhel9: CCE-86236-7 cce@sle12: CCE-92347-4 @@ -35,7 +34,6 @@ references: srg: SRG-OS-000191-GPOS-00080 stigid@ol7: OL07-00-020019 stigid@ol8: OL08-00-010001 - stigid@rhel7: RHEL-07-020019 stigid@rhel8: RHEL-08-010001 stigid@sle12: SLES-12-010599 stigid@sle15: SLES-15-010001 diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_accm/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_accm/rule.yml index e19160b646a..024f3a69486 100644 --- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_accm/rule.yml +++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_accm/rule.yml @@ -13,9 +13,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80126-6 - references: cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 cobit5: APO01.06,APO07.06,APO08.04,APO10.05,APO11.06,APO12.01,APO12.02,APO12.03,APO12.04,APO12.06,APO13.01,APO13.02,BAI08.02,BAI08.04,DSS01.03,DSS01.05,DSS02.04,DSS02.05,DSS02.07,DSS03.01,DSS03.04,DSS03.05,DSS04.05,DSS05.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.01,DSS06.02,MEA03.03,MEA03.04 
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_pa/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_pa/rule.yml index 9936eef27e6..f0dac09f519 100644 --- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_pa/rule.yml +++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_pa/rule.yml @@ -13,9 +13,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80369-2 - references: cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 cobit5: APO01.06,APO07.06,APO08.04,APO10.05,APO11.06,APO12.01,APO12.02,APO12.03,APO12.04,APO12.06,APO13.01,APO13.02,BAI08.02,BAI08.04,DSS01.03,DSS01.05,DSS02.04,DSS02.05,DSS02.07,DSS03.01,DSS03.04,DSS03.05,DSS04.05,DSS05.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.01,DSS06.02,MEA03.03,MEA03.04 diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml index be1015f638e..b30516676ae 100644 --- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml @@ -15,7 +15,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80368-4 cce@rhel9: CCE-89466-7 cce@sle12: CCE-91650-2 cce@sle15: CCE-91291-5 
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/service_nails_enabled/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/service_nails_enabled/rule.yml index 95853341291..7f498028334 100644 --- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/service_nails_enabled/rule.yml +++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/service_nails_enabled/rule.yml @@ -14,9 +14,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80128-2 - references: cis-csc: 12,13,14,4,7,8 cobit5: APO01.06,APO13.02,BAI02.01,BAI06.01,DSS04.07,DSS05.01,DSS05.02,DSS05.03,DSS06.06 diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda index 2dd06202b30..5abb69fe5b6 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda @@ -1,3 +1,3 @@ -# platform = Red Hat Enterprise Linux 7,Oracle Linux 7 +# platform = Oracle Linux 7 package --add=dracut-fips --add=dracut-fips-aesni diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml index 3af960a3698..1f2a179d249 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 # reboot = true # strategy = restrict # complexity = high 
diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh index a1590e32729..18a6f83006a 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 +# platform = Oracle Linux 7 {{{ bash_disable_prelink() }}} diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml index 8735e0b591b..4cecedc1549 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml @@ -31,9 +31,6 @@ severity: high platforms: - grub2 -identifiers: - cce@rhel7: CCE-80359-3 - references: cis-csc: 12,15,8 cjis: 5.10.1.2 @@ -48,7 +45,6 @@ references: nist-csf: PR.AC-3,PR.PT-4 srg: SRG-OS-000033-GPOS-00014,SRG-OS-000185-GPOS-00079,SRG-OS-000396-GPOS-00176,SRG-OS-000405-GPOS-00184,SRG-OS-000478-GPOS-00223 stigid@ol7: OL07-00-021350 - stigid@rhel7: RHEL-07-021350 ocil_clause: 'FIPS is not configured or enabled in grub' diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/anaconda/shared.anaconda b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/anaconda/shared.anaconda index 1e8d528828c..be9d0f43564 100644 --- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/anaconda/shared.anaconda +++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/anaconda/shared.anaconda @@ -1,3 +1,3 @@ -# platform = Red Hat Enterprise Linux 7,Oracle Linux 7 +# platform = Oracle Linux 7 package --add=dracut-fips-aesni 
diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml index 7c3e3c4f416..47f1fadda95 100644 --- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,Red Hat OpenShift Container Platform 4 +# platform = Oracle Linux 7,Red Hat Virtualization 4,Red Hat OpenShift Container Platform 4 # reboot = false # strategy = enable # complexity = low diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/bash/shared.sh index 75a5f6eb5b7..cefe4293663 100644 --- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,Red Hat OpenShift Container Platform 4 +# platform = Oracle Linux 7,Red Hat Virtualization 4,Red Hat OpenShift Container Platform 4 if grep -q -m1 -o aes /proc/cpuinfo; then {{{ bash_package_install("dracut-fips-aesni") | indent(4) }}} diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml index a677bcf8455..a38ce3b58c3 100644 --- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml 
@@ -17,9 +17,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-90778-2 - references: cis-csc: 12,15,8 cjis: 5.10.1.2 diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml index d88f52f331e..c9752bcb350 100644 --- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml @@ -16,9 +16,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-80358-5 - references: cis-csc: 12,15,8 cjis: 5.10.1.2 diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml index d9372300575..0d3197401de 100644 --- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml @@ -24,7 +24,6 @@ severity: high platform: machine # The oscap sysctl probe doesn't support offline mode identifiers: - cce@rhel7: CCE-80658-8 cce@rhel8: CCE-84027-2 cce@rhel9: CCE-83441-6 diff --git a/linux_os/guide/system/software/integrity/package_prelink_removed/rule.yml b/linux_os/guide/system/software/integrity/package_prelink_removed/rule.yml index 4933a5dadbf..8cbddff9340 100644 --- a/linux_os/guide/system/software/integrity/package_prelink_removed/rule.yml +++ b/linux_os/guide/system/software/integrity/package_prelink_removed/rule.yml @@ -13,9 +13,6 @@ rationale: |- severity: medium -identifiers: - cce@rhel7: CCE-86562-6 - references: cis@ubuntu2004: 1.6.3 cis@ubuntu2204: 1.5.2 
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml index 6ab661bf51c..0b1d5b8b015 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml @@ -36,7 +36,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-27220-3 cce@rhel8: CCE-80675-2 cce@rhel9: CCE-83438-2 cce@sle12: CCE-91483-8 @@ -59,7 +58,6 @@ references: srg: SRG-OS-000445-GPOS-00199 stigid@ol7: OL07-00-020029 stigid@ol8: OL08-00-010359 - stigid@rhel7: RHEL-07-020029 stigid@rhel8: RHEL-08-010359 stigid@sle12: SLES-12-010499 stigid@sle15: SLES-15-010419 diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_checking_systemd_timer/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_checking_systemd_timer/rule.yml index fc22aa9a34d..24569ec1f4a 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_checking_systemd_timer/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_checking_systemd_timer/rule.yml @@ -39,7 +39,6 @@ references: pcidss: Req-11.5 srg: SRG-OS-000363-GPOS-00150,SRG-OS-000446-GPOS-00200,SRG-OS-000447-GPOS-00201 stigid@ol7: OL07-00-020030 - stigid@rhel7: RHEL-07-020030 stigid@sle15: SLES-15-010570 platform: package[aide] diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml index f717ac5d98b..f177c0b3e73 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml 
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml @@ -35,7 +35,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-26952-2 cce@rhel8: CCE-80676-0 cce@rhel9: CCE-83437-4 cce@sle12: CCE-91529-8 @@ -59,7 +58,6 @@ references: pcidss: Req-11.5 srg: SRG-OS-000363-GPOS-00150,SRG-OS-000446-GPOS-00200,SRG-OS-000447-GPOS-00201 stigid@ol7: OL07-00-020030 - stigid@rhel7: RHEL-07-020030 stigid@sle12: SLES-12-010500 stigid@sle15: SLES-15-010420 stigid@ubuntu2004: UBTU-20-010074 diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml index c2d7e7a7c82..5b08dd4e7a7 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml @@ -27,7 +27,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80374-2 cce@rhel8: CCE-82891-3 cce@rhel9: CCE-90844-2 cce@sle12: CCE-83048-9 @@ -46,7 +45,6 @@ references: srg: SRG-OS-000363-GPOS-00150,SRG-OS-000446-GPOS-00200,SRG-OS-000447-GPOS-00201 stigid@ol7: OL07-00-020040 stigid@ol8: OL08-00-010360 - stigid@rhel7: RHEL-07-020040 stigid@rhel8: RHEL-08-010360 stigid@sle12: SLES-12-010510 stigid@sle15: SLES-15-010570 diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml index 6d37a6696de..dd59d33e59c 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml 
@@ -19,7 +19,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80377-5 cce@rhel8: CCE-86404-1 cce@rhel9: CCE-88939-4 @@ -35,7 +34,6 @@ references: nist-csf: PR.DS-6,PR.DS-8 srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-021620 - stigid@rhel7: RHEL-07-021620 ocil_clause: 'the sha512 option is missing or not added to the correct ruleset' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/tests/correct_value.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/tests/correct_value.pass.sh index 9f9f96e4dbd..62dd8a51ee1 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/tests/correct_value.pass.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/tests/correct_value.pass.sh @@ -1,11 +1,11 @@ #!/bin/bash # packages = aide -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_ol +# platform = Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_ol cat >/etc/aide.conf </etc/aide.conf </etc/aide.conf </etc/aide.conf </etc/aide.conf </etc/aide.conf <env_reset tag, when specified, will run the command in a minimal environment, containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER and SUDO_* variables. -{{%- if product in ["rhel7", "rhel8"] %}} +{{%- if 'rhel' in product %}} On {{{ full_name }}}, env_reset is enabled by default {{%- endif %}} This should be enabled by making sure that the env_reset tag exists in @@ -20,7 +20,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-83819-3 cce@rhel8: CCE-83820-1 cce@sle12: CCE-91492-9 cce@sle15: CCE-91184-2 @@ -37,5 +36,4 @@ template: name: sudo_defaults_option vars: option: env_reset - default_is_enabled@rhel7: "true" default_is_enabled@rhel8: "true" 
diff --git a/linux_os/guide/system/software/sudo/sudo_add_ignore_dot/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_ignore_dot/rule.yml
index 4ef155c07b8..72edee9d89e 100644
--- a/linux_os/guide/system/software/sudo/sudo_add_ignore_dot/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_add_ignore_dot/rule.yml
@@ -6,7 +6,7 @@ title: 'Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot'
 description: |-
 The sudo ignore_dot tag, when specified, will ignore the current directory in the PATH environment variable.
-{{%- if product in ["rhel7", "rhel8"] %}}
+{{%- if 'rhel' in product %}}
 On {{{ full_name }}}, env_reset is enabled by default
 {{%- endif %}}
 This should be enabled by making sure that the ignore_dot tag exists in
@@ -20,7 +20,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83809-4
 cce@rhel8: CCE-83810-2
 cce@sle12: CCE-91493-7
 cce@sle15: CCE-91185-9
@@ -37,5 +36,4 @@ template:
 name: sudo_defaults_option
 vars:
 option: ignore_dot
- default_is_enabled@rhel7: "true"
 default_is_enabled@rhel8: "true"
diff --git a/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml
index 7b003d106db..798143ca32f 100644
--- a/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: high
 identifiers:
- cce@rhel7: CCE-83740-1
 cce@rhel8: CCE-83747-6
 cce@rhel9: CCE-83537-1
 cce@sle12: CCE-91494-5
diff --git a/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
index 1445c701a76..9ecc1702668 100644
--- a/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
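Review bot: The new guard `{{%- if 'rhel' in product %}}` in the sudo_add_ignore_dot description now renders the "enabled by default" sentence for every product id containing the substring "rhel" (rhel9 and rhel10 included), while the template hunk at the end of the same file keeps only `default_is_enabled@rhel8: "true"`, so for rhel9/rhel10 the prose claims a default that the check's template variables do not encode. Either narrow the condition back to an explicit list, e.g. `{{%- if product in ["rhel8", "rhel9", "rhel10"] %}}`, or add `default_is_enabled@rhel9`/`default_is_enabled@rhel10` entries following the existing key pattern once the compiled-in default has been confirmed for those releases; a substring test also silently matches any future product id that happens to contain "rhel". The same widened condition appears in sudo_add_env_reset (previous line) and in sudo_add_passwd_timeout and sudo_add_umask (next line), where the stated defaults (5 minutes, 0022) likewise now extend to rhel9/rhel10 with nothing in this diff confirming them. In the same context, the ignore_dot description reads "env_reset is enabled by default" where it presumably means ignore_dot. The description block scalar continues past the hunk.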
@@ -5,7 +5,7 @@ title: 'Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout'
 description: |-
 The sudo passwd_timeout tag sets the amount of time sudo password prompt waits.
-{{%- if product in ["rhel7", "rhel8"] %}}
+{{%- if 'rhel' in product %}}
 On {{{ full_name }}}, the default passwd_timeout value is 5 minutes.
 {{% endif %}}
 The passwd_timeout should be configured by making sure that the
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83963-9
 cce@rhel8: CCE-83964-7
 cce@sle12: CCE-91495-2
 cce@sle15: CCE-91187-5
diff --git a/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml
index c2e2dc2deaa..4a07bb3804f 100644
--- a/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83787-2
 cce@rhel8: CCE-83790-6
 cce@rhel9: CCE-83539-7
 cce@sle12: CCE-91496-0
diff --git a/linux_os/guide/system/software/sudo/sudo_add_umask/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_umask/rule.yml
index 10df3eea7d0..e771c7909cf 100644
--- a/linux_os/guide/system/software/sudo/sudo_add_umask/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_add_umask/rule.yml
@@ -6,7 +6,7 @@ title: 'Ensure sudo umask is appropriate - sudo umask'
 description: |-
 The sudo umask tag, when specified, will be added the to the user's umask in the command environment.
-{{%- if product in ["rhel7", "rhel8"] %}}
+{{%- if 'rhel' in product %}}
 On {{{ full_name }}}, the default umask value is 0022.
 {{% endif %}}
 The umask should be configured by making sure that the umask={{{ xccdf_value("var_sudo_umask") }}} tag exists in
@@ -21,7 +21,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83859-9
 cce@rhel8: CCE-83860-7
 cce@sle12: CCE-91498-6
 cce@sle15: CCE-91189-1
diff --git a/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml index 2f739880bd8..4358ea50cdd 100644 --- a/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml @@ -16,7 +16,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-83797-1 cce@rhel8: CCE-83798-9 cce@rhel9: CCE-83538-9 cce@sle12: CCE-91499-4 diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml index 369266f9fe0..1c155dfbd40 100644 --- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: low identifiers: - cce@rhel7: CCE-83600-7 cce@rhel8: CCE-83601-5 cce@rhel9: CCE-83527-2 cce@sle12: CCE-91654-4 diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml b/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml index 7ad104dbd6b..71dcfe571ee 100644 --- a/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml @@ -21,7 +21,6 @@ warnings: severity: medium identifiers: - cce@rhel7: CCE-83491-1 cce@rhel8: CCE-83982-9 cce@rhel9: CCE-86101-3 cce@sle12: CCE-91500-9 diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml index e580c801c82..2f2a8b90577 100644 --- a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml @@ -18,7 +18,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80350-2 cce@rhel8: CCE-82202-3 cce@rhel9: CCE-83544-7 cce@sle12: CCE-83013-3 
@@ -37,7 +36,6 @@ references: srg: SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157,SRG-OS-000373-GPOS-00158 stigid@ol7: OL07-00-010350 stigid@ol8: OL08-00-010381 - stigid@rhel7: RHEL-07-010350 stigid@rhel8: RHEL-08-010381 stigid@sle12: SLES-12-010110 stigid@sle15: SLES-15-010450 diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml index 342345a5922..be4a56ce1f0 100644 --- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml @@ -19,7 +19,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-80351-0 cce@rhel8: CCE-82197-5 cce@rhel9: CCE-83536-3 cce@sle12: CCE-83012-5 @@ -37,7 +36,6 @@ references: srg: SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157,SRG-OS-000373-GPOS-00158 stigid@ol7: OL07-00-010340 stigid@ol8: OL08-00-010380 - stigid@rhel7: RHEL-07-010340 stigid@rhel8: RHEL-08-010380 stigid@sle12: SLES-12-010110 stigid@sle15: SLES-15-010450 diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml index d979bdb8ade..52a076227ba 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml @@ -20,7 +20,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-82278-3 cce@rhel8: CCE-82279-1 cce@rhel9: CCE-83543-9 cce@sle15: CCE-85673-2 diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml index f6e67303e83..71d932f3483 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml 
@@ -23,7 +23,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-85963-7 cce@rhel8: CCE-87838-9 cce@rhel9: CCE-90029-0 cce@sle12: CCE-83231-1 @@ -36,7 +35,6 @@ references: srg: SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157,SRG-OS-000373-GPOS-00158 stigid@ol7: OL07-00-010343 stigid@ol8: OL08-00-010384 - stigid@rhel7: RHEL-07-010343 stigid@rhel8: RHEL-08-010384 stigid@sle12: SLES-12-010113 stigid@sle15: SLES-15-020102 diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_others_executable_permission/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_others_executable_permission/rule.yml index 53dbba9e2ba..15040a89705 100644 --- a/linux_os/guide/system/software/sudo/sudo_restrict_others_executable_permission/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_restrict_others_executable_permission/rule.yml @@ -13,7 +13,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-83571-0 cce@rhel8: CCE-83574-4 diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml index 74cab63ec33..2b0b099617a 100644 --- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml @@ -19,7 +19,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-83423-4 cce@rhel8: CCE-83425-9 cce@rhel9: CCE-83525-6 cce@sle12: CCE-83229-5 @@ -32,7 +31,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-010341 stigid@ol8: OL08-00-010382 - stigid@rhel7: RHEL-07-010341 stigid@rhel8: RHEL-08-010382 stigid@sle12: SLES-12-010111 stigid@sle15: SLES-15-020101 diff --git a/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml b/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml index a32e759eee4..e61e121abec 100644 
--- a/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml @@ -17,7 +17,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-82349-2 cce@rhel8: CCE-82365-8 cce@rhel9: CCE-83528-0 diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml index 5b8379c350d..0938731ec1e 100644 --- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml @@ -23,7 +23,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-86277-1 cce@rhel8: CCE-86377-9 cce@rhel9: CCE-86477-7 cce@sle12: CCE-83255-0 @@ -34,7 +33,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-010339 stigid@ol8: OL08-00-010379 - stigid@rhel7: RHEL-07-010339 stigid@rhel8: RHEL-08-010379 stigid@sle12: SLES-12-010109 stigid@sle15: SLES-15-020099 diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml index f622b4a1a5d..049ad39d960 100644 --- a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml +++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml @@ -22,7 +22,6 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-83631-2 cce@rhel8: CCE-83632-0 cce@rhel9: CCE-83545-4 cce@sle12: CCE-91501-7 diff --git a/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml b/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml index 79a97048017..4347da2ce68 100644 --- a/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml +++ b/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml 
@@ -21,7 +21,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83517-3
 cce@rhel8: CCE-83518-1
 cce@rhel9: CCE-83524-9
 cce@sle12: CCE-91502-5
diff --git a/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml b/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml
index 5e5a4320a76..62543d4e27b 100644
--- a/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-83597-5
 cce@rhel8: CCE-83598-3
 cce@rhel9: CCE-83531-4
 cce@sle12: CCE-91503-3
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
index 862c387647c..e8f86d1aeb9 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
@@ -24,7 +24,6 @@ rationale: |-
 the invoking user for the "root" user password.
 identifiers:
- cce@rhel7: CCE-83421-8
 cce@rhel8: CCE-83422-6
 cce@rhel9: CCE-83529-8
 cce@sle12: CCE-83230-3
@@ -36,7 +35,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-010342
 stigid@ol8: OL08-00-010383
- stigid@rhel7: RHEL-07-010342
 stigid@rhel8: RHEL-08-010383
 stigid@sle12: SLES-12-010112
 stigid@sle15: SLES-15-020103
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml
index 3cfc412ab03..0c9ac75e313 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: low
 identifiers:
- cce@rhel7: CCE-82920-0
 cce@rhel8: CCE-82919-2
 cce@rhel9: CCE-83507-4
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml
index a8692ed28ca..2dc267c1035 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: low
 identifiers:
- cce@rhel7: CCE-82927-5
 cce@rhel8: CCE-82926-7
 cce@rhel9: CCE-83508-2
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml
index 54a8d350bfb..d801538ef26 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml
@@ -12,9 +12,6 @@ rationale: |-
 severity: low
-identifiers:
- cce@rhel7: CCE-82924-2
-
 references:
 disa: CCI-000381
 srg: SRG-OS-000095-GPOS-00049
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml
index 61d482103a5..ba990a14886 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: low
 identifiers:
- cce@rhel7: CCE-82908-5
 cce@rhel8: CCE-82907-7
 cce@rhel9: CCE-83512-4
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml
index e93f817c4d3..9ae46dc5ac7 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: low
 identifiers:
- cce@rhel7: CCE-82914-3
 cce@rhel8: CCE-82913-5
 cce@rhel9: CCE-83513-2
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml
index f9ce032490d..2cf7b7774db 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: low
 identifiers:
- cce@rhel7: CCE-82917-6
 cce@rhel8: CCE-82916-8
 cce@rhel9: CCE-83514-0
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml
index 73dcdc0abe8..67e71534524 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml
@@ -12,7 +12,6 @@ rationale: |-
 severity: low
 identifiers:
- cce@rhel7: CCE-82911-9
 cce@rhel8: CCE-82910-1
 cce@rhel9: CCE-83515-7
diff --git a/linux_os/guide/system/software/system-tools/package_binutils_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_binutils_installed/rule.yml
index de4a1433adf..75b91a333e6 100644
--- a/linux_os/guide/system/software/system-tools/package_binutils_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_binutils_installed/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82990-3
 cce@rhel8: CCE-82989-5
 ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/software/system-tools/package_cryptsetup-luks_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_cryptsetup-luks_installed/rule.yml
index ed6c6c2949d..87a545c8526 100644
--- a/linux_os/guide/system/software/system-tools/package_cryptsetup-luks_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_cryptsetup-luks_installed/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82996-0
 cce@rhel9: CCE-86612-9
diff --git a/linux_os/guide/system/software/system-tools/package_geolite2-city_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_geolite2-city_removed/rule.yml
index 463754ca7c4..12af635a5ec 100644
--- a/linux_os/guide/system/software/system-tools/package_geolite2-city_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_geolite2-city_removed/rule.yml
@@ -12,7 +12,6 @@ rationale: |-
 severity: low
 identifiers:
- cce@rhel7: CCE-82940-8
 cce@rhel8: CCE-82939-0
 {{{ complete_ocil_entry_package(package="geolite2-city") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_geolite2-country_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_geolite2-country_removed/rule.yml
index 19fa1931095..26cd1d47c24 100644
--- a/linux_os/guide/system/software/system-tools/package_geolite2-country_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_geolite2-country_removed/rule.yml
@@ -12,7 +12,6 @@ rationale: |-
 severity: low
 identifiers:
- cce@rhel7: CCE-82937-4
 cce@rhel8: CCE-82936-6
 {{{ complete_ocil_entry_package(package="geolite2-country") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml
index 801df41d9a7..78f59b1bf14 100644
--- a/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml
@@ -12,7 +12,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82944-0
 cce@rhel8: CCE-82943-2
 cce@rhel9: CCE-83516-5
diff --git a/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml
index 53e7a0a8b7d..48c9740da83 100644
--- a/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82947-3
 cce@rhel8: CCE-82946-5
 cce@rhel9: CCE-83519-9
diff --git a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
index cc3d2a62c12..41d6e72daae 100644
--- a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82930-9
 cce@rhel8: CCE-82931-7
 cce@rhel9: CCE-83520-7
diff --git a/linux_os/guide/system/software/system-tools/package_libcap-ng-utils_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_libcap-ng-utils_installed/rule.yml
index 7a173372fac..96c27217564 100644
--- a/linux_os/guide/system/software/system-tools/package_libcap-ng-utils_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_libcap-ng-utils_installed/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82980-4
 cce@rhel8: CCE-82979-6
 references:
diff --git a/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml
index c238c47b70a..4978ab41c92 100644
--- a/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82219-7
 cce@rhel8: CCE-82220-5
 cce@rhel9: CCE-83502-5
diff --git a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
index 7f198da5db0..77dc26f23ef 100644
--- a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82882-2
 cce@rhel8: CCE-82883-0
 cce@rhel9: CCE-83503-3
diff --git a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
index 135b6b3989a..9def78189fc 100644
--- a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
@@ -13,7 +13,6 @@ rationale: |-
 severity: low
 identifiers:
- cce@rhel7: CCE-82969-7
 cce@rhel8: CCE-82968-9
 cce@rhel9: CCE-83504-1
diff --git a/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml
index 453d0cd36ab..5c3178b5aec 100644
--- a/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml
@@ -20,7 +20,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82951-5
 cce@rhel8: CCE-82949-9
 cce@rhel9: CCE-83505-8
diff --git a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
index e930dc900a5..786e09a109a 100644
--- a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
@@ -23,7 +23,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82638-8
 cce@rhel8: CCE-82316-1
 cce@rhel9: CCE-83506-6
diff --git a/linux_os/guide/system/software/system-tools/package_tar_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_tar_installed/rule.yml
index 8b2fdaaa90b..c12e9b27688 100644
--- a/linux_os/guide/system/software/system-tools/package_tar_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_tar_installed/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82966-3
 cce@rhel8: CCE-82965-5
 ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml
index e14d516e31c..f2b7e2e4177 100644
--- a/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-82905-1
 cce@rhel8: CCE-82904-4
 cce@rhel9: CCE-83521-5
diff --git a/linux_os/guide/system/software/system-tools/package_vim_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_vim_installed/rule.yml
index 9f055604a3e..4884067bf73 100644
--- a/linux_os/guide/system/software/system-tools/package_vim_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_vim_installed/rule.yml
@@ -12,7 +12,6 @@ rationale: |-
 severity: low
 identifiers:
- cce@rhel7: CCE-82957-2
 cce@rhel8: CCE-82956-4
 ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
index 2514c5d7fa5..4498839d1f7 100644
--- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
+++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
@@ -27,7 +27,6 @@ rationale: |-
 severity: low
 identifiers:
- cce@rhel7: CCE-80346-0
 cce@rhel8: CCE-82476-3
 cce@rhel9: CCE-83458-0
 cce@sle12: CCE-83186-7
@@ -45,7 +44,6 @@ references:
 srg: SRG-OS-000437-GPOS-00194
 stigid@ol7: OL07-00-020200
 stigid@ol8: OL08-00-010440
- stigid@rhel7: RHEL-07-020200
 stigid@rhel8: RHEL-08-010440
 stigid@sle12: SLES-12-010570
 stigid@sle15: SLES-15-010560
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
index 7cb06aa46da..bb6f1f74ffc 100644
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
@@ -30,7 +30,6 @@ rationale: |-
 severity: high
 identifiers:
- cce@rhel7: CCE-26989-4
 cce@rhel8: CCE-80790-9
 cce@rhel9: CCE-83457-2
 cce@sle12: CCE-83068-7
@@ -55,7 +54,6 @@ references:
 srg: SRG-OS-000366-GPOS-00153
 stigid@ol7: OL07-00-020050
 stigid@ol8: OL08-00-010370
- stigid@rhel7: RHEL-07-020050
 stigid@rhel8: RHEL-08-010370
 stigid@sle12: SLES-12-010550
 stigid@sle15: SLES-15-010430
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
index 9aa0633f74e..71b85b67056 100644
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: high
 identifiers:
- cce@rhel7: CCE-80347-8
 cce@rhel8: CCE-80791-7
 cce@rhel9: CCE-83463-0
 cce@sle12: CCE-91475-4
@@ -40,7 +39,6 @@ references:
 srg: SRG-OS-000366-GPOS-00153
 stigid@ol7: OL07-00-020060
 stigid@ol8: OL08-00-010371
- stigid@rhel7: RHEL-07-020060
 stigid@rhel8: RHEL-08-010371
 ocil_clause: 'there is no process to validate certificates for local packages that is approved by the organization'
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml
index d46746274d6..729ca66c86f 100644
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: high
 identifiers:
- cce@rhel7: CCE-26876-3
 cce@rhel8: CCE-80792-5
 cce@rhel9: CCE-83464-8
 cce@sle12: CCE-83258-4
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml
index 8a9de803fc7..e423564fddf 100644
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml
@@ -31,7 +31,6 @@ rationale: |-
 severity: high
 identifiers:
- cce@rhel7: CCE-80348-6
 cce@rhel8: CCE-80793-3
 references:
diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml
index 96cb0ff5b12..13970997c3e 100644
--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml
+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml
@@ -6,9 +6,6 @@ - {{%- if product == "rhel7" %}} - - {{%- endif %}} $ sudo yum update
@@ -38,7 +38,6 @@ rationale: |-
 severity: medium
 identifiers:
- cce@rhel7: CCE-26895-3
 cce@rhel8: CCE-80865-9
 cce@rhel9: CCE-84185-8
 cce@sle12: CCE-83002-6
@@ -60,7 +59,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-020260
 stigid@ol8: OL08-00-010010
- stigid@rhel7: RHEL-07-020260
 stigid@rhel8: RHEL-08-010010
 stigid@sle12: SLES-12-010010
 stigid@sle15: SLES-15-010010
diff --git a/products/rhel7/CMakeLists.txt b/products/rhel7/CMakeLists.txt
deleted file mode 100644
index 9cae6b4bae7..00000000000
--- a/products/rhel7/CMakeLists.txt
+++ /dev/null
@@ -1,35 +0,0 @@
-# Sometimes our users will try to do: "cd rhel7; cmake ." That needs to error in a nice way.
-if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
- message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
-endif()
-
-set(PRODUCT "rhel7")
-
-ssg_build_product(${PRODUCT})
-
-ssg_build_html_ref_tables("${PRODUCT}" "table-${PRODUCT}-{ref_id}refs" "anssi;cis;cui;nist;ospp;pcidss")
-
-ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-C2S" "${PRODUCT}" "C2S" "nist")
-ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-ospp" "${PRODUCT}" "ospp" "nist")
-ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-standard" "${PRODUCT}" "standard" "nist")
-ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-stig" "${PRODUCT}" "stig" "nist")
-
-ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-nt28_minimal" "${PRODUCT}" "anssi_nt28_minimal" "anssi")
-ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-nt28_enhanced" "${PRODUCT}" "anssi_nt28_enhanced" "anssi")
-ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-nt28_intermediary" "${PRODUCT}" "anssi_nt28_intermediary" "anssi")
-ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-nt28_high" "${PRODUCT}" "anssi_nt28_high" "anssi")
-
-ssg_build_html_cce_table(${PRODUCT})
-
-ssg_build_html_srgmap_tables(${PRODUCT})
-
-ssg_build_html_stig_tables(${PRODUCT})
-ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig")
-ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig_gui")
-
-if(SSG_CENTOS_DERIVATIVES_ENABLED)
- ssg_build_derivative_product(${PRODUCT} "centos" "centos7")
-endif()
-if(SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED)
- ssg_build_derivative_product(${PRODUCT} "sl" "sl7")
-endif()
diff --git a/products/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
deleted file mode 100644
index e17518546c6..00000000000
--- a/products/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
+++ /dev/null
@@ -1,137 +0,0 @@
-# SCAP Security Guide ANSSI BP-028 (enhanced) profile kickstart for Red Hat Enterprise Linux 7 Server
-# Version: 0.0.1
-# Date: 2021-01-28
-#
-# Based on:
-# https://pykickstart.readthedocs.io/en/latest/
-# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
-# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-
-# Install a fresh new system (optional)
-install
-
-# Specify installation method to use for installation
-# To use a different one comment out the 'url' one below, update
-# the selected choice with proper options & un-comment it
-#
-# Install from an installation tree on a remote server via FTP or HTTP:
-# --url the URL to install from
-#
-# Example:
-#
-# url --url=http://192.168.122.1/image
-#
-# Modify concrete URL in the above example appropriately to reflect the actual
-# environment machine is to be installed in
-#
-# Other possible / supported installation methods:
-# * install from the first CD-ROM/DVD drive on the system:
-#
-# cdrom
-#
-# * install from a directory of ISO images on a local drive:
-#
-# harddrive --partition=hdb2 --dir=/tmp/install-tree
-#
-# * install from provided NFS server:
-#
-# nfs --server= --dir= [--opts=]
-#
-
-# Set language to use during installation and the default language to use on the installed system (required)
-lang en_US.UTF-8
-
-# Set system keyboard type / layout (required)
-keyboard --vckeymap us
-
-# Configure network information for target system and activate network devices in the installer environment (optional)
-# --onboot enable device at a boot time
-# --device device to be activated and / or configured with the network command
-# --bootproto method to obtain networking configuration for device (default dhcp)
-# --noipv6 disable IPv6 on this device
-network --onboot yes --device eth0 --bootproto dhcp --noipv6
-
-# Set the system's root password (required)
-# Plaintext password is: server
-# 
Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
-# encrypted password form for different plaintext password
-rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
-
-# The selected profile will restrict root login
-# Add a user that can login and escalate privileges
-# Plaintext password is: admin123
-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-
-# Configure firewall settings for the system (optional)
-# --enabled reject incoming connections that are not in response to outbound requests
-# --ssh allow sshd service through the firewall
-firewall --enabled --ssh
-
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
-# Set the system time zone (required)
-timezone --utc America/New_York
-
-# Specify how the bootloader should be installed (required)
-# Plaintext password is: password
-# Refer to e.g. 
grub2-mkpasswd-pbkdf2 to see how to create
-# encrypted password form for different plaintext password
-bootloader --append="audit=1 audit_backlog_limig=8192" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
-
-# Initialize (format) all disks (optional)
-zerombr
-
-# The following partition layout scheme assumes disk of size 20GB or larger
-# Modify size of partitions appropriately to reflect actual machine's hardware
-#
-# Remove Linux partitions from the system prior to creating new ones (optional)
-# --linux erase all Linux partitions
-# --initlabel initialize the disk label to the default based on the underlying architecture
-clearpart --linux --initlabel
-
-# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
-part pv.01 --grow --size=1
-
-# Create a Logical Volume Management (LVM) group (optional)
-volgroup VolGroup pv.01
-
-# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=4216 --grow
-# Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev"
-# Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /tmp Located On Separate Partition
-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
-# Ensure 
/var/tmp Located On Separate Partition
-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
-# Ensure /var/log Located On Separate Partition
-logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /var/log/audit Located On Separate Partition
-logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev"
-logvol swap --name=swap --vgname=VolGroup --size=2016
-
-# Despite the ID referencing NT-28, the profile is aligned to BP-028
-%addon org_fedora_oscap
- content-type = scap-security-guide
- profile = xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced
-%end
-
-# Packages selection (%packages section is required)
-%packages
-%end
-
-# Reboot after the installation is complete (optional)
-# --eject attempt to eject CD or DVD media before rebooting
-reboot --eject
diff --git a/products/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
deleted file mode 100644
index 78d6cebe72a..00000000000
--- a/products/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
+++ /dev/null
@@ -1,141 +0,0 @@
-# SCAP Security Guide ANSSI BP-028 (high) profile kickstart for Red Hat Enterprise Linux 7 Server
-# Version: 0.0.1
-# Date: 2020-12-10
-#
-# Based on:
-# https://pykickstart.readthedocs.io/en/latest/
-# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
-# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-
-# Install a fresh new system (optional)
-install
-
-# Specify installation method to use for installation
-# To use a different one comment out the 'url' one below, update
-# the selected choice with proper options & un-comment it
-#
-# Install from an installation tree on a remote server via FTP or HTTP:
-# --url the URL to install from
-#
-# Example:
-#
-# url --url=http://192.168.122.1/image
-#
-# Modify concrete URL in the above example appropriately to reflect the actual
-# environment machine is to be installed in
-#
-# Other possible / supported installation methods:
-# * install from the first CD-ROM/DVD drive on the system:
-#
-# cdrom
-#
-# * install from a directory of ISO images on a local drive:
-#
-# harddrive --partition=hdb2 --dir=/tmp/install-tree
-#
-# * install from provided NFS server:
-#
-# nfs --server= --dir= [--opts=]
-#
-
-# Set language to use during installation and the default language to use on the installed system (required)
-lang en_US.UTF-8
-
-# Set system keyboard type / layout (required)
-keyboard --vckeymap us
-
-# Configure network information for target system and activate network devices in the installer environment (optional)
-# --onboot enable device at a boot time
-# --device device to be activated and / or configured with the network command
-# --bootproto method to obtain networking configuration for device (default dhcp)
-# --noipv6 disable IPv6 on this device
-network --onboot yes --device eth0 --bootproto dhcp --noipv6
-
-# Set the system's root password (required)
-# Plaintext password is: server
-# Refer 
to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
-# encrypted password form for different plaintext password
-rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
-
-# The selected profile will restrict root login
-# Add a user that can login and escalate privileges
-# Plaintext password is: admin123
-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-
-# Configure firewall settings for the system (optional)
-# --enabled reject incoming connections that are not in response to outbound requests
-# --ssh allow sshd service through the firewall
-firewall --enabled --ssh
-
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
-# Set the system time zone (required)
-timezone --utc America/New_York
-
-# Specify how the bootloader should be installed (required)
-# Plaintext password is: password
-# Refer to e.g. 
grub2-mkpasswd-pbkdf2 to see how to create
-# encrypted password form for different plaintext password
-bootloader --append="audit=1 audit_backlog_limit=8192" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
-
-# Initialize (format) all disks (optional)
-zerombr
-
-# The following partition layout scheme assumes disk of size 20GB or larger
-# Modify size of partitions appropriately to reflect actual machine's hardware
-#
-# Remove Linux partitions from the system prior to creating new ones (optional)
-# --linux erase all Linux partitions
-# --initlabel initialize the disk label to the default based on the underlying architecture
-clearpart --linux --initlabel
-
-# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
-part pv.01 --grow --size=1
-
-# Create a Logical Volume Management (LVM) group (optional)
-volgroup VolGroup pv.01
-
-# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=4216 --grow
-# Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev"
-# Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /tmp Located On Separate Partition
-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
-# Ensure 
/var/tmp Located On Separate Partition
-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
-# Ensure /var/log Located On Separate Partition
-logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /var/log/audit Located On Separate Partition
-logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev"
-logvol swap --name=swap --vgname=VolGroup --size=2016
-
-# Despite the ID referencing NT-28, the profile is aligned to BP-028
-%addon org_fedora_oscap
- content-type = scap-security-guide
- profile = xccdf_org.ssgproject.content_profile_anssi_nt28_high
-%end
-
-# Packages selection (%packages section is required)
-%packages
-%end
-
-# Reboot after the installation is complete (optional)
-# --eject attempt to eject CD or DVD media before rebooting
-reboot --eject
diff --git a/products/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
deleted file mode 100644
index 1b87d400a95..00000000000
--- a/products/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
+++ /dev/null
@@ -1,137 +0,0 @@
-# SCAP Security Guide ANSSI BP-028 (intermediary) profile kickstart for Red Hat Enterprise Linux 7 Server
-# Version: 0.0.1
-# Date: 2021-01-28
-#
-# Based on:
-# https://pykickstart.readthedocs.io/en/latest/
-# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
-# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-
-# Install a fresh new system (optional)
-install
-
-# Specify installation method to use for installation
-# To use a different one comment out the 'url' one below, update
-# the selected choice with proper options & un-comment it
-#
-# Install from an installation tree on a remote server via FTP or HTTP:
-# --url the URL to install from
-#
-# Example:
-#
-# url --url=http://192.168.122.1/image
-#
-# Modify concrete URL in the above example appropriately to reflect the actual
-# environment machine is to be installed in
-#
-# Other possible / supported installation methods:
-# * install from the first CD-ROM/DVD drive on the system:
-#
-# cdrom
-#
-# * install from a directory of ISO images on a local drive:
-#
-# harddrive --partition=hdb2 --dir=/tmp/install-tree
-#
-# * install from provided NFS server:
-#
-# nfs --server= --dir= [--opts=]
-#
-
-# Set language to use during installation and the default language to use on the installed system (required)
-lang en_US.UTF-8
-
-# Set system keyboard type / layout (required)
-keyboard --vckeymap us
-
-# Configure network information for target system and activate network devices in the installer environment (optional)
-# --onboot enable device at a boot time
-# --device device to be activated and / or configured with the network command
-# --bootproto method to obtain networking configuration for device (default dhcp)
-# --noipv6 disable IPv6 on this device
-network --onboot yes --device eth0 --bootproto dhcp --noipv6
-
-# Set the system's root password (required)
-# Plaintext password is: server
-# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
-# encrypted password form for different plaintext password
-rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
-
-# The selected profile will restrict root login
-# Add a user that can login and escalate privileges
-# Plaintext password is: admin123
-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-
-# Configure firewall settings for the system (optional)
-# --enabled reject incoming connections that are not in response to outbound requests
-# --ssh allow sshd service through the firewall
-firewall --enabled --ssh
-
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
-# Set the system time zone (required)
-timezone --utc America/New_York
-
-# Specify how the bootloader should be installed (required)
-# Plaintext password is: password
-# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create
-# encrypted password form for different plaintext password
-bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
-
-# Initialize (format) all disks (optional)
-zerombr
-
-# The following partition layout scheme assumes disk of size 20GB or larger
-# Modify size of partitions appropriately to reflect actual machine's hardware
-#
-# Remove Linux partitions from the system prior to creating new ones (optional)
-# --linux erase all Linux partitions
-# --initlabel initialize the disk label to the default based on the underlying architecture
-clearpart --linux --initlabel
-
-# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
-part pv.01 --grow --size=1
-
-# Create a Logical Volume Management (LVM) group (optional)
-volgroup VolGroup pv.01
-
-# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=4216 --grow
-# Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev"
-# Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /tmp Located On Separate Partition
-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
-# Ensure /var/tmp Located On Separate Partition
-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
-# Ensure /var/log Located On Separate Partition
-logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /var/log/audit Located On Separate Partition
-logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev"
-logvol swap --name=swap --vgname=VolGroup --size=2016
-
-# Despite the ID referencing NT-28, the profile is aligned to BP-028
-%addon org_fedora_oscap
- content-type = scap-security-guide
- profile = xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary
-%end
-
-# Packages selection (%packages section is required)
-%packages
-%end
-
-# Reboot after the installation is complete (optional)
-# --eject attempt to eject CD or DVD media before rebooting
-reboot --eject
diff --git a/products/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
deleted file mode 100644
index a25d1b29246..00000000000
--- a/products/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
+++ /dev/null
@@ -1,101 +0,0 @@
-# SCAP Security Guide ANSSI BP-028 (minimal) profile kickstart for Red Hat Enterprise Linux 7 Server
-# Version: 0.0.1
-# Date: 2021-01-28
-#
-# Based on:
-# https://pykickstart.readthedocs.io/en/latest/
-# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
-# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-
-# Install a fresh new system (optional)
-install
-
-# Specify installation method to use for installation
-# To use a different one comment out the 'url' one below, update
-# the selected choice with proper options & un-comment it
-#
-# Install from an installation tree on a remote server via FTP or HTTP:
-# --url the URL to install from
-#
-# Example:
-#
-# url --url=http://192.168.122.1/image
-#
-# Modify concrete URL in the above example appropriately to reflect the actual
-# environment machine is to be installed in
-#
-# Other possible / supported installation methods:
-# * install from the first CD-ROM/DVD drive on the system:
-#
-# cdrom
-#
-# * install from a directory of ISO images on a local drive:
-#
-# harddrive --partition=hdb2 --dir=/tmp/install-tree
-#
-# * install from provided NFS server:
-#
-# nfs --server= --dir= [--opts=]
-#
-
-# Set language to use during installation and the default language to use on the installed system (required)
-lang en_US.UTF-8
-
-# Set system keyboard type / layout (required)
-keyboard --vckeymap us
-
-# Configure network information for target system and activate network devices in the installer environment (optional)
-# --onboot enable device at a boot time
-# --device device to be activated and / or configured with the network command
-# --bootproto method to obtain networking configuration for device (default dhcp)
-# --noipv6 disable IPv6 on this device
-network --onboot yes --device eth0 --bootproto dhcp
-
-# Set the system's root password (required)
-# Plaintext password is: server
-# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
-# encrypted password form for different plaintext password
-rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
-
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
-# Set the system time zone (required)
-timezone --utc America/New_York
-
-# Specify how the bootloader should be installed (required)
-# Plaintext password is: password
-# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create
-# encrypted password form for different plaintext password
-bootloader
-
-# Initialize (format) all disks (optional)
-zerombr
-
-# The following partition layout scheme assumes disk of size 20GB or larger
-# Modify size of partitions appropriately to reflect actual machine's hardware
-#
-# Remove Linux partitions from the system prior to creating new ones (optional)
-# --linux erase all Linux partitions
-# --initlabel initialize the disk label to the default based on the underlying architecture
-clearpart --linux --initlabel
-
-# Create primary system partitions (required for installs)
-autopart
-
-# Despite the ID referencing NT-28, the profile is aligned to BP-028
-%addon org_fedora_oscap
- content-type = scap-security-guide
- profile = xccdf_org.ssgproject.content_profile_anssi_nt28_minimal
-%end
-
-# Packages selection (%packages section is required)
-%packages
-%end
-
-# Reboot after the installation is complete (optional)
-# --eject attempt to eject CD or DVD media before rebooting
-reboot --eject
diff --git a/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg
deleted file mode 100644
index 9f75122e4f8..00000000000
--- a/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg
+++ /dev/null
@@ -1,138 +0,0 @@
-# SCAP Security Guide CIS profile (Level 2 - Server) kickstart for Red Hat Enterprise Linux 7 Server
-# Version: 0.0.1
-# Date: 2021-08-12
-#
-# Based on:
-# https://pykickstart.readthedocs.io/en/latest/
-# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
-
-# Install a fresh new system (optional)
-install
-
-# Specify installation method to use for installation
-# To use a different one comment out the 'url' one below, update
-# the selected choice with proper options & un-comment it
-#
-# Install from an installation tree on a remote server via FTP or HTTP:
-# --url the URL to install from
-#
-# Example:
-#
-# url --url=http://192.168.122.1/image
-#
-# Modify concrete URL in the above example appropriately to reflect the actual
-# environment machine is to be installed in
-#
-# Other possible / supported installation methods:
-# * install from the first CD-ROM/DVD drive on the system:
-#
-# cdrom
-#
-# * install from a directory of ISO images on a local drive:
-#
-# harddrive --partition=hdb2 --dir=/tmp/install-tree
-#
-# * install from provided NFS server:
-#
-# nfs --server= --dir= [--opts=]
-#
-
-# Set language to use during installation and the default language to use on the installed system (required)
-lang en_US.UTF-8
-
-# Set system keyboard type / layout (required)
-keyboard --vckeymap us
-
-# Configure network information for target system and activate network devices in the installer environment (optional)
-# --onboot enable device at a boot time
-# --device device to be activated and / or configured with the network command
-# --bootproto method to obtain networking configuration for device (default dhcp)
-# --noipv6 disable IPv6 on this device
-network --onboot yes --device eth0 --bootproto dhcp --noipv6
-
-# Set the system's root password (required)
-# Plaintext password is: server
-# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
-# encrypted password form for different plaintext password
-rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
-
-# The selected profile will restrict root login
-# Add a user that can login and escalate privileges
-# Plaintext password is: admin123
-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-
-# Configure firewall settings for the system (optional)
-# --enabled reject incoming connections that are not in response to outbound requests
-# --ssh allow sshd service through the firewall
-firewall --enabled --ssh
-
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
-# Set the system time zone (required)
-timezone --utc America/New_York
-
-# Specify how the bootloader should be installed (required)
-# Plaintext password is: password
-# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create
-# encrypted password form for different plaintext password
-bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
-
-# Initialize (format) all disks (optional)
-zerombr
-
-# The following partition layout scheme assumes disk of size 20GB or larger
-# Modify size of partitions appropriately to reflect actual machine's hardware
-#
-# Remove Linux partitions from the system prior to creating new ones (optional)
-# --linux erase all Linux partitions
-# --initlabel initialize the disk label to the default based on the underlying architecture
-clearpart --linux --initlabel
-
-# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
-part pv.01 --grow --size=1
-
-# Create a Logical Volume Management (LVM) group (optional)
-volgroup VolGroup pv.01
-
-# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10752 --grow
-# Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /tmp Located On Separate Partition
-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
-# Ensure /var/tmp Located On Separate Partition
-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048
-# Ensure /var/log Located On Separate Partition
-logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024
-# Ensure /var/log/audit Located On Separate Partition
-logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512
-logvol swap --name=swap --vgname=VolGroup --size=2016
-
-
-
-# Harden installation with CIS profile
-# For more details and configuration options see command %addon org_fedora_oscap in
-# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
-%addon org_fedora_oscap
- content-type = scap-security-guide
- profile = xccdf_org.ssgproject.content_profile_cis
-%end
-
-# Packages selection (%packages section is required)
-%packages
-%end
-
-# Reboot after the installation is complete (optional)
-# --eject attempt to eject CD or DVD media before rebooting
-reboot --eject
diff --git a/products/rhel7/kickstart/ssg-rhel7-cis_server_l1-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis_server_l1-ks.cfg
deleted file mode 100644
index 0e203349c8a..00000000000
--- a/products/rhel7/kickstart/ssg-rhel7-cis_server_l1-ks.cfg
+++ /dev/null
@@ -1,137 +0,0 @@
-# SCAP Security Guide CIS profile (Level 1 - Server) kickstart for Red Hat Enterprise Linux 7 Server
-# Version: 0.0.1
-# Date: 2021-08-12
-#
-# Based on:
-# https://pykickstart.readthedocs.io/en/latest/
-# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
-
-# Install a fresh new system (optional)
-install
-
-# Specify installation method to use for installation
-# To use a different one comment out the 'url' one below, update
-# the selected choice with proper options & un-comment it
-#
-# Install from an installation tree on a remote server via FTP or HTTP:
-# --url the URL to install from
-#
-# Example:
-#
-# url --url=http://192.168.122.1/image
-#
-# Modify concrete URL in the above example appropriately to reflect the actual
-# environment machine is to be installed in
-#
-# Other possible / supported installation methods:
-# * install from the first CD-ROM/DVD drive on the system:
-#
-# cdrom
-#
-# * install from a directory of ISO images on a local drive:
-#
-# harddrive --partition=hdb2 --dir=/tmp/install-tree
-#
-# * install from provided NFS server:
-#
-# nfs --server= --dir= [--opts=]
-#
-
-# Set language to use during installation and the default language to use on the installed system (required)
-lang en_US.UTF-8
-
-# Set system keyboard type / layout (required)
-keyboard --vckeymap us
-
-# Configure network information for target system and activate network devices in the installer environment (optional)
-# --onboot enable device at a boot time
-# --device device to be activated and / or configured with the network command
-# --bootproto method to obtain networking configuration for device (default dhcp)
-# --noipv6 disable IPv6 on this device
-network --onboot yes --device eth0 --bootproto dhcp --noipv6
-
-# Set the system's root password (required)
-# Plaintext password is: server
-# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
-# encrypted password form for different plaintext password
-rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
-
-# The selected profile will restrict root login
-# Add a user that can login and escalate privileges
-# Plaintext password is: admin123
-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-
-# Configure firewall settings for the system (optional)
-# --enabled reject incoming connections that are not in response to outbound requests
-# --ssh allow sshd service through the firewall
-firewall --enabled --ssh
-
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
-# Set the system time zone (required)
-timezone --utc America/New_York
-
-# Specify how the bootloader should be installed (required)
-# Plaintext password is: password
-# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create
-# encrypted password form for different plaintext password
-bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
-
-# Initialize (format) all disks (optional)
-zerombr
-
-# The following partition layout scheme assumes disk of size 20GB or larger
-# Modify size of partitions appropriately to reflect actual machine's hardware
-#
-# Remove Linux partitions from the system prior to creating new ones (optional)
-# --linux erase all Linux partitions
-# --initlabel initialize the disk label to the default based on the underlying architecture
-clearpart --linux --initlabel
-
-# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
-part pv.01 --grow --size=1
-
-# Create a Logical Volume Management (LVM) group (optional)
-volgroup VolGroup pv.01
-
-# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10752 --grow
-# Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /tmp Located On Separate Partition
-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
-# Ensure /var/tmp Located On Separate Partition
-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048
-# Ensure /var/log Located On Separate Partition
-logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024
-# Ensure /var/log/audit Located On Separate Partition
-logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512
-logvol swap --name=swap --vgname=VolGroup --size=2016
-
-
-# Harden installation with CIS profile
-# For more details and configuration options see command %addon org_fedora_oscap in
-# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
-%addon org_fedora_oscap
- content-type = scap-security-guide
- profile = xccdf_org.ssgproject.content_profile_cis_server_l1
-%end
-
-# Packages selection (%packages section is required)
-%packages
-%end
-
-# Reboot after the installation is complete (optional)
-# --eject attempt to eject CD or DVD media before rebooting
-reboot --eject
diff --git a/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l1-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l1-ks.cfg
deleted file mode 100644
index 480ee026b95..00000000000
--- a/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l1-ks.cfg
+++ /dev/null
@@ -1,138 +0,0 @@
-# SCAP Security Guide CIS profile (Level 1 - Workstation) kickstart for Red Hat Enterprise Linux 7 Server
-# Version: 0.0.1
-# Date: 2021-08-12
-#
-# Based on:
-# https://pykickstart.readthedocs.io/en/latest/
-# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
-
-# Install a fresh new system (optional)
-install
-
-# Specify installation method to use for installation
-# To use a different one comment out the 'url' one below, update
-# the selected choice with proper options & un-comment it
-#
-# Install from an installation tree on a remote server via FTP or HTTP:
-# --url the URL to install from
-#
-# Example:
-#
-# url --url=http://192.168.122.1/image
-#
-# Modify concrete URL in the above example appropriately to reflect the actual
-# environment machine is to be installed in
-#
-# Other possible / supported installation methods:
-# * install from the first CD-ROM/DVD drive on the system:
-#
-# cdrom
-#
-# * install from a directory of ISO images on a local drive:
-#
-# harddrive --partition=hdb2 --dir=/tmp/install-tree
-#
-# * install from provided NFS server:
-#
-# nfs --server= --dir= [--opts=]
-#
-
-# Set language to use during installation and the default language to use on the installed system (required)
-lang en_US.UTF-8
-
-# Set system keyboard type / layout (required)
-keyboard --vckeymap us
-
-# Configure network information for target system and activate network devices in the installer environment (optional)
-# --onboot enable device at a boot time
-# --device device to be activated and / or configured with the network command
-# --bootproto method to obtain networking configuration for device (default dhcp)
-# --noipv6 disable IPv6 on this device
-network --onboot yes --device eth0 --bootproto dhcp --noipv6
-
-# Set the system's root password (required)
-# Plaintext password is: server
-# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
-# encrypted password form for different plaintext password
-rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
-
-# The selected profile will restrict root login
-# Add a user that can login and escalate privileges
-# Plaintext password is: admin123
-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-
-# Configure firewall settings for the system (optional)
-# --enabled reject incoming connections that are not in response to outbound requests
-# --ssh allow sshd service through the firewall
-firewall --enabled --ssh
-
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
-# Set the system time zone (required)
-timezone --utc America/New_York
-
-# Specify how the bootloader should be installed (required)
-# Plaintext password is: password
-# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create
-# encrypted password form for different plaintext password
-bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
-
-# Initialize (format) all disks (optional)
-zerombr
-
-# The following partition layout scheme assumes disk of size 20GB or larger
-# Modify size of partitions appropriately to reflect actual machine's hardware
-#
-# Remove Linux partitions from the system prior to creating new ones (optional)
-# --linux erase all Linux partitions
-# --initlabel initialize the disk label to the default based on the underlying architecture
-clearpart --linux --initlabel
-
-# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
-part pv.01 --grow --size=1
-
-# Create a Logical Volume Management (LVM) group (optional)
-volgroup VolGroup pv.01
-
-# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10752 --grow
-# Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /tmp Located On Separate Partition
-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
-# Ensure /var/tmp Located On Separate Partition
-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048
-# Ensure /var/log Located On Separate Partition
-logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024
-# Ensure /var/log/audit Located On Separate Partition
-logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512
-logvol swap --name=swap --vgname=VolGroup --size=2016
-
-
-
-# Harden installation with CIS profile
-# For more details and configuration options see command %addon org_fedora_oscap in
-# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
-%addon org_fedora_oscap
- content-type = scap-security-guide
- profile = xccdf_org.ssgproject.content_profile_cis_workstation_l1
-%end
-
-# Packages selection (%packages section is required)
-%packages
-%end
-
-# Reboot after the installation is complete (optional)
-# --eject attempt to eject CD or DVD media before rebooting
-reboot --eject
diff --git a/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l2-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l2-ks.cfg
deleted file mode 100644
index 6721863f6b0..00000000000
--- a/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l2-ks.cfg
+++ /dev/null
@@ -1,138 +0,0 @@ -# SCAP Security Guide CIS profile (Level 2 - Workstation) kickstart for Red Hat Enterprise Linux 7 Server -# Version: 0.0.1 -# Date: 2021-08-12 -# -# Based on: -# https://pykickstart.readthedocs.io/en/latest/ -# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html - -# Install a fresh new system (optional) -install - -# Specify installation method to use for installation -# To use a different one comment out the 'url' one below, update -# the selected choice with proper options & un-comment it -# -# Install from an installation tree on a remote server via FTP or HTTP: -# --url the URL to install from -# -# Example: -# -# url --url=http://192.168.122.1/image -# -# Modify concrete URL in the above example appropriately to reflect the actual -# environment machine is to be installed in -# -# Other possible / supported installation methods: -# * install from the first CD-ROM/DVD drive on the system: -# -# cdrom -# -# * install from a directory of ISO images on a local drive: -# -# harddrive --partition=hdb2 --dir=/tmp/install-tree -# -# * install from provided NFS server: -# -# nfs --server= --dir= [--opts=] -# - -# Set language to use during installation and the default language to use on the installed system (required) -lang en_US.UTF-8 - -# Set system keyboard type / layout (required) -keyboard --vckeymap us - -# Configure network information for target system and activate network devices in the installer environment (optional) -# --onboot enable device at a boot time -# --device device to be activated and / or configured with the network command -# --bootproto method to obtain networking configuration for device (default dhcp) -# --noipv6 disable IPv6 on this device -network --onboot yes --device eth0 --bootproto dhcp --noipv6 - -# Set the system's root password (required) -# Plaintext password is: server -# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create -# encrypted password form for different plaintext password -rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 - -# The selected profile will restrict root login -# Add a user that can login and escalate privileges -# Plaintext password is: admin123 -user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted - -# Configure firewall settings for the system (optional) -# --enabled reject incoming connections that are not in response to outbound requests -# --ssh allow sshd service through the firewall -firewall --enabled --ssh - -# Set up the authentication options for the system (required) -# --enableshadow enable shadowed passwords by default -# --passalgo hash / crypt algorithm for new passwords -# See the manual page for authconfig for a complete list of possible options. -authconfig --enableshadow --passalgo=sha512 - -# State of SELinux on the installed system (optional) -# Defaults to enforcing -selinux --enforcing - -# Set the system time zone (required) -timezone --utc America/New_York - -# Specify how the bootloader should be installed (required) -# Plaintext password is: password -# Refer to e.g. 
grub2-mkpasswd-pbkdf2 to see how to create -# encrypted password form for different plaintext password -bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted - -# Initialize (format) all disks (optional) -zerombr - -# The following partition layout scheme assumes disk of size 20GB or larger -# Modify size of partitions appropriately to reflect actual machine's hardware -# -# Remove Linux partitions from the system prior to creating new ones (optional) -# --linux erase all Linux partitions -# --initlabel initialize the disk label to the default based on the underlying architecture -clearpart --linux --initlabel - -# Create primary system partitions (required for installs) -part /boot --fstype=xfs --size=512 -part pv.01 --grow --size=1 - -# Create a Logical Volume Management (LVM) group (optional) -volgroup VolGroup pv.01 - -# Create particular logical volumes (optional) -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10752 --grow -# Ensure /home Located On Separate Partition -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" -# Ensure /tmp Located On Separate Partition -logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" -# Ensure /var/tmp Located On Separate Partition -logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" -# Ensure /var Located On Separate Partition -logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 -# Ensure /var/log Located On Separate Partition -logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 -# Ensure /var/log/audit Located On Separate Partition -logvol /var/log/audit --fstype=xfs 
--name=varlogaudit --vgname=VolGroup --size=512 -logvol swap --name=swap --vgname=VolGroup --size=2016 - - - -# Harden installation with CIS profile -# For more details and configuration options see command %addon org_fedora_oscap in -# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands -%addon org_fedora_oscap - content-type = scap-security-guide - profile = xccdf_org.ssgproject.content_profile_cis_workstation_l2 -%end - -# Packages selection (%packages section is required) -%packages -%end - -# Reboot after the installation is complete (optional) -# --eject attempt to eject CD or DVD media before rebooting -reboot --eject diff --git a/products/rhel7/kickstart/ssg-rhel7-e8-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-e8-ks.cfg deleted file mode 100644 index 040ab0516df..00000000000 --- a/products/rhel7/kickstart/ssg-rhel7-e8-ks.cfg +++ /dev/null 
@@ -1,116 +0,0 @@ -# SCAP Security Guide Essential Eight profile kickstart for Red Hat Enterprise Linux 7 Server -# Version: 0.0.1 -# Date: 2019-11-13 -# -# Based on: -# https://pykickstart.readthedocs.io/en/latest/ -# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html - -# Install a fresh new system (optional) -install - -# Specify installation method to use for installation -# To use a different one comment out the 'url' one below, update -# the selected choice with proper options & un-comment it -# -# Install from an installation tree on a remote server via FTP or HTTP: -# --url the URL to install from -# -# Example: -# -# url --url=http://192.168.122.1/image -# -# Modify concrete URL in the above example appropriately to reflect the actual -# environment machine is to be installed in -# -# Other possible / supported installation methods: -# * install from the first CD-ROM/DVD drive on the system: -# -# cdrom -# -# * install from a directory of ISO images on a local drive: -# -# harddrive --partition=hdb2 --dir=/tmp/install-tree -# -# * install from provided NFS server: -# -# nfs --server= --dir= [--opts=] -# - -# Set language to use during installation and the default language to use on the installed system (required) -lang en_US.UTF-8 - -# Set system keyboard type / layout (required) -keyboard --vckeymap us - -# Configure network information for target system and activate network devices in the installer environment (optional) -# --onboot enable device at a boot time -# --device device to be activated and / or configured with the network command -# --bootproto method to obtain networking configuration for device (default dhcp) -# --noipv6 disable IPv6 on this device -network --onboot yes --device eth0 --bootproto dhcp --noipv6 - -# Set the system's root password (required) -# Plaintext password is: server -# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create -# encrypted password form for different plaintext password -rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 - -# The selected profile will restrict root login -# Add a user that can login and escalate privileges -# Plaintext password is: admin123 -user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted - -# Configure firewall settings for the system (optional) -# --enabled reject incoming connections that are not in response to outbound requests -# --ssh allow sshd service through the firewall -firewall --enabled --ssh - -# Set up the authentication options for the system (required) -# --enableshadow enable shadowed passwords by default -# --passalgo hash / crypt algorithm for new passwords -# See the manual page for authconfig for a complete list of possible options. -authconfig --enableshadow --passalgo=sha512 - -# State of SELinux on the installed system (optional) -# Defaults to enforcing -selinux --enforcing - -# Set the system time zone (required) -timezone --utc America/New_York - -# Specify how the bootloader should be installed (required) -# Plaintext password is: password -# Refer to e.g. 
grub2-mkpasswd-pbkdf2 to see how to create -# encrypted password form for different plaintext password -bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted - -# Initialize (format) all disks (optional) -zerombr - -# The following partition layout scheme assumes disk of size 20GB or larger -# Modify size of partitions appropriately to reflect actual machine's hardware -# -# Remove Linux partitions from the system prior to creating new ones (optional) -# --linux erase all Linux partitions -# --initlabel initialize the disk label to the default based on the underlying architecture -clearpart --linux --initlabel - -# Create primary system partitions (required for installs) -autopart - -# Harden installation with Essential Eight profile -# For more details and configuration options see command %addon org_fedora_oscap in -# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands -%addon org_fedora_oscap - content-type = scap-security-guide - profile = xccdf_org.ssgproject.content_profile_e8 -%end - -# Packages selection (%packages section is required) -%packages -%end - -# Reboot after the installation is complete (optional) -# --eject attempt to eject CD or DVD media before rebooting -reboot --eject diff --git a/products/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg deleted file mode 100644 index edc0b0a4b22..00000000000 --- a/products/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg +++ /dev/null 
@@ -1,116 +0,0 @@ -# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 7 Server -# Version: 0.0.1 -# Date: 2020-05-25 -# -# Based on: -# https://pykickstart.readthedocs.io/en/latest/ -# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html - -# Install a fresh new system (optional) -install - -# Specify installation method to use for installation -# To use a different one comment out the 'url' one below, update -# the selected choice with proper options & un-comment it -# -# Install from an installation tree on a remote server via FTP or HTTP: -# --url the URL to install from -# -# Example: -# -# url --url=http://192.168.122.1/image -# -# Modify concrete URL in the above example appropriately to reflect the actual -# environment machine is to be installed in -# -# Other possible / supported installation methods: -# * install from the first CD-ROM/DVD drive on the system: -# -# cdrom -# -# * install from a directory of ISO images on a local drive: -# -# harddrive --partition=hdb2 --dir=/tmp/install-tree -# -# * install from provided NFS server: -# -# nfs --server= --dir= [--opts=] -# - -# Set language to use during installation and the default language to use on the installed system (required) -lang en_US.UTF-8 - -# Set system keyboard type / layout (required) -keyboard --vckeymap us - -# Configure network information for target system and activate network devices in the installer environment (optional) -# --onboot enable device at a boot time -# --device device to be activated and / or configured with the network command -# --bootproto method to obtain networking configuration for device (default dhcp) -# --noipv6 disable IPv6 on this device -network --onboot yes --device eth0 --bootproto dhcp --noipv6 - -# Set the system's root password (required) -# Plaintext password is: server -# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create -# encrypted password form for different plaintext password -rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 - -# The selected profile will restrict root login -# Add a user that can login and escalate privileges -# Plaintext password is: admin123 -user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted - -# Configure firewall settings for the system (optional) -# --enabled reject incoming connections that are not in response to outbound requests -# --ssh allow sshd service through the firewall -firewall --enabled --ssh - -# Set up the authentication options for the system (required) -# --enableshadow enable shadowed passwords by default -# --passalgo hash / crypt algorithm for new passwords -# See the manual page for authconfig for a complete list of possible options. -authconfig --enableshadow --passalgo=sha512 - -# State of SELinux on the installed system (optional) -# Defaults to enforcing -selinux --enforcing - -# Set the system time zone (required) -timezone --utc America/New_York - -# Specify how the bootloader should be installed (required) -# Plaintext password is: password -# Refer to e.g. 
grub2-mkpasswd-pbkdf2 to see how to create -# encrypted password form for different plaintext password -bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted - -# Initialize (format) all disks (optional) -zerombr - -# The following partition layout scheme assumes disk of size 20GB or larger -# Modify size of partitions appropriately to reflect actual machine's hardware -# -# Remove Linux partitions from the system prior to creating new ones (optional) -# --linux erase all Linux partitions -# --initlabel initialize the disk label to the default based on the underlying architecture -clearpart --linux --initlabel - -# Create primary system partitions (required for installs) -autopart - -# Harden installation with HIPAA profile -# For more details and configuration options see command %addon org_fedora_oscap in -# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands -%addon org_fedora_oscap - content-type = scap-security-guide - profile = xccdf_org.ssgproject.content_profile_hipaa -%end - -# Packages selection (%packages section is required) -%packages -%end - -# Reboot after the installation is complete (optional) -# --eject attempt to eject CD or DVD media before rebooting -reboot --eject diff --git a/products/rhel7/kickstart/ssg-rhel7-ospp-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-ospp-ks.cfg deleted file mode 100644 index b8e2b2f297a..00000000000 --- a/products/rhel7/kickstart/ssg-rhel7-ospp-ks.cfg +++ /dev/null 
@@ -1,134 +0,0 @@ -# SCAP Security Guide OSPP/USGCB profile kickstart for Red Hat Enterprise Linux 7 Server -# Version: 0.0.2 -# Date: 2015-11-19 -# -# Based on: -# https://pykickstart.readthedocs.io/en/latest/ -# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html -# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg - -# Install a fresh new system (optional) -install - -# Specify installation method to use for installation -# To use a different one comment out the 'url' one below, update -# the selected choice with proper options & un-comment it -# -# Install from an installation tree on a remote server via FTP or HTTP: -# --url the URL to install from -# -# Example: -# -# url --url=http://192.168.122.1/image -# -# Modify concrete URL in the above example appropriately to reflect the actual -# environment machine is to be installed in -# -# Other possible / supported installation methods: -# * install from the first CD-ROM/DVD drive on the system: -# -# cdrom -# -# * install from a directory of ISO images on a local drive: -# -# harddrive --partition=hdb2 --dir=/tmp/install-tree -# -# * install from provided NFS server: -# -# nfs --server= --dir= [--opts=] -# - -# Set language to use during installation and the default language to use on the installed system (required) -lang en_US.UTF-8 - -# Set system keyboard type / layout (required) -keyboard --vckeymap us - -# Configure network information for target system and activate network devices in the installer environment (optional) -# --onboot enable device at a boot time -# --device device to be activated and / or configured with the network command -# --bootproto method to obtain networking configuration for device (default dhcp) -# --noipv6 disable IPv6 on this device -network --onboot yes --device eth0 --bootproto dhcp --noipv6 - -# Set the system's root password (required) -# Plaintext password is: server -# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create -# encrypted password form for different plaintext password -rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 - -# The selected profile will restrict root login -# Add a user that can login and escalate privileges -# Plaintext password is: admin123 -user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted - -# Configure firewall settings for the system (optional) -# --enabled reject incoming connections that are not in response to outbound requests -# --ssh allow sshd service through the firewall -firewall --enabled --ssh - -# Set up the authentication options for the system (required) -# --enableshadow enable shadowed passwords by default -# --passalgo hash / crypt algorithm for new passwords -# See the manual page for authconfig for a complete list of possible options. -authconfig --enableshadow --passalgo=sha512 - -# State of SELinux on the installed system (optional) -# Defaults to enforcing -selinux --enforcing - -# Set the system time zone (required) -timezone --utc America/New_York - -# Specify how the bootloader should be installed (required) -# Plaintext password is: password -# Refer to e.g. 
grub2-mkpasswd-pbkdf2 to see how to create -# encrypted password form for different plaintext password -bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted - -# Initialize (format) all disks (optional) -zerombr - -# The following partition layout scheme assumes disk of size 20GB or larger -# Modify size of partitions appropriately to reflect actual machine's hardware -# -# Remove Linux partitions from the system prior to creating new ones (optional) -# --linux erase all Linux partitions -# --initlabel initialize the disk label to the default based on the underlying architecture -clearpart --linux --initlabel - -# Create primary system partitions (required for installs) -part /boot --fstype=xfs --size=512 -part pv.01 --grow --size=1 - -# Create a Logical Volume Management (LVM) group (optional) -volgroup VolGroup pv.01 - -# Create particular logical volumes (optional) -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow -# Ensure /home Located On Separate Partition -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" -# Ensure /tmp Located On Separate Partition -logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" -# Ensure /var/tmp Located On Separate Partition -logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" -# Ensure /var Located On Separate Partition -logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev" -# Ensure /var/log Located On Separate Partition -logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev" -# Ensure /var/log/audit Located On Separate Partition -logvol 
/var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev" -logvol swap --name=swap --vgname=VolGroup --size=2016 - -%addon org_fedora_oscap - content-type = scap-security-guide - profile = xccdf_org.ssgproject.content_profile_ospp -%end - -# Packages selection (%packages section is required) -%packages -%end - -# Reboot after the installation is complete (optional) -# --eject attempt to eject CD or DVD media before rebooting -reboot --eject diff --git a/products/rhel7/kickstart/ssg-rhel7-pci-dss-server-with-gui-oaa-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-pci-dss-server-with-gui-oaa-ks.cfg deleted file mode 100644 index 684a6c5beb5..00000000000 --- a/products/rhel7/kickstart/ssg-rhel7-pci-dss-server-with-gui-oaa-ks.cfg +++ /dev/null 
@@ -1,131 +0,0 @@ -# SCAP Security Guide PCI-DSS profile kickstart for Red Hat Enterprise Linux 7 Server -# Version: 0.0.2 -# Date: 2015-08-02 -# -# Based on: -# https://pykickstart.readthedocs.io/en/latest/ -# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html -# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg - -# Install a fresh new system (optional) -install - -# Specify installation method to use for installation -# To use a different one comment out the 'url' one below, update -# the selected choice with proper options & un-comment it -# -# Install from an installation tree on a remote server via FTP or HTTP: -# --url the URL to install from -# -# Example: -# -# url --url=http://192.168.122.1/image -# -# Modify concrete URL in the above example appropriately to reflect the actual -# environment machine is to be installed in -# -# Other possible / supported installation methods: -# * install from the first CD-ROM/DVD drive on the system: -# -# cdrom -# -# * install from a directory of ISO images on a local drive: -# -# harddrive --partition=hdb2 --dir=/tmp/install-tree -# -# * install from provided NFS server: -# -# nfs --server= --dir= [--opts=] -# - -# Set language to use during installation and the default language to use on the installed system (required) -lang en_US.UTF-8 - -# Set system keyboard type / layout (required) -keyboard --vckeymap us - -# Configure network information for target system and activate network devices in the installer environment (optional) -# --onboot enable device at a boot time -# --device device to be activated and / or configured with the network command -# --bootproto method to obtain networking configuration for device (default dhcp) -# --noipv6 disable IPv6 on this device -network --onboot yes --device eth0 --bootproto dhcp --noipv6 - -# Set the system's root password (required) -# Plaintext password is: server -# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create -# encrypted password form for different plaintext password -rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 - -# Configure firewall settings for the system (optional) -# --enabled reject incoming connections that are not in response to outbound requests -# --ssh allow sshd service through the firewall -firewall --enabled --ssh - -# Set up the authentication options for the system (required) -# --enableshadow enable shadowed passwords by default -# --passalgo hash / crypt algorithm for new passwords -# See the manual page for authconfig for a complete list of possible options. -authconfig --enableshadow --passalgo=sha512 - -# State of SELinux on the installed system (optional) -# Defaults to enforcing -selinux --enforcing - -# Set the system time zone (required) -timezone --utc America/New_York - -# Specify how the bootloader should be installed (required) -# Plaintext password is: password -# Refer to e.g. 
grub2-mkpasswd-pbkdf2 to see how to create -# encrypted password form for different plaintext password -bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted - -# Initialize (format) all disks (optional) -zerombr - -# The following partition layout scheme assumes disk of size 20GB or larger -# Modify size of partitions appropriately to reflect actual machine's hardware -# -# Remove Linux partitions from the system prior to creating new ones (optional) -# --linux erase all Linux partitions -# --initlabel initialize the disk label to the default based on the underlying architecture -clearpart --linux --initlabel - -# Create primary system partitions (required for installs) -part /boot --fstype=xfs --size=512 -part pv.01 --grow --size=1 - -# Create a Logical Volume Management (LVM) group (optional) -volgroup VolGroup pv.01 - -# Create particular logical volumes (optional) -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=12288 --grow -# CCE-26557-9: Ensure /home Located On Separate Partition -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" -# CCE-26435-8: Ensure /tmp Located On Separate Partition -logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" -# CCE-26639-5: Ensure /var Located On Separate Partition -logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev" -# CCE-26215-4: Ensure /var/log Located On Separate Partition -logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev" -# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition -logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev" 
-logvol swap --name=swap --vgname=VolGroup --size=2016 - -%addon org_fedora_oscap - content-type = scap-security-guide - profile = xccdf_org.ssgproject.content_profile_pci-dss -%end - -# Packages selection (%packages section is required) -%packages - -# Require 'Server with GUI' package environment to be installed -@^Server with GUI - -%end - -# Reboot after the installation is complete (optional) -# --eject attempt to eject CD or DVD media before rebooting -reboot --eject diff --git a/products/rhel7/kickstart/ssg-rhel7-stig-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-stig-ks.cfg deleted file mode 100644 index c5e091cffe2..00000000000 --- a/products/rhel7/kickstart/ssg-rhel7-stig-ks.cfg +++ /dev/null 
@@ -1,120 +0,0 @@ -# Install a fresh new system (optional) -install - -# Specify installation method to use for installation -# To use a different one comment out the 'url' one below, update -# the selected choice with proper options & un-comment it -# -# Install from an installation tree on a remote server via FTP or HTTP: -# --url the URL to install from -# -# Example: -# -# url --url=http://192.168.122.1/image -# -# Modify concrete URL in the above example appropriately to reflect the actual -# environment machine is to be installed in -# -# Other possible / supported installation methods: -# * install from the first CD-ROM/DVD drive on the system: -# -# cdrom -# -# * install from a directory of ISO images on a local drive: -# -# harddrive --partition=hdb2 --dir=/tmp/install-tree -# -# * install from provided NFS server: -# -# nfs --server= --dir= [--opts=] -# - -# Set language to use during installation and the default language to use on the installed system (required) -lang en_US.UTF-8 - -# Set system keyboard type / layout (required) -keyboard --vckeymap us - -# Configure network information for target system and activate network devices in the installer environment (optional) -# --onboot enable device at a boot time -# --device device to be activated and / or configured with the network command -# --bootproto method to obtain networking configuration for device (default dhcp) -# --noipv6 disable IPv6 on this device -network --onboot yes --device eth0 --bootproto dhcp --noipv6 - -# Set the system's root password (required) -# Plaintext password is: server -# Refer to e.g. 
http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create -# encrypted password form for different plaintext password -rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 - -# Configure firewall settings for the system (optional) -# --enabled reject incoming connections that are not in response to outbound requests -# --ssh allow sshd service through the firewall -firewall --enabled --ssh - -# Set up the authentication options for the system (required) -# --enableshadow enable shadowed passwords by default -# --passalgo hash / crypt algorithm for new passwords -# See the manual page for authconfig for a complete list of possible options. -authconfig --enableshadow --passalgo=sha512 - -# State of SELinux on the installed system (optional) -# Defaults to enforcing -selinux --enforcing - -# Set the system time zone (required) -timezone --utc America/New_York - -# Specify how the bootloader should be installed (required) -# Plaintext password is: password -# Refer to e.g. 
http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create -# encrypted password form for different plaintext password -bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted - -# Initialize (format) all disks (optional) -zerombr - -# The following partition layout scheme assumes disk of size 20GB or larger -# Modify size of partitions appropriately to reflect actual machine's hardware -# -# Remove Linux partitions from the system prior to creating new ones (optional) -# --linux erase all Linux partitions -# --initlabel initialize the disk label to the default based on the underlying architecture -clearpart --linux --initlabel - -# Create primary system partitions (required for installs) -part /boot --fstype=xfs --size=512 -part pv.01 --grow --size=1 - -# Create a Logical Volume Management (LVM) group (optional) -volgroup VolGroup pv.01 - -# Create particular logical volumes (optional) -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=12288 --grow -# CCE-26557-9: Ensure /home Located On Separate Partition -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" -# CCE-26435-8: Ensure /tmp Located On Separate Partition -logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" -# CCE-26639-5: Ensure /var Located On Separate Partition -logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev" -# CCE-26215-4: Ensure /var/log Located On Separate Partition -logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev" -# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition -logvol /var/log/audit --fstype=xfs --name=varlogaudit 
--vgname=VolGroup --size=512 --fsoptions="nodev" -logvol swap --name=swap --vgname=VolGroup --size=2016 - -# The full id of DISA STIG profile is used because otherwise there would be -# a conflict with rhelh-stig. -%addon org_fedora_oscap - content-type = scap-security-guide - profile = xccdf_org.ssgproject.content_profile_stig -%end - -# Packages selection (%packages section is required) -%packages -%end - -# Reboot after the installation is complete (optional) -# --eject attempt to eject CD or DVD media before rebooting -reboot --eject diff --git a/products/rhel7/kickstart/ssg-rhel7-stig_gui-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-stig_gui-ks.cfg deleted file mode 100644 index cdde4bcbdf7..00000000000 --- a/products/rhel7/kickstart/ssg-rhel7-stig_gui-ks.cfg +++ /dev/null 
@@ -1,121 +0,0 @@
-# Install a fresh new system (optional)
-install
-
-# Specify installation method to use for installation
-# To use a different one comment out the 'url' one below, update
-# the selected choice with proper options & un-comment it
-#
-# Install from an installation tree on a remote server via FTP or HTTP:
-# --url the URL to install from
-#
-# Example:
-#
-# url --url=http://192.168.122.1/image
-#
-# Modify concrete URL in the above example appropriately to reflect the actual
-# environment machine is to be installed in
-#
-# Other possible / supported installation methods:
-# * install from the first CD-ROM/DVD drive on the system:
-#
-# cdrom
-#
-# * install from a directory of ISO images on a local drive:
-#
-# harddrive --partition=hdb2 --dir=/tmp/install-tree
-#
-# * install from provided NFS server:
-#
-# nfs --server= --dir= [--opts=]
-#
-
-# Set language to use during installation and the default language to use on the installed system (required)
-lang en_US.UTF-8
-
-# Set system keyboard type / layout (required)
-keyboard --vckeymap us
-
-# Configure network information for target system and activate network devices in the installer environment (optional)
-# --onboot enable device at a boot time
-# --device device to be activated and / or configured with the network command
-# --bootproto method to obtain networking configuration for device (default dhcp)
-# --noipv6 disable IPv6 on this device
-network --onboot yes --device eth0 --bootproto dhcp --noipv6
-
-# Set the system's root password (required)
-# Plaintext password is: server
-# Refer to e.g.
http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
-# encrypted password form for different plaintext password
-rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
-
-# Configure firewall settings for the system (optional)
-# --enabled reject incoming connections that are not in response to outbound requests
-# --ssh allow sshd service through the firewall
-firewall --enabled --ssh
-
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
-# Set the system time zone (required)
-timezone --utc America/New_York
-
-# Specify how the bootloader should be installed (required)
-# Plaintext password is: password
-# Refer to e.g.
http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
-# encrypted password form for different plaintext password
-bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
-
-# Initialize (format) all disks (optional)
-zerombr
-
-# The following partition layout scheme assumes disk of size 20GB or larger
-# Modify size of partitions appropriately to reflect actual machine's hardware
-#
-# Remove Linux partitions from the system prior to creating new ones (optional)
-# --linux erase all Linux partitions
-# --initlabel initialize the disk label to the default based on the underlying architecture
-clearpart --linux --initlabel
-
-# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
-part pv.01 --grow --size=1
-
-# Create a Logical Volume Management (LVM) group (optional)
-volgroup VolGroup pv.01
-
-# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=12288 --grow
-# CCE-26557-9: Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# CCE-26435-8: Ensure /tmp Located On Separate Partition
-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
-# CCE-26639-5: Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
-# CCE-26215-4: Ensure /var/log Located On Separate Partition
-logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
-logvol /var/log/audit --fstype=xfs --name=varlogaudit
--vgname=VolGroup --size=512 --fsoptions="nodev"
-logvol swap --name=swap --vgname=VolGroup --size=2016
-
-%addon org_fedora_oscap
- content-type = scap-security-guide
- profile = xccdf_org.ssgproject.content_profile_stig_gui
-%end
-
-# Packages selection (%packages section is required)
-%packages
-
-@^Server with GUI
-
-%end
-
-# Reboot after the installation is complete (optional)
-# --eject attempt to eject CD or DVD media before rebooting
-reboot --eject
diff --git a/products/rhel7/overlays/c2s_support.xml b/products/rhel7/overlays/c2s_support.xml
deleted file mode 100644
index f9969362887..00000000000
--- a/products/rhel7/overlays/c2s_support.xml
+++ /dev/null
@@ -1,57 +0,0 @@
-
diff --git a/products/rhel7/overlays/nist800171_support.xml b/products/rhel7/overlays/nist800171_support.xml
deleted file mode 100644
index e6fcf404a38..00000000000
--- a/products/rhel7/overlays/nist800171_support.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-
diff --git a/products/rhel7/overlays/nist_support.xml b/products/rhel7/overlays/nist_support.xml
deleted file mode 100644
index 2941e94f5cc..00000000000
--- a/products/rhel7/overlays/nist_support.xml
+++ /dev/null
@@ -1,58 +0,0 @@
-
diff --git a/products/rhel7/overlays/srg_support.xml b/products/rhel7/overlays/srg_support.xml
deleted file mode 100644
index dd3b509c2c7..00000000000
--- a/products/rhel7/overlays/srg_support.xml
+++ /dev/null
@@ -1,173 +0,0 @@
-
diff --git a/products/rhel7/product.yml b/products/rhel7/product.yml
deleted file mode 100644
index 0b6095f7cb1..00000000000
--- a/products/rhel7/product.yml
+++ /dev/null
@@ -1,73 +0,0 @@
-product: rhel7
-full_name: Red Hat Enterprise Linux 7
-type: platform
-
-families:
- - rhel
- - rhel-like
-
-major_version_ordinal: 7
-
-benchmark_id: RHEL-7
-benchmark_root: "../../linux_os/guide"
-components_root: "../../components"
-
-profiles_root: "./profiles"
-
-pkg_manager: "yum"
-
-init_system: "systemd"
-
-# The fingerprints below are retrieved from https://access.redhat.com/security/team/key
-pkg_release: "4ae0493b"
-pkg_version: "fd431d51"
-aux_pkg_release: "45700c69"
-aux_pkg_version: "2fa658e0"
-
-release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
-auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
-
-audisp_conf_path: "/etc/audisp"
-
-groups:
- dedicated_ssh_keyowner:
- name: ssh_keys
-
-cpes_root: "../../shared/applicability"
-cpes:
- - rhel7:
- name: "cpe:/o:redhat:enterprise_linux:7"
- title: "Red Hat Enterprise Linux 7"
- check_id: installed_OS_is_rhel7
-
- - rhel7-server:
- name: "cpe:/o:redhat:enterprise_linux:7::server"
- title: "Red Hat Enterprise Linux 7 Server"
- check_id: installed_OS_is_rhel7
-
- - rhel7-client:
- name: "cpe:/o:redhat:enterprise_linux:7::client"
- title: "Red Hat Enterprise Linux 7 Client"
- check_id: installed_OS_is_rhel7
-
- - rhel7-computenode:
- name: "cpe:/o:redhat:enterprise_linux:7::computenode"
- title: "Red Hat Enterprise Linux 7 ComputeNode"
- check_id: installed_OS_is_rhel7
-
- - rhel7-workstation:
- name: "cpe:/o:redhat:enterprise_linux:7::workstation"
- title: "Red Hat Enterprise Linux 7 Workstation"
- check_id: installed_OS_is_rhel7
-
-# Mapping of CPE platform to package
-platform_package_overrides:
- login_defs: "shadow-utils"
- openssl-pkcs11: "pam_pkcs11"
-
-centos_pkg_release: "53a7ff4b"
-centos_pkg_version: "f4a80eb5"
-centos_major_version: "7"
-
-reference_uris:
- cis: 'https://www.cisecurity.org/benchmark/red_hat_linux/'
diff --git a/products/rhel7/profiles/C2S.profile b/products/rhel7/profiles/C2S.profile
deleted file mode 100644
index cee45addd75..00000000000
--- a/products/rhel7/profiles/C2S.profile
+++ /dev/null
@@ -1,273 +0,0 @@
-documentation_complete: true
-
-metadata:
- version: TBD
- SMEs:
- - yuumasato
-
-title: 'C2S for Red Hat Enterprise Linux 7'
-
-description: |-
- This profile demonstrates compliance against the
- U.S. Government Commercial Cloud Services (C2S) baseline.
-
- This baseline was inspired by the Center for Internet Security
- (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.
-
- For the SCAP Security Guide project to remain in compliance with
- CIS' terms and conditions, specifically Restrictions(8), note
- there is no representation or claim that the C2S profile will
- ensure a system is in compliance or consistency with the CIS
- baseline.
-
-selections:
- - kernel_module_cramfs_disabled
- - kernel_module_freevxfs_disabled
- - kernel_module_jffs2_disabled
- - kernel_module_hfs_disabled
- - kernel_module_hfsplus_disabled
- - kernel_module_squashfs_disabled
- - kernel_module_udf_disabled
- - partition_for_tmp
- - mount_option_tmp_nodev
- - mount_option_tmp_nosuid
- - mount_option_tmp_noexec
- - partition_for_var
- - partition_for_var_tmp
- - mount_option_var_tmp_nodev
- - mount_option_var_tmp_nosuid
- - mount_option_var_tmp_noexec
- - partition_for_var_log
- - partition_for_var_log_audit
- - partition_for_home
- - mount_option_home_nodev
- - mount_option_dev_shm_nodev
- - mount_option_dev_shm_nosuid
- - mount_option_dev_shm_noexec
- - mount_option_nodev_removable_partitions
- - mount_option_nosuid_removable_partitions
- - mount_option_noexec_removable_partitions
- - dir_perms_world_writable_sticky_bits
- - service_autofs_disabled
- - ensure_gpgcheck_globally_activated
- - ensure_redhat_gpgkey_installed
- - service_rhnsd_disabled
- - package_aide_installed
- - aide_periodic_cron_checking
- - file_owner_grub2_cfg
- - file_groupowner_grub2_cfg
- - file_permissions_grub2_cfg
- - grub2_password
- - grub2_uefi_password
- - require_singleuser_auth
- - disable_users_coredumps
- - sysctl_fs_suid_dumpable
- - sysctl_kernel_exec_shield
- -
sysctl_kernel_randomize_va_space
- - disable_prelink
- - grub2_enable_selinux
- - var_selinux_state=enforcing
- - selinux_state
- - var_selinux_policy_name=targeted
- - selinux_policytype
- - package_setroubleshoot_removed
- - package_mcstrans_removed
- - selinux_confinement_of_daemons
- - banner_etc_issue
- - login_banner_text=usgcb_default
- - dconf_db_up_to_date
- - dconf_gnome_login_banner_text
- - dconf_gnome_banner_enabled
- - security_patches_up_to_date
- - service_tftp_disabled
- - service_xinetd_disabled
- - service_chronyd_or_ntpd_enabled
- - package_xorg-x11-server-common_removed
- - service_avahi-daemon_disabled
- - service_cups_disabled
- - service_dhcpd_disabled
- - package_openldap-servers_removed
- - service_rpcbind_disabled
- - service_nfs_disabled
- - service_named_disabled
- - service_vsftpd_disabled
- - service_httpd_disabled
- - service_dovecot_disabled
- - service_smb_disabled
- - service_squid_disabled
- - service_snmpd_disabled
- - postfix_network_listening_disabled
- - package_ypserv_removed
- - service_rexec_disabled
- - service_rsh_disabled
- - service_rlogin_disabled
- - service_telnet_disabled
- - package_talk-server_removed
- - package_ypbind_removed
- - package_rsh_removed
- - package_talk_removed
- - package_telnet_removed
- - sysctl_net_ipv4_ip_forward
- - sysctl_net_ipv4_conf_all_send_redirects
- - sysctl_net_ipv4_conf_default_send_redirects
- - sysctl_net_ipv4_conf_all_accept_source_route
- - sysctl_net_ipv4_conf_default_accept_source_route
- - sysctl_net_ipv4_conf_all_accept_redirects
- - sysctl_net_ipv4_conf_default_accept_redirects
- - sysctl_net_ipv4_conf_all_secure_redirects
- - sysctl_net_ipv4_conf_default_secure_redirects
- - sysctl_net_ipv4_conf_all_log_martians
- - sysctl_net_ipv4_conf_default_log_martians
- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- - sysctl_net_ipv4_conf_all_rp_filter
- - sysctl_net_ipv4_conf_default_rp_filter
- - sysctl_net_ipv4_tcp_syncookies
- - sysctl_net_ipv6_conf_all_accept_ra
- - sysctl_net_ipv6_conf_default_accept_ra
- - sysctl_net_ipv6_conf_all_accept_redirects
- - sysctl_net_ipv6_conf_default_accept_redirects
- - sysctl_net_ipv6_conf_all_disable_ipv6
- - package_tcp_wrappers_installed
- - kernel_module_dccp_disabled
- - kernel_module_sctp_disabled
- - var_auditd_max_log_file=6
- - auditd_data_retention_max_log_file
- - var_auditd_action_mail_acct=root
- - var_auditd_admin_space_left_action=single
- - auditd_data_retention_action_mail_acct
- - auditd_data_retention_admin_space_left_action
- - auditd_data_retention_max_log_file_action
- - service_auditd_enabled
- - grub2_audit_argument
- - audit_rules_time_adjtimex
- - audit_rules_time_settimeofday
- - audit_rules_time_stime
- - audit_rules_time_clock_settime
- - audit_rules_time_watch_localtime
- - audit_rules_usergroup_modification_passwd
- - audit_rules_usergroup_modification_group
- - audit_rules_usergroup_modification_gshadow
- - audit_rules_usergroup_modification_shadow
- - audit_rules_usergroup_modification_opasswd
- - audit_rules_networkconfig_modification
- - audit_rules_mac_modification
- - audit_rules_login_events
- - var_accounts_passwords_pam_faillock_dir=run
- - audit_rules_session_events
- - audit_rules_dac_modification_chmod
- - audit_rules_dac_modification_chown
- - audit_rules_dac_modification_fchmod
- - audit_rules_dac_modification_fchmodat
- - audit_rules_dac_modification_fchown
- - audit_rules_dac_modification_fchownat
- - audit_rules_dac_modification_fremovexattr
- - audit_rules_dac_modification_fsetxattr
- - audit_rules_dac_modification_lchown
- - audit_rules_dac_modification_lremovexattr
- - audit_rules_dac_modification_lsetxattr
- - audit_rules_dac_modification_removexattr
- - audit_rules_dac_modification_setxattr
- - audit_rules_unsuccessful_file_modification_creat
- - audit_rules_unsuccessful_file_modification_open
- - audit_rules_unsuccessful_file_modification_openat
- -
audit_rules_unsuccessful_file_modification_open_by_handle_at
- - audit_rules_unsuccessful_file_modification_truncate
- - audit_rules_unsuccessful_file_modification_ftruncate
- - audit_rules_privileged_commands
- - audit_rules_media_export
- - audit_rules_file_deletion_events_rename
- - audit_rules_file_deletion_events_renameat
- - audit_rules_file_deletion_events_rmdir
- - audit_rules_file_deletion_events_unlink
- - audit_rules_file_deletion_events_unlinkat
- - audit_rules_sysadmin_actions
- - audit_rules_kernel_module_loading
- - audit_rules_immutable
- - service_rsyslog_enabled
- - rsyslog_files_permissions
- - rsyslog_remote_loghost
- - rsyslog_accept_remote_messages_tcp
- - rsyslog_accept_remote_messages_udp
- - package_rsyslog_installed
- - ensure_logrotate_activated
- - service_crond_enabled
- - sshd_allow_only_protocol2
- - sshd_set_loglevel_info
- - sshd_enable_x11_forwarding
- - sshd_set_max_auth_tries
- - disable_host_auth
- - sshd_disable_root_login
- - sshd_disable_empty_passwords
- - sshd_do_not_permit_user_env
- - sshd_use_approved_ciphers
- - sshd_use_approved_macs
- - sshd_set_idle_timeout
- - var_sshd_set_keepalive=0
- - sshd_set_keepalive_0
- - sshd_enable_warning_banner
- - var_password_pam_minlen=14
- - accounts_password_pam_minlen
- - accounts_password_pam_dcredit
- - accounts_password_pam_ucredit
- - accounts_password_pam_lcredit
- - accounts_password_pam_retry
- - var_accounts_passwords_pam_faillock_unlock_time=900
- - var_accounts_passwords_pam_faillock_deny=5
- - accounts_passwords_pam_faillock_unlock_time
- - accounts_passwords_pam_faillock_deny
- - var_password_pam_unix_remember=5
- - accounts_password_pam_unix_remember
- - set_password_hashing_algorithm_systemauth
- - var_accounts_maximum_age_login_defs=90
- - accounts_maximum_age_login_defs
- - var_accounts_minimum_age_login_defs=7
- - accounts_minimum_age_login_defs
- - var_accounts_password_warn_age_login_defs=7
- - accounts_password_warn_age_login_defs
- -
var_account_disable_post_pw_expiration=30
- - account_disable_post_pw_expiration
- - no_shelllogin_for_systemaccounts
- - accounts_umask_etc_bashrc
- - accounts_umask_etc_profile
- - no_direct_root_logins
- - file_owner_etc_passwd
- - file_groupowner_etc_passwd
- - file_permissions_etc_passwd
- - file_owner_etc_shadow
- - file_groupowner_etc_shadow
- - file_permissions_etc_shadow
- - file_owner_etc_group
- - file_groupowner_etc_group
- - file_permissions_etc_group
- - file_owner_etc_gshadow
- - file_groupowner_etc_gshadow
- - file_permissions_etc_gshadow
- - file_permissions_unauthorized_world_writable
- - no_files_unowned_by_user
- - file_permissions_ungroupowned
- - file_permissions_unauthorized_suid
- - file_permissions_unauthorized_sgid
- - accounts_no_uid_except_zero
- - no_rsh_trust_files
- - file_groupowner_sshd_config
- - file_owner_sshd_config
- - file_permissions_sshd_config
- - file_groupowner_crontab
- - file_owner_crontab
- - file_permissions_crontab
- - file_groupowner_cron_hourly
- - file_owner_cron_hourly
- - file_permissions_cron_hourly
- - file_groupowner_cron_daily
- - file_owner_cron_daily
- - file_permissions_cron_daily
- - file_groupowner_cron_weekly
- - file_owner_cron_weekly
- - file_permissions_cron_weekly
- - file_groupowner_cron_monthly
- - file_owner_cron_monthly
- - file_permissions_cron_monthly
- - file_groupowner_cron_d
- - file_owner_cron_d
- - file_permissions_cron_d
diff --git a/products/rhel7/profiles/anssi_nt28_enhanced.profile b/products/rhel7/profiles/anssi_nt28_enhanced.profile
deleted file mode 100644
index f80fca7df30..00000000000
--- a/products/rhel7/profiles/anssi_nt28_enhanced.profile
+++ /dev/null
@@ -1,49 +0,0 @@
-documentation_complete: true
-
-metadata:
- SMEs:
- - marcusburghardt
-
-title: 'ANSSI-BP-028 (enhanced)'
-
-description: |-
- This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level.
-
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
- ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
-
- A copy of the ANSSI-BP-028 can be found at the ANSSI website:
- https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
-
- An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
- https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
-
-selections:
- - anssi:all:enhanced
- - '!selinux_state'
- - '!timer_logrotate_enabled'
- - '!logind_session_timeout'
- # Following rules once had a prodtype incompatible with the rhel7 product
- - '!accounts_passwords_pam_tally2_deny_root'
- - '!sysctl_kernel_unprivileged_bpf_disabled'
- - '!package_dnf-automatic_installed'
- - '!grub2_mds_argument'
- - '!dnf-automatic_security_updates_only'
- - '!cracklib_accounts_password_pam_lcredit'
- - '!sysctl_fs_protected_regular'
- - '!dnf-automatic_apply_updates'
- - '!cracklib_accounts_password_pam_ocredit'
- - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
- - '!timer_dnf-automatic_enabled'
- - '!chronyd_configure_pool_and_server'
- - '!accounts_passwords_pam_tally2'
- - '!cracklib_accounts_password_pam_ucredit'
- - '!accounts_passwords_pam_tally2_unlock_time'
- - '!enable_authselect'
- - '!cracklib_accounts_password_pam_minlen'
- - '!sysctl_fs_protected_fifos'
- - '!cracklib_accounts_password_pam_dcredit'
- - '!grub2_page_alloc_shuffle_argument'
- - '!sysctl_net_core_bpf_jit_harden'
- - '!grub2_pti_argument'
- - '!ensure_oracle_gpgkey_installed'
diff --git a/products/rhel7/profiles/anssi_nt28_high.profile b/products/rhel7/profiles/anssi_nt28_high.profile
deleted file mode 100644
index 95973d8644f..00000000000
--- a/products/rhel7/profiles/anssi_nt28_high.profile
+++ /dev/null
@@ -1,73 +0,0 @@
-documentation_complete: true
-
-metadata:
- SMEs:
- - marcusburghardt
-
-title: 'ANSSI-BP-028 (high)'
-
-description: |-
- This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.
-
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
- ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
-
- A copy of the ANSSI-BP-028 can be found at the ANSSI website:
- https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
-
- An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
- https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
-
-selections:
- - anssi:all:high
- - '!timer_logrotate_enabled'
- - '!logind_session_timeout'
- # Following rules once had a prodtype incompatible with the rhel7 product
- - '!kernel_config_gcc_plugin_structleak_byref_all'
- - '!accounts_passwords_pam_tally2_deny_root'
- - '!sysctl_kernel_unprivileged_bpf_disabled'
- - '!kernel_config_legacy_vsyscall_none'
- - '!kernel_config_hardened_usercopy_fallback'
- - '!aide_periodic_checking_systemd_timer'
- - '!kernel_config_gcc_plugin_latent_entropy'
- - '!package_dnf-automatic_installed'
- - '!grub2_mds_argument'
- - '!sysctl_fs_protected_regular'
- - '!dnf-automatic_security_updates_only'
- - '!kernel_config_bug_on_data_corruption'
- - '!cracklib_accounts_password_pam_lcredit'
- - '!kernel_config_stackprotector_strong'
- - '!dnf-automatic_apply_updates'
- - '!cracklib_accounts_password_pam_ocredit'
- - '!kernel_config_sched_stack_end_check'
- - '!kernel_config_gcc_plugin_stackleak'
- - '!kernel_config_legacy_vsyscall_emulate'
- - '!kernel_config_arm64_sw_ttbr0_pan'
- - '!kernel_config_page_poisoning'
- - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
- - '!timer_dnf-automatic_enabled'
- - '!chronyd_configure_pool_and_server'
- -
'!accounts_passwords_pam_tally2'
- - '!cracklib_accounts_password_pam_ucredit'
- - '!kernel_config_vmap_stack'
- - '!kernel_config_legacy_vsyscall_xonly'
- - '!kernel_config_gcc_plugin_randstruct'
- - '!accounts_passwords_pam_tally2_unlock_time'
- - '!kernel_config_stackprotector'
- - '!kernel_config_slab_freelist_hardened'
- - '!kernel_config_gcc_plugin_structleak'
- - '!enable_authselect'
- - '!cracklib_accounts_password_pam_minlen'
- - '!kernel_config_debug_wx'
- - '!sysctl_fs_protected_fifos'
- - '!kernel_config_strict_kernel_rwx'
- - '!kernel_config_fortify_source'
- - '!cracklib_accounts_password_pam_dcredit'
- - '!kernel_config_slab_merge_default'
- - '!kernel_config_slab_freelist_random'
- - '!grub2_page_alloc_shuffle_argument'
- - '!sysctl_net_core_bpf_jit_harden'
- - '!kernel_config_strict_module_rwx'
- - '!kernel_config_modify_ldt_syscall'
- - '!grub2_pti_argument'
- - '!ensure_oracle_gpgkey_installed'
diff --git a/products/rhel7/profiles/anssi_nt28_intermediary.profile b/products/rhel7/profiles/anssi_nt28_intermediary.profile
deleted file mode 100644
index 411a14ceaff..00000000000
--- a/products/rhel7/profiles/anssi_nt28_intermediary.profile
+++ /dev/null
@@ -1,46 +0,0 @@
-documentation_complete: true
-
-metadata:
- SMEs:
- - marcusburghardt
-
-title: 'ANSSI-BP-028 (intermediary)'
-
-description: |-
- This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level.
-
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
- ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
-
- A copy of the ANSSI-BP-028 can be found at the ANSSI website:
- https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
-
- An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
- https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
-
-selections:
- - anssi:all:intermediary
- - '!logind_session_timeout'
- # Following rules once had a prodtype incompatible with the rhel7 product
- - '!accounts_passwords_pam_tally2_deny_root'
- - '!sysctl_kernel_unprivileged_bpf_disabled'
- - '!package_dnf-automatic_installed'
- - '!grub2_mds_argument'
- - '!dnf-automatic_security_updates_only'
- - '!cracklib_accounts_password_pam_lcredit'
- - '!sysctl_fs_protected_regular'
- - '!dnf-automatic_apply_updates'
- - '!cracklib_accounts_password_pam_ocredit'
- - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
- - '!timer_dnf-automatic_enabled'
- - '!accounts_passwords_pam_tally2'
- - '!cracklib_accounts_password_pam_ucredit'
- - '!accounts_passwords_pam_tally2_unlock_time'
- - '!enable_authselect'
- - '!cracklib_accounts_password_pam_minlen'
- - '!sysctl_fs_protected_fifos'
- - '!cracklib_accounts_password_pam_dcredit'
- - '!grub2_page_alloc_shuffle_argument'
- - '!sysctl_net_core_bpf_jit_harden'
- - '!grub2_pti_argument'
- - '!ensure_oracle_gpgkey_installed'
diff --git a/products/rhel7/profiles/anssi_nt28_minimal.profile b/products/rhel7/profiles/anssi_nt28_minimal.profile
deleted file mode 100644
index 5e7e2ea6e85..00000000000
--- a/products/rhel7/profiles/anssi_nt28_minimal.profile
+++ /dev/null
@@ -1,38 +0,0 @@
-documentation_complete: true
-
-metadata:
- SMEs:
- - marcusburghardt
-
-title: 'ANSSI-BP-028 (minimal)'
-
-description: |-
- This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level.
-
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
- ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
-
- A copy of the ANSSI-BP-028 can be found at the ANSSI website:
- https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
-
- An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
- https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
-
-selections:
- - anssi:all:minimal
- - '!logind_session_timeout'
- # Following rules once had a prodtype incompatible with the rhel7 product
- - '!cracklib_accounts_password_pam_minlen'
- - '!package_dnf-automatic_installed'
- - '!accounts_passwords_pam_tally2_deny_root'
- - '!timer_dnf-automatic_enabled'
- - '!dnf-automatic_security_updates_only'
- - '!accounts_passwords_pam_tally2'
- - '!cracklib_accounts_password_pam_ucredit'
- - '!cracklib_accounts_password_pam_dcredit'
- - '!cracklib_accounts_password_pam_lcredit'
- - '!dnf-automatic_apply_updates'
- - '!cracklib_accounts_password_pam_ocredit'
- - '!accounts_passwords_pam_tally2_unlock_time'
- - '!ensure_oracle_gpgkey_installed'
- - '!enable_authselect'
diff --git a/products/rhel7/profiles/cis.profile b/products/rhel7/profiles/cis.profile
deleted file mode 100644
index a479a849af8..00000000000
--- a/products/rhel7/profiles/cis.profile
+++ /dev/null
@@ -1,28 +0,0 @@
-documentation_complete: true
-
-metadata:
- version: 4.0.0
- SMEs:
- - vojtapolasek
- - yuumasato
-
-reference: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux
-
-
-title: 'CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server'
-
-description: |-
- This profile defines a baseline that aligns to the "Level 2 - Server"
- configuration from the Center for Internet Security® Red Hat Enterprise
- Linux 7 Benchmark™, v4.0.0, released 2023-12-21.
-
- This profile includes Center for Internet Security®
- Red Hat Enterprise Linux 7 CIS Benchmarks™ content.
-
-selections:
- - cis_rhel7:all:l2_server
- # Following rules once had a prodtype incompatible with the rhel7 product
- - '!file_groupowner_at_allow'
- - '!audit_rules_execution_setfacl'
- - '!file_permissions_at_allow'
- - '!file_owner_at_allow'
diff --git a/products/rhel7/profiles/cis_server_l1.profile b/products/rhel7/profiles/cis_server_l1.profile
deleted file mode 100644
index bc75ae29d97..00000000000
--- a/products/rhel7/profiles/cis_server_l1.profile
+++ /dev/null
@@ -1,27 +0,0 @@
-documentation_complete: true
-
-metadata:
- version: 4.0.0
- SMEs:
- - vojtapolasek
- - yuumasato
-
-reference: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux
-
-
-title: 'CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server'
-
-description: |-
- This profile defines a baseline that aligns to the "Level 1 - Server"
- configuration from the Center for Internet Security® Red Hat Enterprise
- Linux 7 Benchmark™, v4.0.0, released 2023-12-21.
-
- This profile includes Center for Internet Security®
- Red Hat Enterprise Linux 7 CIS Benchmarks™ content.
-
-selections:
- - cis_rhel7:all:l1_server
- # Following rules once had a prodtype incompatible with the rhel7 product
- - '!file_groupowner_at_allow'
- - '!file_permissions_at_allow'
- - '!file_owner_at_allow'
diff --git a/products/rhel7/profiles/cis_workstation_l1.profile b/products/rhel7/profiles/cis_workstation_l1.profile
deleted file mode 100644
index c5382099ec5..00000000000
--- a/products/rhel7/profiles/cis_workstation_l1.profile
+++ /dev/null
@@ -1,27 +0,0 @@
-documentation_complete: true
-
-metadata:
- version: 4.0.0
- SMEs:
- - vojtapolasek
- - yuumasato
-
-reference: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux
-
-
-title: 'CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation'
-
-description: |-
- This profile defines a baseline that aligns to the "Level 1 - Workstation"
- configuration from the Center for Internet Security® Red Hat Enterprise
- Linux 7 Benchmark™, v4.0.0, released 2023-12-21.
-
- This profile includes Center for Internet Security®
- Red Hat Enterprise Linux 7 CIS Benchmarks™ content.
-
-selections:
- - cis_rhel7:all:l1_workstation
- # Following rules once had a prodtype incompatible with the rhel7 product
- - '!file_groupowner_at_allow'
- - '!file_permissions_at_allow'
- - '!file_owner_at_allow'
diff --git a/products/rhel7/profiles/cis_workstation_l2.profile b/products/rhel7/profiles/cis_workstation_l2.profile
deleted file mode 100644
index 758f86574bc..00000000000
--- a/products/rhel7/profiles/cis_workstation_l2.profile
+++ /dev/null
@@ -1,28 +0,0 @@
-documentation_complete: true
-
-metadata:
- version: 4.0.0
- SMEs:
- - vojtapolasek
- - yuumasato
-
-reference: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux
-
-
-title: 'CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation'
-
-description: |-
- This profile defines a baseline that aligns to the "Level 2 - Workstation"
- configuration from the Center for Internet Security® Red Hat Enterprise
- Linux 7 Benchmark™, v4.0.0, released 2023-12-21.
-
- This profile includes Center for Internet Security®
- Red Hat Enterprise Linux 7 CIS Benchmarks™ content.
-
-selections:
- - cis_rhel7:all:l2_workstation
- # Following rules once had a prodtype incompatible with the rhel7 product
- - '!file_groupowner_at_allow'
- - '!audit_rules_execution_setfacl'
- - '!file_permissions_at_allow'
- - '!file_owner_at_allow'
diff --git a/products/rhel7/profiles/cjis.profile b/products/rhel7/profiles/cjis.profile
deleted file mode 100644
index ec9e6d1737e..00000000000
--- a/products/rhel7/profiles/cjis.profile
+++ /dev/null
@@ -1,139 +0,0 @@
-documentation_complete: true
-
-metadata:
- version: 5.4
- SMEs:
- - ggbecker
-
-reference: https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
-
-title: 'Criminal Justice Information Services (CJIS) Security Policy'
-
-description: |-
- This profile is derived from FBI's CJIS v5.4
- Security Policy. A copy of this policy can be found at the CJIS Security
- Policy Resource Center:
-
- https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
-
-selections:
- - service_auditd_enabled
- - grub2_audit_argument
- - auditd_data_retention_num_logs
- - auditd_data_retention_max_log_file
- - auditd_data_retention_max_log_file_action
- - auditd_data_retention_space_left_action
- - auditd_data_retention_admin_space_left_action
- - auditd_data_retention_action_mail_acct
- - auditd_audispd_syslog_plugin_activated
- - audit_rules_time_adjtimex
- - audit_rules_time_settimeofday
- - audit_rules_time_stime
- - audit_rules_time_clock_settime
- - audit_rules_time_watch_localtime
- - audit_rules_usergroup_modification
- - audit_rules_networkconfig_modification
- - file_permissions_var_log_audit
- - file_ownership_var_log_audit
- - audit_rules_mac_modification
- - audit_rules_dac_modification_chmod
- - audit_rules_dac_modification_chown
- - audit_rules_dac_modification_fchmod
- - audit_rules_dac_modification_fchmodat
- - audit_rules_dac_modification_fchown
- - audit_rules_dac_modification_fchownat
- - audit_rules_dac_modification_fremovexattr
- - audit_rules_dac_modification_fsetxattr
- - audit_rules_dac_modification_lchown
- - audit_rules_dac_modification_lremovexattr
- - audit_rules_dac_modification_lsetxattr
- - audit_rules_dac_modification_removexattr
- - audit_rules_dac_modification_setxattr
- - audit_rules_login_events
- - var_accounts_passwords_pam_faillock_dir=run
- - audit_rules_session_events
- - audit_rules_unsuccessful_file_modification
- - audit_rules_privileged_commands
- - audit_rules_media_export
- -
audit_rules_file_deletion_events
- - audit_rules_sysadmin_actions
- - audit_rules_kernel_module_loading
- - audit_rules_immutable
- - account_unique_name
- - gid_passwd_group_same
- - accounts_password_all_shadowed
- - no_empty_passwords
- - display_login_attempts
- - var_accounts_maximum_age_login_defs=90
- - var_password_pam_unix_remember=10
- - var_account_disable_post_pw_expiration=0
- - var_password_pam_minlen=12
- - var_accounts_minimum_age_login_defs=1
- - var_password_pam_difok=6
- - var_accounts_max_concurrent_login_sessions=3
- - account_disable_post_pw_expiration
- - accounts_password_pam_minlen
- - accounts_minimum_age_login_defs
- - accounts_password_pam_difok
- - accounts_max_concurrent_login_sessions
- - set_password_hashing_algorithm_systemauth
- - set_password_hashing_algorithm_logindefs
- - set_password_hashing_algorithm_libuserconf
- - file_owner_etc_shadow
- - file_groupowner_etc_shadow
- - file_permissions_etc_shadow
- - file_owner_etc_group
- - file_groupowner_etc_group
- - file_permissions_etc_group
- - file_owner_etc_passwd
- - file_groupowner_etc_passwd
- - file_permissions_etc_passwd
- - file_owner_grub2_cfg
- - file_groupowner_grub2_cfg
- - var_password_pam_retry=5
- - var_accounts_passwords_pam_faillock_deny=5
- - var_accounts_passwords_pam_faillock_unlock_time=600
- - dconf_gnome_screensaver_idle_delay
- - dconf_gnome_session_idle_user_locks
- - dconf_gnome_screensaver_idle_activation_enabled
- - dconf_gnome_screensaver_lock_enabled
- - dconf_gnome_screensaver_mode_blank
- - sshd_allow_only_protocol2
- - sshd_set_idle_timeout
- - var_sshd_set_keepalive=0
- - sshd_set_keepalive_0
- - disable_host_auth
- - sshd_disable_root_login
- - sshd_disable_empty_passwords
- - sshd_enable_warning_banner
- - sshd_do_not_permit_user_env
- - sshd_use_approved_ciphers
- - kernel_module_dccp_disabled
- - kernel_module_sctp_disabled
- - service_firewalld_enabled
- - set_firewalld_default_zone
- - firewalld_sshd_port_enabled
- -
sshd_idle_timeout_value=30_minutes
- - inactivity_timeout_value=30_minutes
- - sysctl_net_ipv4_conf_default_accept_source_route
- - sysctl_net_ipv4_tcp_syncookies
- - sysctl_net_ipv4_conf_all_send_redirects
- - sysctl_net_ipv4_conf_default_send_redirects
- - sysctl_net_ipv4_conf_all_accept_redirects
- - sysctl_net_ipv4_conf_default_accept_redirects
- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- - var_password_pam_ocredit=1
- - var_password_pam_dcredit=1
- - var_password_pam_ucredit=1
- - var_password_pam_lcredit=1
- - package_aide_installed
- - disable_prelink
- - aide_build_database
- - aide_periodic_cron_checking
- - rpm_verify_permissions
- - rpm_verify_hashes
- - ensure_redhat_gpgkey_installed
- - ensure_gpgcheck_globally_activated
- - ensure_gpgcheck_never_disabled
- - security_patches_up_to_date
- - kernel_module_bluetooth_disabled
diff --git a/products/rhel7/profiles/cui.profile b/products/rhel7/profiles/cui.profile
deleted file mode 100644
index fd97e58c734..00000000000
--- a/products/rhel7/profiles/cui.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-documentation_complete: true
-
-metadata:
- version: TBD
- SMEs:
- - comps
- - stevegrubb
-
-title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
-
-description: |-
- From NIST 800-171, Section 2.2:
- Security requirements for protecting the confidentiality of CUI in non-federal
- information systems and organizations have a well-defined structure that
- consists of:
-
- (i) a basic security requirements section;
- (ii) a derived security requirements section.
-
- The basic security requirements are obtained from FIPS Publication 200, which
- provides the high-level and fundamental security requirements for federal
- information and information systems. The derived security requirements, which
- supplement the basic security requirements, are taken from the security controls
- in NIST Special Publication 800-53.
-
- This profile configures Red Hat Enterprise Linux 7 to the NIST Special
- Publication 800-53 controls identified for securing Controlled Unclassified
- Information (CUI).
-
-extends: ospp
-
-selections:
- - inactivity_timeout_value=10_minutes
diff --git a/products/rhel7/profiles/default.profile b/products/rhel7/profiles/default.profile
deleted file mode 100644
index 6f6f808b109..00000000000
--- a/products/rhel7/profiles/default.profile
+++ /dev/null
@@ -1,641 +0,0 @@
-documentation_complete: true
-
-hidden: true
-
-title: Default Profile for Red Hat Enterprise Linux 7
-
-description: |-
- This profile contains all the rules that once belonged to the
- rhel7 product via 'prodtype'. This profile won't
- be rendered into an XCCDF Profile entity, nor it will select any
- of these rules by default. The only purpose of this profile
- is to keep a rule in the product's XCCDF Benchmark.
-
-selections:
- - sebool_nfsd_anon_write
- - sebool_squid_connect_any
- - sebool_polipo_connect_all_unreserved
- - audit_rules_successful_file_modification_open_by_handle_at_o_trunc_write
- - mount_option_var_tmp_bind
- - package_subscription-manager_installed
- - sebool_condor_tcp_network_connect
- - rsyslog_encrypt_offload_defaultnetstreamdriver
- - mount_option_home_grpquota
- - sebool_mpd_enable_homedirs
- - auditd_data_retention_max_log_file_action_stig
- - install_mcafee_antivirus
- - httpd_configure_documentroot
- - journald_forward_to_syslog
- - sebool_logwatch_can_network_connect_mail
- - audit_rules_unsuccessful_file_modification_openat_rule_order
- - sebool_mpd_use_nfs
- - sebool_virt_use_sanlock
- - disable_anacron
- - kernel_module_vfat_disabled
- - sebool_puppetagent_manage_all_files
- - sebool_staff_use_svirt
- - audit_rules_successful_file_modification_lsetxattr
- - sebool_daemons_enable_cluster_mode
- - file_groupowner_var_log
- - file_permissions_etc_hosts_deny
- - package_krb5-workstation_removed
- - passwd_system-auth_substack
- - package_samba-common_installed
- - ntpd_configure_restrictions
- - sebool_httpd_enable_cgi
- - accounts_password_pam_pwquality_password_auth
- - xwindows_remove_packages
- - package_iptables-services_removed
- - sebool_httpd_can_network_memcache
- - sebool_git_system_use_nfs
- - sudoers_no_root_target
- - enable_ldap_client
- - sebool_httpd_can_connect_zabbix
- - sebool_samba_portmapper
- - audit_rules_etc_shadow_open
- - sebool_httpd_graceful_shutdown
- - httpd_limit_java_files
- -
sebool_ftpd_use_fusefs
- - sebool_unconfined_chrome_sandbox_transition
- - avahi_prevent_port_sharing
- - package_ntpdate_removed
- - sebool_gitosis_can_sendmail
- - set_loopback_traffic
- - configure_firewalld_rate_limiting
- - firewalld_sshd_disabled
- - audit_rules_unsuccessful_file_modification_renameat
- - sebool_pcp_read_generic_logs
- - package_abrt-plugin-rhtsupport_removed
- - sebool_httpd_run_ipa
- - package_abrt-addon-ccpp_removed
- - file_groupowner_var_log_syslog
- - httpd_configure_perl_taint
- - service_netfs_disabled
- - sebool_dbadm_manage_user_files
- - sebool_smbd_anon_write
- - service_ypserv_disabled
- - sebool_nagios_run_sudo
- - sebool_dbadm_exec_content
- - package_ntp_installed
- - kernel_module_can_disabled
- - package_policycoreutils_installed
- - package_cron_installed
- - audit_rules_successful_file_modification_unlinkat
- - httpd_entrust_passwords
- - httpd_proxy_support
- - package_audit-audispd-plugins_installed
- - service_rpcidmapd_disabled
- - package_docker_installed
- - sebool_httpd_serve_cobbler_files
- - kernel_module_firewire-core_disabled
- - httpd_configure_log_format
- - sebool_container_connect_any
- - sebool_sge_domain_can_network_connect
- - package_openscap-scanner_installed
- - file_permissions_home_dirs
- - audit_rules_privileged_commands_newgidmap
- - sebool_virt_use_xserver
- - no_netrc_files
- - sebool_mozilla_plugin_use_spice
- - postfix_client_configure_mail_alias_postmaster
- - package_libcap-ng-utils_installed
- - package_nftables_removed
- - sebool_tmpreaper_use_nfs
- - sebool_httpd_can_connect_ldap
- - ftp_restrict_to_anon
- - sysctl_net_ipv4_conf_all_forwarding
- - sebool_glance_use_fusefs
- - snmpd_use_newer_protocol
- - sebool_httpd_dontaudit_search_dirs
- - sebool_named_tcp_bind_http_port
- - sebool_wine_mmap_zero_ignore
- - sebool_cluster_use_execmem
- - audit_rules_privileged_commands_usernetctl
- - kernel_module_atm_disabled
- - sebool_ftpd_use_nfs
- - sebool_httpd_use_fusefs
- -
service_iptables_enabled
- - sebool_tor_bind_all_unreserved_ports
- - httpd_configure_banner_page
- - chronyd_server_directive
- - httpd_install_mod_ssl
- - sebool_httpd_use_openstack
- - sebool_icecast_use_any_tcp_ports
- - sebool_virt_sandbox_use_all_caps
- - audit_rules_unsuccessful_file_modification_rename
- - service_cgconfig_disabled
- - sebool_openshift_use_nfs
- - package_binutils_installed
- - sebool_mailman_use_fusefs
- - sebool_nfs_export_all_rw
- - service_sysstat_disabled
- - sebool_httpd_dbus_avahi
- - service_smartd_disabled
- - dir_perms_etc_httpd_conf
- - logwatch_configured_splithosts
- - mount_option_smb_client_signing
- - audit_rules_successful_file_modification_open_o_trunc_write
- - httpd_no_compilers_in_prod
- - sebool_mplayer_execstack
- - sebool_virt_sandbox_use_mknod
- - audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order
- - sebool_fcron_crond
- - sebool_httpd_read_user_content
- - sebool_samba_domain_controller
- - service_sshd_disabled
- - sebool_cobbler_anon_write
- - audit_rules_successful_file_modification_openat_o_trunc_write
- - audit_rules_successful_file_modification_removexattr
- - sebool_httpd_mod_auth_pam
- - audit_rules_successful_file_modification_fchownat
- - package_nfs-utils_removed
- - sebool_pppd_for_user
- - sebool_rsync_export_all_ro
- - audit_rules_successful_file_modification_open_o_creat
- - sebool_authlogin_radius
- - httpd_configure_remote_session_encryption
- - sebool_swift_can_network
- - dhcp_server_disable_ddns
- - package_abrt-addon-kerneloops_removed
- - sudo_restrict_others_executable_permission
- - sshd_disable_pubkey_auth
- - sebool_tor_can_network_relay
- - postfix_server_banner
- - package_usbguard_installed
- - nfs_fixed_statd_port
- - audit_privileged_commands_reboot
- - sebool_virt_use_samba
- - install_mcafee_hbss_pa
- - sebool_spamassassin_can_network
- - package_syslogng_installed
- - sebool_virt_sandbox_use_sys_admin
- - httpd_ldap_support
- - network_disable_zeroconf
- -
sebool_irssi_use_full_network
- - sebool_polipo_use_cifs
- - sebool_samba_load_libgfapi
- - package_rpcbind_removed
- - sebool_samba_run_unconfined
- - sebool_webadm_manage_user_files
- - cups_disable_browsing
- - service_certmonger_disabled
- - sebool_zoneminder_run_sudo
- - sebool_ftpd_anon_write
- - sebool_rsync_anon_write
- - install_mcafee_hbss_accm
- - mount_option_proc_hidepid
- - kerberos_disable_no_keytab
- - sebool_nfs_export_all_ro
- - audit_rules_unsuccessful_file_modification_chown
- - sebool_cups_execmem
- - httpd_enable_loglevel
- - sebool_httpd_execmem
- - sebool_httpd_sys_script_anon_write
- - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write
- - sebool_ftpd_use_cifs
- - audit_rules_etc_shadow_open_by_handle_at
- - sebool_mysql_connect_any
- - audit_rules_privileged_commands_pt_chown
- - sebool_httpd_can_sendmail
- - sebool_prosody_bind_http_port
- - sebool_httpd_use_sasl
- - set_nftables_base_chain
- - sebool_tftp_home_dir
- - sebool_gssd_read_tmp
- - kernel_module_uvcvideo_disabled
- - sebool_squid_use_tproxy
- - sebool_httpd_ssi_exec
- - sebool_use_lpd_server
- - httpd_restrict_root_directory
- - audit_rules_successful_file_modification_open_by_handle_at_o_creat
- - grub2_nousb_argument
- - account_use_centralized_automated_auth
- - httpd_configure_valid_server_cert
- - sebool_postgresql_selinux_transmit_client_label
- - sebool_smartmon_3ware
- - dhcp_server_configure_logging
- - audit_rules_unsuccessful_file_modification_setxattr
- - sebool_global_ssp
- - sebool_virt_rw_qemu_ga_data
- - package_inetutils-telnetd_removed
- - audit_rules_successful_file_modification_openat
- - audit_rules_unsuccessful_file_modification_fchmod
- - file_permissions_httpd_server_conf_files
- - sebool_httpd_use_gpg
- - sysconfig_networking_bootproto_ifcfg
- - sebool_spamd_enable_home_dirs
- - avahi_disable_publishing
- - audit_rules_successful_file_modification_fchmod
- - dns_server_disable_dynamic_updates
- -
sebool_fenced_can_network_connect
- - sebool_virt_use_nfs
- - sebool_lsmd_plugin_connect_any
- - account_passwords_pam_faillock_dir
- - httpd_configure_script_permissions
- - sebool_authlogin_yubikey
- - sebool_authlogin_nsswitch_use_ldap
- - package_iprutils_removed
- - sebool_httpd_run_preupgrade
- - sebool_httpd_use_cifs
- - sebool_telepathy_tcp_connect_generic_network_ports
- - httpd_cache_support
- - dir_perms_var_log_httpd
- - nfs_fixed_lockd_udp_port
- - sebool_entropyd_use_audio
- - sebool_httpd_enable_ftp_server
- - sebool_postgresql_selinux_users_ddl
- - http_configure_log_file_ownership
- - kernel_module_ipv6_option_disabled
- - sebool_cobbler_use_nfs
- - sebool_mozilla_plugin_can_network_connect
- - accounts_password_pam_pwquality_system_auth
- - httpd_restrict_web_directory
- - sebool_ftpd_full_access
- - sebool_mcelog_foreground
- - audit_rules_successful_file_modification_renameat
- - package_prelink_removed
- - sebool_git_cgi_use_cifs
- - sebool_virt_sandbox_use_netlink
- - smb_server_disable_root
- - service_nfslock_disabled
- - auditd_data_retention_admin_space_left_percentage
- - dir_ownership_library_dirs
- - sebool_openvpn_run_unconfined
- - package_sssd_installed
- - sebool_gluster_anon_write
- - audit_rules_successful_file_modification_open
- - sebool_nscd_use_shm
- - sebool_ksmtuned_use_cifs
- - service_messagebus_disabled
- - sebool_nagios_run_pnp4nagios
- - sebool_haproxy_connect_any
- - audit_rules_etc_shadow_openat
- - dns_server_authenticate_zone_transfers
- - sebool_pppd_can_insmod
- - sebool_glance_api_can_network
- - httpd_serversignature_off
- - sebool_mozilla_plugin_use_bluejeans
- - sebool_mozilla_read_content
- - restrict_nfs_clients_to_privileged_ports
- - file_permissions_var_log_messages
- - sebool_virt_use_usb
- - sebool_virt_use_execmem
- - sebool_virt_read_qemu_ga_data
- - sebool_gluster_export_all_ro
- - sebool_mcelog_server
- - package_nss-tools_installed
- - sebool_sge_use_nfs
- - service_saslauthd_disabled
- -
sebool_mcelog_client
- - sebool_rsync_client
- - sebool_privoxy_connect_any
- - service_irqbalance_enabled
- - postfix_client_configure_relayhost
- - audit_privileged_commands_init
- - sebool_httpd_builtin_scripting
- - iptables_sshd_disabled
- - grub2_ipv6_disable_argument
- - etc_system_fips_exists
- - docker_selinux_enabled
- - sebool_varnishd_connect_any
- - ensure_gpgcheck_repo_metadata
- - httpd_servertokens_prod
- - service_postfix_enabled
- - package_openssh-server_removed
- - timer_logrotate_enabled
- - httpd_limit_available_methods
- - sebool_httpd_can_connect_mythtv
- - audit_rules_successful_file_modification_lchown
- - sebool_tftp_anon_write
- - dhcp_server_deny_decline
- - sebool_cobbler_can_network_connect
- - sebool_samba_export_all_ro
- - file_owner_var_log
- - service_cron_enabled
- - httpd_webdav
- - httpd_configure_max_keepalive_requests
- - set_nftables_loopback_traffic
- - audit_rules_successful_file_modification_unlink
- - wireless_disable_in_bios
- - no_all_squash_exports
- - sebool_use_samba_home_dirs
- - audit_rules_etc_gshadow_openat
- - service_ufw_enabled
- - package_psacct_installed
- - network_disable_ddns_interfaces
- - nfs_no_anonymous
- - dir_permissions_binary_dirs
- - mount_option_boot_nodev
- - sebool_xend_run_blktap
- - package_nis_removed
- - httpd_server_side_includes
- - package_gnutls-utils_installed
- - audit_rules_etc_passwd_open
- - dhcp_client_restrict_options
- - sebool_openvpn_can_network_connect
- - httpd_server_configuration_display
- - account_emergency_expire_date
- - sebool_unconfined_mozilla_plugin_transition
- - audit_rules_unsuccessful_file_modification_lremovexattr
- - file_permissions_var_log_syslog
- - sebool_git_cgi_enable_homedirs
- - dovecot_configure_ssl_cert
- - audit_rules_etc_passwd_open_by_handle_at
- - audit_rules_privileged_commands_at
- - sebool_virt_use_fusefs
- - avahi_ip_only
- - service_ntp_enabled
- - file_owner_var_log_syslog
- - service_ip6tables_enabled
- -
sebool_logging_syslogd_run_nagios_plugins
- - sebool_mozilla_plugin_use_gps
- - partition_for_web_content
- - file_groupowner_etc_hosts_allow
- - audit_rules_unsuccessful_file_modification_open_o_trunc_write
- - package_tar_installed
- - httpd_private_server_on_separate_subnet
- - use_root_squashing_all_exports
- - sebool_ftpd_connect_all_unreserved
- - configure_user_data_backups
- - dir_ownership_binary_dirs
- - nfs_fixed_lockd_tcp_port
- - sebool_mcelog_exec_scripts
- - httpd_configure_tls
- - sysctl_net_ipv4_tcp_invalid_ratelimit
- - service_nftables_enabled
- - sysctl_net_ipv6_conf_default_disable_ipv6
- - sebool_collectd_tcp_network_connect
- - sebool_httpd_enable_homedirs
- - sebool_httpd_unified
- - audit_rules_privileged_commands_newuidmap
- - ldap_client_tls_cacertpath
- - sebool_zabbix_can_network
- - sshd_rekey_limit
- - audit_rules_unsuccessful_file_modification_chmod
- - fapolicyd_prevent_home_folder_access
- - no_legacy_plus_entries_etc_passwd
- - sebool_sanlock_use_nfs
- - httpd_restrict_critical_directories
- - sebool_racoon_read_shadow
- - configure_etc_hosts_deny
- - audit_rules_successful_file_modification_fsetxattr
- - service_sssd_enabled
- - service_psacct_enabled
- - audit_rules_successful_file_modification_fremovexattr
- - httpd_remove_backups
- - package_krb5-server_removed
- - service_netconsole_disabled
- - file_permissions_httpd_server_conf_d_files
- - audit_rules_successful_file_modification_rename
- - sebool_antivirus_use_jit
- - file_permissions_var_log
- - sebool_ksmtuned_use_nfs
- - audit_rules_successful_file_modification_setxattr
- - grub2_systemd_debug-shell_argument_absent
- - sebool_polipo_session_bind_all_unreserved_ports
- - sebool_webadm_read_user_files
- - auditd_data_disk_full_action_stig
- - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat
- - audit_rules_unsuccessful_file_modification_fsetxattr
- - avahi_restrict_published_information
- - sebool_git_session_users
- - sebool_exim_manage_user_files
- -
sshd_enable_gssapi_auth
- - httpd_digest_authentication
- - sebool_minidlna_read_generic_user_content
- - audit_rules_etc_group_openat
- - umask_for_daemons
- - sebool_httpd_can_network_connect_cobbler
- - service_mdmonitor_disabled
- - audit_rules_unsuccessful_file_modification_fchownat
- - sebool_openvpn_enable_homedirs
- - bios_disable_usb_boot
- - service_docker_enabled
- - file_owner_etc_hosts_allow
- - audit_rules_unsuccessful_file_modification_open_o_creat
- - kernel_config_ipv6
- - service_rpcgssd_disabled
- - audit_rules_successful_file_modification_chown
- - audit_rules_successful_file_modification_fchmodat
- - sebool_dhcpc_exec_iptables
- - grub2_disable_recovery
- - httpd_public_resources_not_shared
- - audit_rules_unsuccessful_file_modification_removexattr
- - sebool_telepathy_connect_all_ports
- - httpd_enable_error_logging
- - httpd_disable_mime_types
- - sebool_postgresql_can_rsync
- - audit_rules_unsuccessful_file_modification_openat_o_trunc_write
- - httpd_install_mod_security
- - package_telnetd_removed
- - use_pam_wheel_for_su
- - sebool_httpd_setrlimit
- - service_cockpit_disabled
- - no_legacy_plus_entries_etc_group
- - mount_option_boot_noauto
- - nfs_fixed_mountd_port
- - sebool_git_cgi_use_nfs
- - httpd_remove_robots_file
- - sebool_git_system_use_cifs
- - sebool_httpd_use_nfs
- - sshd_enable_pubkey_auth
- - audit_rules_unsuccessful_file_modification_lchown
- - audit_rules_successful_file_modification_fchown
- - docker_storage_configured
- - sssd_ldap_configure_tls_ca_dir
- - sebool_git_system_enable_homedirs
- - sebool_httpd_can_check_spam
- - package_gssproxy_removed
- - sebool_mpd_use_cifs
- - sebool_xen_use_nfs
- - sebool_samba_enable_home_dirs
- - service_syslogng_enabled
- - sebool_sanlock_use_fusefs
- - account_passwords_pam_faillock_audit
- - httpd_require_client_certs
- - sebool_zebra_write_config
- - httpd_disable_content_symlinks
- - package_sssd-ipa_installed
- - sebool_irc_use_any_tcp_ports
- -
audit_rules_etc_gshadow_open_by_handle_at
- - sebool_samba_export_all_rw
- - httpd_anonymous_content_sharing
- - audit_rules_successful_file_modification_truncate
- - dhcp_server_minimize_served_info
- - file_owner_etc_hosts_deny
- - package_abrt-cli_removed
- - file_permissions_httpd_server_modules_files
- - httpd_mime_magic
- - audit_rules_successful_file_modification_open_by_handle_at
- - sebool_tmpreaper_use_samba
- - sebool_samba_create_home_dirs
- - httpd_configure_firewall
- - file_groupowner_var_log_messages
- - audit_rules_successful_file_modification_chmod
- - sebool_nis_enabled
- - ftp_log_transactions
- - sebool_cvs_read_shadow
- - audit_rules_unsuccessful_file_modification_lsetxattr
- - sebool_xend_run_qemu
- - auditd_data_disk_error_action_stig
- - file_owner_var_log_messages
- - sebool_virt_use_comm
- - mcafee_antivirus_definitions_updated
- - network_ipv6_default_gateway
- - sebool_httpd_can_network_connect
- - sebool_virt_sandbox_use_audit
- - sshd_disable_root_password_login
- - harden_sshd_crypto_policy
- - package_telnetd-ssl_removed
- - file_groupowner_etc_hosts_deny
- - service_chronyd_enabled
- - network_ipv6_disable_interfaces
- - package_vsftpd_installed
- - sebool_puppetmaster_use_db
- - audit_rules_successful_file_modification_ftruncate
- - package_libreport-plugin-logger_removed
- - package_rng-tools_installed
- - logwatch_configured_hostlimit
- - dns_server_disable_zone_transfers
- - no_insecure_locks_exports
- - dconf_gnome_disable_power_settings
- - package_abrt-plugin-logger_removed
- - sebool_mozilla_plugin_bind_unreserved_ports
- - package_MFEhiplsm_installed
- - sebool_fenced_can_ssh
- - sebool_glance_use_execmem
- - audit_rules_etc_passwd_openat
- - sebool_rsync_full_access
- - httpd_server_activity_status
- - snmpd_no_rwusers
- - httpd_ignore_htaccess_files
- - mount_option_home_usrquota
- - service_quota_nld_disabled
- - file_permissions_etc_hosts_allow
- - sebool_ftpd_use_passive_mode
- - sebool_cluster_can_network_connect
- -
sebool_cdrecord_read_content
- - sebool_antivirus_can_scan_system
- - rsyslog_logging_configured
- - package_scap-security-guide_installed
- - sebool_httpd_manage_ipa
- - audit_rules_dac_modification_umount
- - sebool_samba_share_nfs
- - package_389-ds-base_removed
- - audit_rules_etc_group_open
- - ftp_disable_uploads
- - set_iptables_default_rule_forward
- - httpd_enable_log_config
- - audit_rules_unsuccessful_file_modification_openat_o_creat
- - dovecot_enable_ssl
- - sebool_awstats_purge_apache_log_files
- - ftp_home_partition
- - httpd_url_correction
- - sebool_httpd_tmp_exec
- - package_abrt-plugin-sosreport_removed
- - package_postfix_installed
- - sebool_sanlock_use_samba
- - audit_privileged_commands_poweroff
- - audit_rules_successful_file_modification_creat
- - package_avahi-autoipd_removed
- - sebool_httpd_can_connect_ftp
- - sebool_httpd_anon_write
- - root_path_default
- - sebool_dhcpd_use_ldap
- - httpd_antivirus_scan_uploads
- - coreos_enable_selinux_kernel_argument
- - sebool_postgresql_selinux_unconfined_dbadm
- - kernel_disable_entropy_contribution_for_solid_state_drives
- - sebool_use_fusefs_home_dirs
- - audit_rules_successful_file_modification_lremovexattr
- - sebool_virt_transition_userdomain
- - sudo_add_passwd_timeout
- - package_freeradius_removed
- - avahi_check_ttl
- - audit_privileged_commands_shutdown
- - dir_permissions_library_dirs
- - sebool_httpd_tty_comm
- - sebool_dbadm_read_user_files
- - service_rpcsvcgssd_disabled
- - audit_rules_unsuccessful_file_modification_unlink
- - httpd_enable_system_logging
- - httpd_encrypt_file_uploads
- - sebool_exim_read_user_files
- - ftp_limit_users
- - sebool_zarafa_setrlimit
- - sebool_kdumpgui_run_bootloader
- - service_portreserve_disabled
- - sebool_httpd_verify_dns
- - set_nftables_table
- - sebool_polipo_use_nfs
- - sebool_exim_can_connect_db
- - package_libreport-plugin-rhtsupport_removed
- - sebool_unprivuser_use_svirt
- - sebool_httpd_run_stickshift
- - httpd_nipr_accredited_dmz
- -
set_ipv6_loopback_traffic
- - package_systemd-journal-remote_installed
- - ftp_configure_firewall
- - ntpd_run_as_ntp_user
- - httpd_mod_rewrite
- - network_ipv6_static_address
- - package_libreswan_installed
- - audit_rules_unsuccessful_file_modification_fremovexattr
- - sebool_httpd_dbus_sssd
- - package_geolite2-country_removed
- - audit_rules_etc_group_open_by_handle_at
- - httpd_disable_anonymous_ftp_access
- - sebool_use_nfs_home_dirs
- - dhcp_server_deny_bootp
- - sebool_conman_can_network
- - sebool_logrotate_use_nfs
- - audit_rules_unsuccessful_file_modification_fchown
- - sebool_httpd_can_network_connect_db
- - sebool_gluster_export_all_rw
- - package_vim_installed
- - sebool_named_write_master_zones
- - sebool_postfix_local_write_mail_spool
- - httpd_cgi_support
- - bios_assign_password
- - service_cpupower_disabled
- - sebool_virt_use_rawip
- - sebool_pcp_bind_all_unreserved_ports
- - install_mcafee_cma_rt
- - no_root_webbrowsing
- - audit_rules_etc_gshadow_open
- - sebool_saslauthd_read_shadow
- - service_rhsmcertd_disabled
- - audit_rules_successful_file_modification_openat_o_creat
- - sebool_zoneminder_anon_write
- - require_smb_client_signing
- - sebool_neutron_can_network
- - dovecot_disable_plaintext_auth
- - sebool_ftpd_connect_db
- - sebool_httpd_mod_auth_ntlm_winbind
- - sebool_samba_share_fusefs
- - harden_ssh_client_crypto_policy
- - sebool_cobbler_use_cifs
- - sebool_httpd_can_network_relay
- - package_geolite2-city_removed
- - set_iptables_default_rule
- - sebool_piranha_lvs_can_network_connect
- - package_abrt-addon-python_removed
- - cups_disable_printserver
- - package_tuned_removed
- - no_legacy_plus_entries_etc_shadow
- - accounts_passwords_pam_faillock_audit
- - rsyslog_encrypt_offload_actionsendstreamdrivermode
- - service_acpid_disabled
- - rsyslog_encrypt_offload_actionsendstreamdriverauthmode
- - sebool_git_session_bind_all_unreserved_ports
- - sebool_boinc_execmem
- - service_nails_enabled
- -
audit_rules_unsuccessful_file_modification_unlinkat
- - disable_logwatch_for_logserver
- - audit_rules_unsuccessful_file_modification_open_rule_order
- - service_cgred_disabled
- - ftp_present_banner
- - audit_rules_unsuccessful_file_modification_fchmodat
- - sebool_polipo_session_users
- - sebool_cluster_manage_all_files
- - dovecot_configure_ssl_key
diff --git a/products/rhel7/profiles/e8.profile b/products/rhel7/profiles/e8.profile
deleted file mode 100644
index 0efd5501995..00000000000
--- a/products/rhel7/profiles/e8.profile
+++ /dev/null
@@ -1,143 +0,0 @@
-documentation_complete: true
-
-metadata:
- SMEs:
- - shaneboulden
- - tjbutt58
-
-reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
-
-title: 'Australian Cyber Security Centre (ACSC) Essential Eight'
-
-description: |-
- This profile contains configuration checks for Red Hat Enterprise Linux 7
- that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
-
- A copy of the Essential Eight in Linux Environments guide can be found at the
- ACSC website:
-
- https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
-
-selections:
-
- ### Remove obsolete packages
- - package_talk_removed
- - package_talk-server_removed
- - package_xinetd_removed
- - service_xinetd_disabled
- - package_ypbind_removed
- - package_telnet_removed
- - service_telnet_disabled
- - package_telnet-server_removed
- - package_rsh_removed
- - package_rsh-server_removed
- - service_zebra_disabled
- - package_quagga_removed
- - service_avahi-daemon_disabled
- - package_squid_removed
- - service_squid_disabled
-
- ### Software update
- - ensure_redhat_gpgkey_installed
- - ensure_gpgcheck_never_disabled
- - ensure_gpgcheck_local_packages
- - ensure_gpgcheck_globally_activated
- - security_patches_up_to_date
-
- ### System security settings
- - sysctl_kernel_randomize_va_space
- - sysctl_kernel_exec_shield
- - sysctl_kernel_kptr_restrict
- - sysctl_kernel_dmesg_restrict
- - sysctl_kernel_kexec_load_disabled
- - sysctl_kernel_yama_ptrace_scope
-
- ### SELinux
- - var_selinux_state=enforcing
- - selinux_state
- - var_selinux_policy_name=targeted
- - selinux_policytype
-
- ### Filesystem integrity
- - rpm_verify_hashes
- - rpm_verify_permissions
- - rpm_verify_ownership
- - file_permissions_unauthorized_sgid
- - file_permissions_unauthorized_suid
- - file_permissions_unauthorized_world_writable
- - dir_perms_world_writable_sticky_bits
- - file_permissions_library_dirs
- - file_ownership_binary_dirs
- - file_permissions_binary_dirs
- - file_ownership_library_dirs
-
- ### Passwords
- - no_empty_passwords
-
- ### Partitioning
- - mount_option_dev_shm_nodev
- - mount_option_dev_shm_nosuid
- - mount_option_dev_shm_noexec
-
- ### Network
- - package_firewalld_installed
- - service_firewalld_enabled
- - network_sniffer_disabled
-
- ### Admin privileges
- - accounts_no_uid_except_zero
- - sudo_remove_nopasswd
- - sudo_remove_no_authenticate
- - sudo_require_authentication
-
- ### Audit
- - package_rsyslog_installed
- - service_rsyslog_enabled
- - service_auditd_enabled
- - var_auditd_flush=incremental_async
- - auditd_data_retention_flush
- - auditd_local_events
- - auditd_write_logs
- - auditd_log_format
- - auditd_freq
- - auditd_name_format
- - audit_rules_login_events_tallylog
- - audit_rules_login_events_faillock
- - audit_rules_login_events_lastlog
- - audit_rules_login_events
- - var_accounts_passwords_pam_faillock_dir=run
- - audit_rules_time_adjtimex
- - audit_rules_time_clock_settime
- - audit_rules_time_watch_localtime
- - audit_rules_time_settimeofday
- - audit_rules_time_stime
- - audit_rules_execution_restorecon
- - audit_rules_execution_chcon
- - audit_rules_execution_semanage
- - audit_rules_execution_setsebool
- - audit_rules_execution_setfiles
- - audit_rules_execution_seunshare
- - audit_rules_sysadmin_actions
- - audit_rules_networkconfig_modification
- - audit_rules_usergroup_modification
- - audit_rules_dac_modification_chmod
- - audit_rules_dac_modification_chown
- - audit_rules_kernel_module_loading
-
- ### Secure access
- - sshd_disable_root_login
- - sshd_disable_gssapi_auth
- - sshd_use_strong_ciphers
- - sshd_print_last_log
- - sshd_do_not_permit_user_env
- - sshd_disable_rhosts_rsa
- - sshd_disable_rhosts
- - sshd_allow_only_protocol2
- - sshd_set_loglevel_info
- - sshd_disable_empty_passwords
- - sshd_disable_user_known_hosts
- - sshd_enable_strictmodes
- - sshd_use_strong_macs
-
- ### Backup
- -
package_rear_installed
diff --git a/products/rhel7/profiles/hipaa.profile b/products/rhel7/profiles/hipaa.profile
deleted file mode 100644
index c1270716202..00000000000
--- a/products/rhel7/profiles/hipaa.profile
+++ /dev/null
@@ -1,170 +0,0 @@ -documentation_complete: True - -metadata: - SMEs: - - jjaswanson4 - -reference: https://www.hhs.gov/hipaa/for-professionals/index.html - -title: 'Health Insurance Portability and Accountability Act (HIPAA)' - -description: |- - The HIPAA Security Rule establishes U.S. national standards to protect individuals’ - electronic personal health information that is created, received, used, or - maintained by a covered entity. The Security Rule requires appropriate - administrative, physical and technical safeguards to ensure the - confidentiality, integrity, and security of electronic protected health - information. - - This profile configures Red Hat Enterprise Linux 7 to the HIPAA Security - Rule identified for securing of electronic protected health information. - Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s). - -selections: - - grub2_password - - grub2_uefi_password - - file_groupowner_grub2_cfg - - file_owner_grub2_cfg - - grub2_disable_interactive_boot - - no_direct_root_logins - - no_empty_passwords - - require_singleuser_auth - - restrict_serial_port_logins - - securetty_root_login_console_only - - service_debug-shell_disabled - - disable_ctrlaltdel_reboot - - disable_ctrlaltdel_burstaction - - dconf_db_up_to_date - - dconf_gnome_remote_access_credential_prompt - - dconf_gnome_remote_access_encryption - - sshd_disable_empty_passwords - - sshd_disable_root_login - - libreswan_approved_tunnels - - no_rsh_trust_files - - package_rsh_removed - - package_rsh-server_removed - - package_talk_removed - - package_talk-server_removed - - package_telnet_removed - - package_telnet-server_removed - - package_xinetd_removed - - package_ypbind_removed - - package_ypserv_removed - - service_crond_enabled - - service_rexec_disabled - - service_rlogin_disabled - - service_rsh_disabled - - service_telnet_disabled - - service_xinetd_disabled - - service_ypbind_disabled - - service_zebra_disabled 
- - use_kerberos_security_all_exports - - disable_host_auth - - sshd_allow_only_protocol2 - - sshd_disable_compression - - sshd_disable_gssapi_auth - - sshd_disable_kerb_auth - - sshd_disable_rhosts_rsa - - sshd_do_not_permit_user_env - - sshd_enable_strictmodes - - sshd_enable_warning_banner - - var_sshd_set_keepalive=0 - - sshd_set_keepalive_0 - - encrypt_partitions - - sshd_use_approved_ciphers - - sshd_use_approved_macs - - var_selinux_policy_name=targeted - - var_selinux_state=enforcing - - grub2_enable_selinux - - sebool_selinuxuser_execheap - - sebool_selinuxuser_execmod - - sebool_selinuxuser_execstack - - selinux_confinement_of_daemons - - selinux_policytype - - selinux_state - - service_kdump_disabled - - sysctl_fs_suid_dumpable - - sysctl_kernel_dmesg_restrict - - sysctl_kernel_exec_shield - - sysctl_kernel_randomize_va_space - - rpm_verify_hashes - - rpm_verify_permissions - - ensure_redhat_gpgkey_installed - - ensure_gpgcheck_globally_activated - - ensure_gpgcheck_never_disabled - - ensure_gpgcheck_local_packages - - grub2_audit_argument - - service_auditd_enabled - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_su - - audit_rules_immutable - - kernel_module_usb-storage_disabled - - service_autofs_disabled - - auditd_audispd_syslog_plugin_activated - - rsyslog_remote_loghost - - auditd_data_retention_flush - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_execution_chcon - - audit_rules_execution_restorecon - - 
audit_rules_execution_semanage - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlinkat - - audit_rules_file_deletion_events_unlink - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - var_accounts_passwords_pam_faillock_dir=run - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_mac_modification - - audit_rules_media_export - - audit_rules_networkconfig_modification - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_postdrop - - audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_userhelper - - audit_rules_session_events - - audit_rules_sysadmin_actions - - audit_rules_system_shutdown - - var_audit_failure_mode=panic - - audit_rules_time_adjtimex - - audit_rules_time_clock_settime - - audit_rules_time_settimeofday - - audit_rules_time_stime - - audit_rules_time_watch_localtime - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow 
- - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow
diff --git a/products/rhel7/profiles/ncp.profile b/products/rhel7/profiles/ncp.profile
deleted file mode 100644
index d7a5b8b5ecd..00000000000
--- a/products/rhel7/profiles/ncp.profile
+++ /dev/null
@@ -1,352 +0,0 @@ -documentation_complete: true - -metadata: - SMEs: - - yuumasato - -title: 'NIST National Checklist Program Security Guide' - -description: |- - This compliance profile reflects the core set of security - related configuration settings for deployment of Red Hat Enterprise - Linux 7.x into U.S. Defense, Intelligence, and Civilian agencies. - Development partners and sponsors include the U.S. National Institute - of Standards and Technology (NIST), U.S. Department of Defense, - the National Security Agency, and Red Hat. - - This baseline implements configuration requirements from the following - sources: - - - Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) - - NIST Controlled Unclassified Information (NIST 800-171) - - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53) - - U.S. Government Configuration Baseline (USGCB) - - NIAP Protection Profile for General Purpose Operating Systems v4.2.1 (OSPP v4.2.1) - - DISA Operating System Security Requirements Guide (OS SRG) - - For any differing configuration requirements, e.g. password lengths, the stricter - security setting was chosen. Security Requirement Traceability Guides (RTMs) and - sample System Security Configuration Guides are provided via the - scap-security-guide-docs package. - - This profile reflects U.S. Government consensus content and is developed through - the OpenSCAP/SCAP Security Guide initiative, championed by the National - Security Agency. Except for differences in formatting to accommodate - publishing processes, this profile mirrors OpenSCAP/SCAP Security Guide - content as minor divergences, such as bugfixes, work through the - consensus and release processes. 
- -extends: ospp - -selections: - - installed_OS_is_vendor_supported - - login_banner_text=usgcb_default - - inactivity_timeout_value=15_minutes - - var_password_pam_minlen=15 - - accounts_password_all_shadowed - - grub2_password - - no_direct_root_logins - - restrict_serial_port_logins - - var_accounts_fail_delay=4 - - var_password_pam_retry=3 - - accounts_logon_fail_delay - - accounts_password_pam_retry - - accounts_passwords_pam_faillock_deny_root - - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled - - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled - - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled - - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled - - sysctl_net_ipv4_tcp_syncookies_value=enabled - - set_firewalld_default_zone - - firewalld_sshd_port_enabled - - sysctl_net_ipv6_conf_all_disable_ipv6 - - sysctl_net_ipv6_conf_all_forwarding - - auditd_audispd_syslog_plugin_activated - - rsyslog_remote_loghost - - var_auditd_action_mail_acct=root - - var_auditd_admin_space_left_action=single - - var_auditd_flush=data - - var_auditd_max_log_file_action=rotate - - var_auditd_max_log_file=6 - - var_auditd_num_logs=5 - - var_auditd_space_left_action=email - - auditd_data_retention_action_mail_acct - - auditd_data_retention_admin_space_left_action - - auditd_data_retention_max_log_file_action - - auditd_data_retention_max_log_file - - auditd_data_retention_num_logs - - auditd_data_retention_space_left_action - - file_permissions_var_log_audit - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - 
audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_execution_chcon - - audit_rules_execution_restorecon - - audit_rules_execution_semanage - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events - - audit_rules_file_deletion_events_unlinkat - - audit_rules_file_deletion_events_unlink - - audit_rules_immutable - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_mac_modification - - audit_rules_media_export - - audit_rules_networkconfig_modification - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_postdrop - - audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_userhelper - - audit_rules_session_events - - audit_rules_sysadmin_actions - - audit_rules_system_shutdown - - var_audit_failure_mode=panic - - audit_rules_time_adjtimex - - audit_rules_time_clock_settime - - audit_rules_time_settimeofday - - audit_rules_time_stime - - audit_rules_time_watch_localtime - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - 
audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - rsyslog_cron_logging - - rsyslog_nolisten - - var_multiple_time_servers=rhel - - chronyd_or_ntpd_specify_remote_server - - chronyd_or_ntpd_specify_multiple_servers - - service_chronyd_or_ntpd_enabled - - security_patches_up_to_date - - wireless_disable_interfaces - - service_bluetooth_disabled - - libreswan_approved_tunnels - - no_rsh_trust_files - - package_rsh_removed - - package_rsh-server_removed - - package_talk_removed - - package_talk-server_removed - - package_telnet_removed - - package_telnet-server_removed - - package_xinetd_removed - - package_ypbind_removed - - package_ypserv_removed - - service_crond_enabled - - service_rexec_disabled - - service_rlogin_disabled - - service_rsh_disabled - - sshd_required=yes - - service_sshd_enabled - - service_telnet_disabled - - service_xinetd_disabled - - service_ypbind_disabled - - service_zebra_disabled - - use_kerberos_security_all_exports - - sshd_allow_only_protocol2 - - sshd_disable_compression - - sshd_do_not_permit_user_env - - sshd_use_priv_separation - - var_accounts_user_umask=077 - - accounts_no_uid_except_zero - - accounts_umask_etc_login_defs - - dir_perms_world_writable_system_owned - - grub2_enable_selinux - - file_groupowner_grub2_cfg - - file_groupowner_cron_allow - - file_owner_cron_allow - - file_ownership_var_log_audit - - file_permissions_grub2_cfg - - file_permissions_sshd_private_key - - file_permissions_sshd_pub_key - - file_permissions_ungroupowned - - file_owner_grub2_cfg - - gid_passwd_group_same - - mount_option_krb_sec_remote_filesystems 
- - mount_option_nodev_remote_filesystems - - mount_option_nodev_removable_partitions - - mount_option_noexec_removable_partitions - - mount_option_nosuid_remote_filesystems - - mount_option_nosuid_removable_partitions - - no_files_unowned_by_user - - rpm_verify_permissions - - sebool_abrt_anon_write - - sebool_abrt_handle_event - - sebool_abrt_upload_watch_anon_write - - sebool_auditadm_exec_content - - sebool_cron_can_relabel - - sebool_cron_system_cronjob_use_shares - - sebool_cron_userdomain_transition - - sebool_daemons_dump_core - - sebool_daemons_use_tcp_wrapper - - sebool_daemons_use_tty - - sebool_deny_execmem - - sebool_deny_ptrace - - sebool_domain_fd_use - - sebool_domain_kernel_load_modules - - sebool_fips_mode - - sebool_gpg_web_anon_write - - sebool_guest_exec_content - - sebool_kerberos_enabled - - sebool_logadm_exec_content - - sebool_logging_syslogd_can_sendmail - - sebool_logging_syslogd_use_tty - - sebool_login_console_enabled - - sebool_mmap_low_allowed - - sebool_mock_enable_homedirs - - sebool_mount_anyfile - - sebool_polyinstantiation_enabled - - sebool_secadm_exec_content - - sebool_secure_mode - - sebool_secure_mode_insmod - - sebool_secure_mode_policyload - - sebool_selinuxuser_direct_dri_enabled - - sebool_selinuxuser_execheap - - sebool_selinuxuser_execmod - - sebool_selinuxuser_execstack - - sebool_selinuxuser_mysql_connect_enabled - - sebool_selinuxuser_ping - - sebool_selinuxuser_postgresql_connect_enabled - - sebool_selinuxuser_rw_noexattrfile - - sebool_selinuxuser_share_music - - sebool_selinuxuser_tcp_server - - sebool_selinuxuser_udp_server - - sebool_selinuxuser_use_ssh_chroot - - sebool_ssh_chroot_rw_homedirs - - sebool_ssh_keysign - - sebool_ssh_sysadm_login - - sebool_staff_exec_content - - sebool_sysadm_exec_content - - sebool_unconfined_login - - sebool_use_ecryptfs_home_dirs - - sebool_user_exec_content - - sebool_xdm_bind_vnc_tcp_port - - sebool_xdm_exec_bootloader - - sebool_xdm_sysadm_login - - sebool_xdm_write_home - 
- sebool_xguest_connect_network - - sebool_xguest_exec_content - - sebool_xguest_mount_media - - sebool_xguest_use_bluetooth - - sebool_xserver_clients_write_xshm - - sebool_xserver_execmem - - sebool_xserver_object_manager - - selinux_all_devicefiles_labeled - - selinux_confinement_of_daemons - - aide_build_database - - aide_periodic_cron_checking - - aide_scan_notification - - aide_use_fips_hashes - - aide_verify_acls - - aide_verify_ext_attributes - - disable_prelink - - install_antivirus - - install_hids - - ldap_client_start_tls - - package_aide_installed - - rpm_verify_hashes - - install_PAE_kernel_on_x86-32 - - sysctl_fs_suid_dumpable - - sysctl_kernel_exec_shield - - sysctl_kernel_randomize_va_space - - var_account_disable_post_pw_expiration=35 - - var_accounts_maximum_age_login_defs=60 - - var_accounts_minimum_age_login_defs=7 - - var_accounts_password_warn_age_login_defs=7 - - var_accounts_tmout=10_min - - var_password_pam_difok=8 - - var_password_pam_minclass=4 - - account_disable_post_pw_expiration - - accounts_maximum_age_login_defs - - accounts_minimum_age_login_defs - - accounts_password_pam_minclass - - accounts_password_warn_age_login_defs - - accounts_tmout - - banner_etc_issue - - display_login_attempts - - set_password_hashing_algorithm_libuserconf - - set_password_hashing_algorithm_logindefs - - set_password_hashing_algorithm_systemauth - - package_opensc_installed - - var_smartcard_drivers=cac - - configure_opensc_nss_db - - configure_opensc_card_drivers - - force_opensc_card_drivers - - package_pcsc-lite_installed - - service_pcscd_enabled - - sssd_enable_smartcards - - sssd_ssh_known_hosts_timeout - - encrypt_partitions - - network_sniffer_disabled - - network_ipv6_disable_rpc - - network_ipv6_privacy_extensions - - dconf_db_up_to_date - - dconf_gnome_banner_enabled - - dconf_gnome_disable_automount - - dconf_gnome_disable_automount_open - - dconf_gnome_disable_autorun - - dconf_gnome_disable_ctrlaltdel_reboot - - 
dconf_gnome_disable_geolocation - - dconf_gnome_disable_restart_shutdown - - dconf_gnome_disable_thumbnailers - - dconf_gnome_disable_user_admin - - dconf_gnome_disable_user_list - - dconf_gnome_disable_wifi_create - - dconf_gnome_disable_wifi_notification - - dconf_gnome_enable_smartcard_auth - - dconf_gnome_login_banner_text - - dconf_gnome_login_retries - - dconf_gnome_remote_access_credential_prompt - - dconf_gnome_remote_access_encryption - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_delay - - dconf_gnome_screensaver_lock_enabled - - dconf_gnome_screensaver_mode_blank - - dconf_gnome_screensaver_user_info - - dconf_gnome_screensaver_user_locks - - dconf_gnome_session_idle_user_locks - - enable_dconf_user_profile - - sshd_enable_x11_forwarding - - gnome_gdm_disable_automatic_login - - gnome_gdm_disable_guest_login - - clean_components_post_updating - - kernel_module_freevxfs_disabled - - kernel_module_hfs_disabled - - kernel_module_hfsplus_disabled - - kernel_module_jffs2_disabled - - kernel_module_squashfs_disabled
diff --git a/products/rhel7/profiles/ospp.profile b/products/rhel7/profiles/ospp.profile
deleted file mode 100644
index b354d2e3aa3..00000000000
--- a/products/rhel7/profiles/ospp.profile
+++ /dev/null
@@ -1,311 +0,0 @@ -documentation_complete: true - -metadata: - version: 4.2.1 - SMEs: - - comps - - stevegrubb - -reference: https://www.niap-ccevs.org/Profile/PP.cfm - -title: 'OSPP - Protection Profile for General Purpose Operating Systems v4.2.1' - -description: |- - This profile reflects mandatory configuration controls identified in the - NIAP Configuration Annex to the Protection Profile for General Purpose - Operating Systems (Protection Profile Version 4.2.1). - - This configuration profile is consistent with CNSSI-1253, which requires - U.S. National Security Systems to adhere to certain configuration - parameters. Accordingly, this configuration profile is suitable for - use in U.S. National Security Systems. - -selections: - - ####################################################### - ### GENERAL REQUIREMENTS - ### Things needed to meet OSPP functional requirements. - ####################################################### - - ### Partitioning - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - ### Services - # sshd - - sshd_disable_root_login - - sshd_enable_strictmodes - - disable_host_auth - - sshd_disable_empty_passwords - - sshd_disable_kerb_auth - - sshd_disable_gssapi_auth - - var_sshd_set_keepalive=0 - - sshd_set_keepalive_0 - - sshd_enable_warning_banner - - sshd_disable_rhosts_rsa - - sshd_use_approved_ciphers - - sshd_use_approved_macs - - # Time Server - - ### Network Settings - - sysctl_net_ipv6_conf_all_accept_ra - - sysctl_net_ipv6_conf_default_accept_ra - - sysctl_net_ipv4_conf_all_accept_redirects - - sysctl_net_ipv4_conf_default_accept_redirects - - sysctl_net_ipv6_conf_all_accept_redirects - - sysctl_net_ipv6_conf_default_accept_redirects - - 
sysctl_net_ipv4_conf_all_accept_source_route - - sysctl_net_ipv4_conf_default_accept_source_route - - sysctl_net_ipv6_conf_all_accept_source_route - - sysctl_net_ipv6_conf_default_accept_source_route - - sysctl_net_ipv4_conf_all_secure_redirects - - sysctl_net_ipv4_conf_default_secure_redirects - - sysctl_net_ipv4_conf_all_send_redirects - - sysctl_net_ipv4_conf_default_send_redirects - - sysctl_net_ipv4_conf_all_log_martians - - sysctl_net_ipv4_conf_default_log_martians - - sysctl_net_ipv4_conf_all_rp_filter - - sysctl_net_ipv4_conf_default_rp_filter - - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - - sysctl_net_ipv4_ip_forward - - sysctl_net_ipv4_tcp_syncookies - - ### systemd - - disable_ctrlaltdel_reboot - - disable_ctrlaltdel_burstaction - - service_debug-shell_disabled - - service_kdump_disabled - - service_autofs_disabled - - ### umask - - accounts_umask_etc_profile - - accounts_umask_etc_bashrc - - accounts_umask_etc_csh_cshrc - - ### Software update - - ensure_redhat_gpgkey_installed - - ensure_gpgcheck_globally_activated - - ensure_gpgcheck_local_packages - - ensure_gpgcheck_never_disabled - - ### Passwords - - var_password_pam_difok=4 - - accounts_password_pam_difok - - var_password_pam_maxrepeat=3 - - accounts_password_pam_maxrepeat - - var_password_pam_maxclassrepeat=4 - - accounts_password_pam_maxclassrepeat - - ### Kernel Config - ## Boot prompt - - package_dracut-fips_installed - - grub2_audit_argument - - grub2_audit_backlog_limit_argument - - grub2_slub_debug_argument - - var_slub_debug_options=P - - grub2_page_poison_argument - - grub2_vsyscall_argument - - ## Security Settings - - sysctl_kernel_kptr_restrict - - sysctl_kernel_dmesg_restrict - - sysctl_kernel_kexec_load_disabled - - sysctl_kernel_yama_ptrace_scope - - ## File System Settings - - sysctl_fs_protected_hardlinks - - sysctl_fs_protected_symlinks - - ### Audit - - service_auditd_enabled - - var_auditd_flush=incremental_async - - 
auditd_data_retention_flush - - ### Misc Audit Configuration - ### (not required in OSPP) - - ### Module Disabled - - kernel_module_usb-storage_disabled - - kernel_module_cramfs_disabled - - kernel_module_bluetooth_disabled - - kernel_module_dccp_disabled - - kernel_module_sctp_disabled - - ### rpcbind - - service_rpcbind_disabled - - ### Install Required Packages - - ### Remove Prohibited Packages - - package_abrt_removed - - ### Login - - disable_users_coredumps - - var_accounts_max_concurrent_login_sessions=10 - - accounts_max_concurrent_login_sessions - - securetty_root_login_console_only - - var_password_pam_unix_remember=5 - - accounts_password_pam_unix_remember - - ### SELinux Configuration - - ### Application Whitelisting (RHEL 8) - - ### Configure SSSD - - ### Configure USBGuard - - ### Enable / Configure FIPS - - grub2_enable_fips_mode - - ####################################################### - ### CONFIGURATION ANNEX TO THE PROTECTION PROFILE - ### FOR GENERAL PURPOSE OPERATING SYSTEMS - ### ANNEX RELEASE 1 - ### FOR PROTECTION PROFILE VERSIONS 4.2 - ### - ### https://www.niap-ccevs.org/MMO/PP/-442ConfigAnnex-/ - ####################################################### - - ## Configure Minimum Password Length to 12 Characters - ## IA-5 (1)(a) / FMT_MOF_EXT.1 - - var_password_pam_minlen=12 - - accounts_password_pam_minlen - - ## Require at Least 1 Special Character in Password - ## IA-5(1)(a) / FMT_MOF_EXT.1 - - var_password_pam_ocredit=1 - - accounts_password_pam_ocredit - - ## Require at Least 1 Numeric Character in Password - ## IA-5(1)(a) / FMT_MOF_EXT.1 - - var_password_pam_dcredit=1 - - accounts_password_pam_dcredit - - ## Require at Least 1 Uppercase Character in Password - ## IA-5(1)(a) / FMT_MOF_EXT.1 - - var_password_pam_ucredit=1 - - accounts_password_pam_ucredit - - ## Require at Least 1 Lowercase Character in Password - ## IA-5(1)(a) / FMT_MOF_EXT.1 - - var_password_pam_lcredit=1 - - accounts_password_pam_lcredit - - ## Enable Screen Lock - 
## FMT_MOF_EXT.1 - - package_screen_installed - - ## Set Screen Lock Timeout Period to 30 Minutes or Less - ## AC-11(a) / FMT_MOF_EXT.1 - - sshd_idle_timeout_value=10_minutes - - sshd_set_idle_timeout - - ## Disable Unauthenticated Login (such as Guest Accounts) - ## FIA_UAU.1 - - require_singleuser_auth - - grub2_disable_interactive_boot - - grub2_uefi_password - - no_empty_passwords - - ## Set Maximum Number of Authentication Failures to 3 Within 15 Minutes - ## AC-7 / FIA_AFL.1 - - var_accounts_passwords_pam_faillock_deny=3 - - accounts_passwords_pam_faillock_deny - - var_accounts_passwords_pam_faillock_fail_interval=900 - - accounts_passwords_pam_faillock_interval - - var_accounts_passwords_pam_faillock_unlock_time=never - - accounts_passwords_pam_faillock_unlock_time - - ## Enable Host-Based Firewall - ## SC-7(12) / FMT_MOF_EXT.1 - - service_firewalld_enabled - - ## Configure Name/Addres of Remote Management Server - ## From Which to Receive Config Settings - ## CM-3(3) / FMT_MOF_EXT.1 - - ## Configure the System to Offload Audit Records to a Log - ## Server - ## AU-4(1) / FAU_GEN.1.1.c - - ## Set Logon Warning Banner - ## AC-8(a) / FMT_MOF_EXT.1 - - ## Audit All Logons (Success/Failure) and Logoffs (Success) - ## CNSSI 1253 Value or DoD-Specific Values: - ## (1) Logons (Success/Failure) - ## (2) Logoffs (Success) - ## AU-2(a) / FAU_GEN.1.1.c - - ## Audit File and Object Events (Unsuccessful) - ## CNSSI 1253 Value or DoD-specific Values: - ## (1) Create (Success/Failure) - ## (2) Access (Success/Failure) - ## (3) Delete (Sucess/Failure) - ## (4) Modify (Success/Failure) - ## (5) Permission Modification (Sucess/Failure) - ## (6) Ownership Modification (Success/Failure) - ## AU-2(a) / FAU_GEN.1.1.c - ## - ## - ## (1) Create (Success/Failure) - ## (open with O_CREAT) - ## (2) Access (Success/Failure) - ## (3) Delete (Success/Failure) - ## (4) Modify (Success/Failure) - ## (5) Permission Modification (Success/Failure) - ## (6) Ownership Modification 
(Success/Failure) - - ## Audit User and Group Management Events (Success/Failure) - ## CNSSI 1253 Value or DoD-specific Values: - ## (1) User add, delete, modify, disable, enable (Success/Failure) - ## (2) Group/Role add, delete, modify (Success/Failure) - ## AU-2(a) / FAU_GEN.1.1.c - ## - ## Generic User and Group Management Events (Success/Failure) - ## Selection of setuid programs that relate to - ## user accounts. - ## - ## CNSSI 1253: (1) User add, delete, modify, disable, enable (Success/Failure) - ## - ## CNSSI 1252: (2) Group/Role add, delete, modify (Success/Failure) - ## - ## Audit Privilege or Role Escalation Events (Success/Failure) - ## CNSSI 1253 Value or DoD-specific Values: - ## - Privilege/Role escalation (Success/Failure) - ## AU-2(a) / FAU_GEN.1.1.c - ## Audit All Audit and Log Data Accesses (Success/Failure) - ## CNSSI 1253 Value or DoD-specific Values: - ## - Audit and log data access (Success/Failure) - ## AU-2(a) / FAU_GEN.1.1.c - ## Audit Cryptographic Verification of Software (Success/Failure) - ## CNSSI 1253 Value or DoD-specific Values: - ## - Applications (e.g. Firefox, Internet Explorer, MS Office Suite, - ## etc) initialization (Success/Failure) - ## AU-2(a) / FAU_GEN.1.1.c - ## Audit Kernel Module Loading and Unloading Events (Success/Failure) - ## AU-2(a) / FAU_GEN.1.1.c - - audit_rules_for_ospp - - - ### SELinux Configuration - - # Ensure SELinux is Enforcing - - var_selinux_state=enforcing - - selinux_state - - # Configure SELinux Policy - - var_selinux_policy_name=targeted - - selinux_policytype
diff --git a/products/rhel7/profiles/pci-dss.profile b/products/rhel7/profiles/pci-dss.profile
deleted file mode 100644
index e260aee86f2..00000000000
--- a/products/rhel7/profiles/pci-dss.profile
+++ /dev/null
@@ -1,57 +0,0 @@ -documentation_complete: true - -metadata: - version: '4.0' - SMEs: - - marcusburghardt - - mab879 - - vojtapolasek - -reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf - -title: 'PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 7' - -description: |- - Payment Card Industry - Data Security Standard (PCI-DSS) is a set of - security standards designed to ensure the secure handling of payment card - data, with the goal of preventing data breaches and protecting sensitive - financial information. - - This profile ensures Red Hat Enterprise Linux 7 is configured in alignment - with PCI-DSS v4.0 requirements. - -selections: - - pcidss_4:all - # More tests are needed to identify which rule is conflicting with rpm_verify_permissions. - # https://github.com/ComplianceAsCode/content/issues/11285 - - '!rpm_verify_permissions' - # these rules do not apply to RHEL but they have to keep the prodtype for historical reasons - - '!package_audit-audispd-plugins_installed' - - '!service_ntp_enabled' - - '!set_ipv6_loopback_traffic' - - '!set_loopback_traffic' - - '!timer_logrotate_enabled' - # Following rules once had a prodtype incompatible with the rhel7 product - - '!sysctl_kernel_core_pattern' - - '!configure_crypto_policy' - - '!mask_nonessential_services' - - '!aide_periodic_checking_systemd_timer' - - '!file_permissions_at_allow' - - '!firewalld_loopback_traffic_restricted' - - '!cracklib_accounts_password_pam_lcredit' - - '!file_owner_at_allow' - - '!ensure_firewall_rules_for_open_ports' - - '!cracklib_accounts_password_pam_retry' - - '!permissions_local_var_log' - - '!accounts_passwords_pam_tally2' - - '!ensure_suse_gpgkey_installed' - - '!gnome_gdm_disable_unattended_automatic_login' - - '!file_groupowner_at_allow' - - '!configure_ssh_crypto_policy' - - '!accounts_passwords_pam_tally2_unlock_time' - - '!enable_authselect' - - '!cracklib_accounts_password_pam_minlen' - - 
'!set_password_hashing_algorithm_commonauth' - - '!cracklib_accounts_password_pam_dcredit' - - '!firewalld_loopback_traffic_trusted' - - '!service_timesyncd_enabled'
diff --git a/products/rhel7/profiles/rhelh-stig.profile b/products/rhel7/profiles/rhelh-stig.profile
deleted file mode 100644
index 13c60bce659..00000000000
--- a/products/rhel7/profiles/rhelh-stig.profile
+++ /dev/null
@@ -1,437 +0,0 @@ -documentation_complete: true - -title: 'RHV hardening based on STIG for Red Hat Enterprise Linux 7' - -description: |- - This profile contains configuration checks for - Red Hat Virtualization based on the - the DISA STIG for Red Hat Enterprise Linux 7. - -selections: - - installed_OS_is_FIPS_certified - - login_banner_text=dod_banners - - inactivity_timeout_value=15_minutes - - var_password_pam_minlen=15 - - accounts_password_pam_minlen - - var_password_pam_ocredit=1 - - accounts_password_pam_ocredit - - var_password_pam_dcredit=1 - - accounts_password_pam_dcredit - - var_password_pam_ucredit=1 - - accounts_password_pam_ucredit - - var_password_pam_lcredit=1 - - accounts_password_pam_lcredit - - package_screen_installed - - sshd_idle_timeout_value=10_minutes - - sshd_set_idle_timeout - - accounts_password_all_shadowed - - grub2_password - - grub2_uefi_password - - grub2_disable_interactive_boot - - no_direct_root_logins - - no_empty_passwords - - require_singleuser_auth - - restrict_serial_port_logins - - securetty_root_login_console_only - - service_debug-shell_disabled - - sshd_disable_empty_passwords - - sshd_disable_root_login - - var_accounts_fail_delay=4 - - var_accounts_passwords_pam_faillock_deny=3 - - var_accounts_passwords_pam_faillock_fail_interval=900 - - var_accounts_passwords_pam_faillock_unlock_time=never - - var_password_pam_retry=3 - - accounts_logon_fail_delay - - accounts_password_pam_retry - - accounts_passwords_pam_faillock_deny_root - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_interval - - accounts_passwords_pam_faillock_unlock_time - - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled - - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled - - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled - - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled - - sysctl_net_ipv4_tcp_syncookies_value=enabled - - service_firewalld_enabled - - set_firewalld_default_zone 
- - firewalld_sshd_port_enabled
- - sysctl_net_ipv6_conf_all_disable_ipv6
- - sysctl_net_ipv4_conf_all_accept_redirects
- - sysctl_net_ipv4_conf_all_accept_source_route
- - sysctl_net_ipv4_conf_all_log_martians
- - sysctl_net_ipv4_conf_all_rp_filter
- - sysctl_net_ipv4_conf_all_secure_redirects
- - sysctl_net_ipv4_conf_all_send_redirects
- - sysctl_net_ipv4_conf_default_accept_redirects
- - sysctl_net_ipv4_conf_default_accept_source_route
- - sysctl_net_ipv4_conf_default_log_martians
- - sysctl_net_ipv4_conf_default_rp_filter
- - sysctl_net_ipv4_conf_default_secure_redirects
- - sysctl_net_ipv4_conf_default_send_redirects
- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- - sysctl_net_ipv4_ip_forward
- - sysctl_net_ipv4_tcp_syncookies
- - sysctl_net_ipv6_conf_all_accept_ra
- - sysctl_net_ipv6_conf_all_accept_redirects
- - sysctl_net_ipv6_conf_all_accept_source_route
- - sysctl_net_ipv6_conf_all_forwarding
- - sysctl_net_ipv6_conf_default_accept_ra
- - sysctl_net_ipv6_conf_default_accept_redirects
- - sysctl_net_ipv6_conf_default_accept_source_route
- - auditd_audispd_syslog_plugin_activated
- - rsyslog_remote_loghost
- - var_auditd_action_mail_acct=root
- - var_auditd_admin_space_left_action=single
- - var_auditd_flush=data
- - var_auditd_max_log_file_action=rotate
- - var_auditd_max_log_file=6
- - var_auditd_num_logs=5
- - var_auditd_space_left_action=email
- - auditd_data_retention_action_mail_acct
- - auditd_data_retention_admin_space_left_action
- - auditd_data_retention_max_log_file_action
- - auditd_data_retention_max_log_file
- - auditd_data_retention_num_logs
- - auditd_data_retention_space_left_action
- - file_permissions_var_log_audit
- - auditd_data_retention_flush
- - audit_rules_dac_modification_chmod
- - audit_rules_dac_modification_chown
- - audit_rules_dac_modification_fchmodat
- - audit_rules_dac_modification_fchmod
- - audit_rules_dac_modification_fchownat
- - audit_rules_dac_modification_fchown
- - audit_rules_dac_modification_fremovexattr
- - audit_rules_dac_modification_fsetxattr
- - audit_rules_dac_modification_lchown
- - audit_rules_dac_modification_lremovexattr
- - audit_rules_dac_modification_lsetxattr
- - audit_rules_dac_modification_removexattr
- - audit_rules_dac_modification_setxattr
- - audit_rules_execution_chcon
- - audit_rules_execution_restorecon
- - audit_rules_execution_semanage
- - audit_rules_execution_setsebool
- - audit_rules_file_deletion_events_renameat
- - audit_rules_file_deletion_events_rename
- - audit_rules_file_deletion_events_rmdir
- - audit_rules_file_deletion_events
- - audit_rules_file_deletion_events_unlinkat
- - audit_rules_file_deletion_events_unlink
- - audit_rules_immutable
- - audit_rules_kernel_module_loading_delete
- - audit_rules_kernel_module_loading_init
- - audit_rules_login_events_faillock
- - var_accounts_passwords_pam_faillock_dir=run
- - audit_rules_login_events_lastlog
- - audit_rules_login_events_tallylog
- - audit_rules_mac_modification
- - audit_rules_media_export
- - audit_rules_networkconfig_modification
- - audit_rules_privileged_commands_chage
- - audit_rules_privileged_commands_chsh
- - audit_rules_privileged_commands_crontab
- - audit_rules_privileged_commands_gpasswd
- - audit_rules_privileged_commands_newgrp
- - audit_rules_privileged_commands_pam_timestamp_check
- - audit_rules_privileged_commands_passwd
- - audit_rules_privileged_commands_postdrop
- - audit_rules_privileged_commands_postqueue
- - audit_rules_privileged_commands
- - audit_rules_privileged_commands_ssh_keysign
- - audit_rules_privileged_commands_sudoedit
- - audit_rules_privileged_commands_sudo
- - audit_rules_privileged_commands_su
- - audit_rules_privileged_commands_umount
- - audit_rules_privileged_commands_unix_chkpwd
- - audit_rules_privileged_commands_userhelper
- - audit_rules_session_events
- - audit_rules_sysadmin_actions
- - audit_rules_system_shutdown
- - var_audit_failure_mode=panic
- - audit_rules_time_adjtimex
- -
audit_rules_time_clock_settime
- - audit_rules_time_settimeofday
- - audit_rules_time_stime
- - audit_rules_time_watch_localtime
- - audit_rules_unsuccessful_file_modification_creat
- - audit_rules_unsuccessful_file_modification_ftruncate
- - audit_rules_unsuccessful_file_modification_openat
- - audit_rules_unsuccessful_file_modification_open_by_handle_at
- - audit_rules_unsuccessful_file_modification_open
- - audit_rules_unsuccessful_file_modification_truncate
- - audit_rules_usergroup_modification_group
- - audit_rules_usergroup_modification_gshadow
- - audit_rules_usergroup_modification_opasswd
- - audit_rules_usergroup_modification_passwd
- - audit_rules_usergroup_modification_shadow
- - grub2_audit_argument
- - rsyslog_cron_logging
- - rsyslog_nolisten
- - service_auditd_enabled
- - var_multiple_time_servers=rhel
- - chronyd_or_ntpd_specify_remote_server
- - chronyd_or_ntpd_specify_multiple_servers
- - service_chronyd_or_ntpd_enabled
- - security_patches_up_to_date
- - wireless_disable_interfaces
- - kernel_module_bluetooth_disabled
- - service_bluetooth_disabled
- - kernel_module_usb-storage_disabled
- - service_autofs_disabled
- - disable_ctrlaltdel_reboot
- - disable_ctrlaltdel_burstaction
- - libreswan_approved_tunnels
- - no_rsh_trust_files
- - package_rsh_removed
- - package_rsh-server_removed
- - package_talk_removed
- - package_talk-server_removed
- - package_telnet_removed
- - package_telnet-server_removed
- - package_xinetd_removed
- - package_ypbind_removed
- - package_ypserv_removed
- - service_crond_enabled
- - service_rexec_disabled
- - service_rlogin_disabled
- - service_rsh_disabled
- - sshd_required=yes
- - service_sshd_enabled
- - service_telnet_disabled
- - service_xinetd_disabled
- - service_ypbind_disabled
- - service_zebra_disabled
- - use_kerberos_security_all_exports
- - disable_host_auth
- - sshd_allow_only_protocol2
- - sshd_disable_compression
- - sshd_disable_gssapi_auth
- - sshd_disable_kerb_auth
- - sshd_disable_rhosts_rsa
- -
sshd_do_not_permit_user_env
- - sshd_enable_strictmodes
- - sshd_enable_warning_banner
- - var_sshd_set_keepalive=0
- - sshd_set_keepalive_0
- - sshd_use_approved_ciphers
- - sshd_use_approved_macs
- - sshd_use_priv_separation
- - var_accounts_user_umask=077
- - var_selinux_policy_name=targeted
- - var_selinux_state=enforcing
- - accounts_no_uid_except_zero
- - accounts_umask_etc_login_defs
- - dir_perms_world_writable_system_owned
- - grub2_enable_selinux
- - file_groupowner_grub2_cfg
- - file_groupowner_cron_allow
- - file_owner_cron_allow
- - file_ownership_var_log_audit
- - file_permissions_grub2_cfg
- - file_permissions_sshd_private_key
- - file_permissions_sshd_pub_key
- - file_permissions_ungroupowned
- - file_owner_grub2_cfg
- - gid_passwd_group_same
- - mount_option_nodev_remote_filesystems
- - mount_option_nodev_removable_partitions
- - mount_option_noexec_removable_partitions
- - mount_option_nosuid_remote_filesystems
- - mount_option_nosuid_removable_partitions
- - no_files_unowned_by_user
- - rpm_verify_permissions
- - sebool_abrt_anon_write
- - sebool_abrt_handle_event
- - sebool_abrt_upload_watch_anon_write
- - sebool_auditadm_exec_content
- - sebool_cron_can_relabel
- - sebool_cron_system_cronjob_use_shares
- - sebool_cron_userdomain_transition
- - sebool_daemons_dump_core
- - sebool_daemons_use_tcp_wrapper
- - sebool_daemons_use_tty
- - sebool_deny_execmem
- - sebool_deny_ptrace
- - sebool_domain_fd_use
- - sebool_domain_kernel_load_modules
- - sebool_fips_mode
- - sebool_gpg_web_anon_write
- - sebool_guest_exec_content
- - sebool_kerberos_enabled
- - sebool_logadm_exec_content
- - sebool_logging_syslogd_can_sendmail
- - sebool_logging_syslogd_use_tty
- - sebool_login_console_enabled
- - sebool_mmap_low_allowed
- - sebool_mock_enable_homedirs
- - sebool_mount_anyfile
- - sebool_polyinstantiation_enabled
- - sebool_secadm_exec_content
- - sebool_secure_mode
- - sebool_secure_mode_insmod
- - sebool_secure_mode_policyload
- -
sebool_selinuxuser_direct_dri_enabled
- - sebool_selinuxuser_execheap
- - sebool_selinuxuser_execmod
- - sebool_selinuxuser_execstack
- - sebool_selinuxuser_mysql_connect_enabled
- - sebool_selinuxuser_ping
- - sebool_selinuxuser_postgresql_connect_enabled
- - sebool_selinuxuser_rw_noexattrfile
- - sebool_selinuxuser_share_music
- - sebool_selinuxuser_tcp_server
- - sebool_selinuxuser_udp_server
- - sebool_selinuxuser_use_ssh_chroot
- - sebool_ssh_chroot_rw_homedirs
- - sebool_ssh_keysign
- - sebool_ssh_sysadm_login
- - sebool_staff_exec_content
- - sebool_sysadm_exec_content
- - sebool_unconfined_login
- - sebool_use_ecryptfs_home_dirs
- - sebool_user_exec_content
- - sebool_xdm_bind_vnc_tcp_port
- - sebool_xdm_exec_bootloader
- - sebool_xdm_sysadm_login
- - sebool_xdm_write_home
- - sebool_xguest_connect_network
- - sebool_xguest_exec_content
- - sebool_xguest_mount_media
- - sebool_xguest_use_bluetooth
- - sebool_xserver_clients_write_xshm
- - sebool_xserver_execmem
- - sebool_xserver_object_manager
- - selinux_all_devicefiles_labeled
- - selinux_confinement_of_daemons
- - selinux_policytype
- - selinux_state
- - aide_build_database
- - aide_periodic_cron_checking
- - aide_scan_notification
- - aide_use_fips_hashes
- - aide_verify_acls
- - aide_verify_ext_attributes
- - disable_prelink
- - grub2_enable_fips_mode
- - install_antivirus
- - install_hids
- - ldap_client_start_tls
- - package_aide_installed
- - package_dracut-fips_installed
- - rpm_verify_hashes
- - install_PAE_kernel_on_x86-32
- - service_kdump_disabled
- - sysctl_fs_suid_dumpable
- - sysctl_kernel_dmesg_restrict
- - sysctl_kernel_exec_shield
- - sysctl_kernel_randomize_va_space
- - var_account_disable_post_pw_expiration=35
- - var_accounts_max_concurrent_login_sessions=10
- - var_accounts_maximum_age_login_defs=60
- - var_accounts_minimum_age_login_defs=7
- - var_accounts_password_warn_age_login_defs=7
- - var_accounts_tmout=10_min
- - var_password_pam_difok=8
- - var_password_pam_maxclassrepeat=4
- - var_password_pam_minclass=4
- - var_password_pam_unix_remember=5
- - account_disable_post_pw_expiration
- - accounts_max_concurrent_login_sessions
- - accounts_maximum_age_login_defs
- - accounts_minimum_age_login_defs
- - accounts_password_pam_difok
- - accounts_password_pam_maxclassrepeat
- - accounts_password_pam_minclass
- - accounts_password_pam_unix_remember
- - accounts_password_warn_age_login_defs
- - accounts_tmout
- - banner_etc_issue
- - display_login_attempts
- - set_password_hashing_algorithm_libuserconf
- - set_password_hashing_algorithm_logindefs
- - set_password_hashing_algorithm_systemauth
- - package_opensc_installed
- - var_smartcard_drivers=cac
- - configure_opensc_nss_db
- - configure_opensc_card_drivers
- - force_opensc_card_drivers
- - package_pcsc-lite_installed
- - service_pcscd_enabled
- - sssd_enable_smartcards
- - sssd_memcache_timeout
- - sssd_offline_cred_expiration
- - sssd_ssh_known_hosts_timeout
- - encrypt_partitions
- - ensure_redhat_gpgkey_installed
- - ensure_gpgcheck_globally_activated
- - ensure_gpgcheck_never_disabled
- - ensure_gpgcheck_local_packages
- - network_sniffer_disabled
- - network_ipv6_disable_rpc
- - network_ipv6_privacy_extensions
- - sshd_enable_x11_forwarding
- - clean_components_post_updating
- - kernel_module_cramfs_disabled
- - kernel_module_dccp_disabled
- - kernel_module_freevxfs_disabled
- - kernel_module_hfs_disabled
- - kernel_module_hfsplus_disabled
- - kernel_module_jffs2_disabled
- - kernel_module_sctp_disabled
- - var_sssd_ssh_known_hosts_timeout=5_minutes
- - var_password_pam_maxrepeat=3
- - var_removable_partition=dev_cdrom
- - var_time_service_set_maxpoll=system_default
- - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
- - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
- - rpm_verify_ownership
- - accounts_password_pam_maxrepeat
- - accounts_password_set_min_life_existing
- - accounts_password_set_max_life_existing
- - sudo_vdsm_nopasswd
- -
sudo_remove_no_authenticate
- - selinux_user_login_roles
- - accounts_user_interactive_home_directory_defined
- - accounts_have_homedir_login_defs
- - accounts_user_interactive_home_directory_exists
- - file_permissions_home_directories
- - file_ownership_home_directories
- - file_groupownership_home_directories
- - accounts_users_home_files_ownership
- - accounts_users_home_files_groupownership
- - accounts_users_home_files_permissions
- - accounts_user_dot_user_ownership
- - accounts_user_dot_group_ownership
- - file_permission_user_init_files
- - accounts_user_home_paths_only
- - accounts_user_dot_no_world_writable_programs
- - mount_option_home_nosuid
- - accounts_umask_interactive_users
- - partition_for_home
- - partition_for_var
- - partition_for_var_log_audit
- - partition_for_tmp
- - grub2_no_removeable_media
- - auditd_audispd_configure_remote_server
- - auditd_audispd_encrypt_sent_records
- - auditd_audispd_disk_full_action
- - auditd_data_retention_space_left
- - audit_rules_execution_setfiles
- - audit_rules_kernel_module_loading_finit
- - configure_firewalld_ports
- - package_openssh-server_installed
- - sshd_print_last_log
- - chronyd_or_ntpd_set_maxpoll
- - no_user_host_based_files
- - no_host_based_files
- - network_configure_name_resolution
- - package_vsftpd_removed
- - package_tftp-server_removed
- - tftpd_uses_secure_mode
- - package_xorg-x11-server-common_removed
- - sssd_enable_pam_services
- - mount_option_noexec_remote_filesystems
- - auditd_audispd_network_failure_action
- - package_gdm_removed
diff --git a/products/rhel7/profiles/rhelh-vpp.profile b/products/rhel7/profiles/rhelh-vpp.profile
deleted file mode 100644
index 6d59c0c3d5a..00000000000
--- a/products/rhel7/profiles/rhelh-vpp.profile
+++ /dev/null
@@ -1,216 +0,0 @@ -documentation_complete: true - -title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization' - -description: |- - This compliance profile reflects the core set of security - related configuration settings for deployment of Red Hat Enterprise - Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelligence, and Civilian agencies. - Development partners and sponsors include the U.S. National Institute - of Standards and Technology (NIST), U.S. Department of Defense, - the National Security Agency, and Red Hat. - - This baseline implements configuration requirements from the following - sources: - - - Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) - - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53) - - U.S. Government Configuration Baseline (USGCB) - - NIAP Protection Profile for Virtualization v1.0 (VPP v1.0) - - For any differing configuration requirements, e.g. password lengths, the stricter - security setting was chosen. Security Requirement Traceability Guides (RTMs) and - sample System Security Configuration Guides are provided via the - scap-security-guide-docs package. - - This profile reflects U.S. Government consensus content and is developed through - the ComplianceAsCode project, championed by the National - Security Agency. Except for differences in formatting to accommodate - publishing processes, this profile mirrors ComplianceAsCode - content as minor divergences, such as bugfixes, work through the - consensus and release processes. 
- -selections: - - installed_OS_is_vendor_supported - - # AC-2 - - service_auditd_enabled - - # AC-3 - - selinux_state - - grub2_enable_selinux - - selinux_policytype - - grub2_password - - grub2_uefi_password - - grub2_disable_interactive_boot - - # AC-7(a) - - var_accounts_passwords_pam_faillock_deny=3 - - accounts_passwords_pam_faillock_deny - - var_accounts_passwords_pam_faillock_fail_interval=900 - - accounts_passwords_pam_faillock_interval - - accounts_passwords_pam_faillock_deny_root - - # AC-7(b) - - var_accounts_passwords_pam_faillock_unlock_time=never - - accounts_passwords_pam_faillock_unlock_time - - # AC-8 - - banner_etc_issue - - # AC-17(a) - - file_permissions_sshd_private_key - - file_permissions_sshd_pub_key - - disable_host_auth - - sshd_allow_only_protocol2 - - sshd_disable_compression - - sshd_disable_gssapi_auth - - sshd_disable_kerb_auth - - sshd_disable_rhosts_rsa - - sshd_disable_root_login - - sshd_do_not_permit_user_env - - sshd_enable_strictmodes - - sshd_enable_warning_banner - - sshd_print_last_log - - sshd_set_idle_timeout - - var_sshd_set_keepalive=0 - - sshd_set_keepalive_0 - - sshd_set_loglevel_info - - sshd_use_approved_ciphers - - sshd_use_approved_macs - - sshd_use_priv_separation - - sshd_disable_empty_passwords - - # AU -5(b) - - audit_rules_system_shutdown - - var_audit_failure_mode=panic - - # AU-9 - - file_permissions_var_log_audit - - file_ownership_var_log_audit - - rpm_verify_permissions - - rpm_verify_ownership - - rpm_verify_hashes - - # AU-12 - - grub2_audit_argument - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_shadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_privileged_commands - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_fchmod 
- - audit_rules_dac_modification_fchmodat
- - audit_rules_dac_modification_setxattr
- - audit_rules_dac_modification_fsetxattr
- - audit_rules_dac_modification_lsetxattr
- - audit_rules_dac_modification_removexattr
- - audit_rules_dac_modification_fremovexattr
- - audit_rules_dac_modification_lremovexattr
- - audit_rules_unsuccessful_file_modification_creat
- - audit_rules_unsuccessful_file_modification_open
- - audit_rules_unsuccessful_file_modification_openat
- - audit_rules_unsuccessful_file_modification_open_by_handle_at
- - audit_rules_unsuccessful_file_modification_truncate
- - audit_rules_unsuccessful_file_modification_ftruncate
- - audit_rules_execution_semanage
- - audit_rules_execution_setsebool
- - audit_rules_execution_chcon
- - audit_rules_execution_setfiles
- - audit_rules_login_events_tallylog
- - audit_rules_login_events_faillock
- - var_accounts_passwords_pam_faillock_dir=run
- - audit_rules_login_events_lastlog
- - audit_rules_privileged_commands_passwd
- - audit_rules_privileged_commands_unix_chkpwd
- - audit_rules_privileged_commands_gpasswd
- - audit_rules_privileged_commands_chage
- - audit_rules_privileged_commands_userhelper
- - audit_rules_privileged_commands_su
- - audit_rules_privileged_commands_sudo
- - audit_rules_sysadmin_actions
- - audit_rules_privileged_commands_newgrp
- - audit_rules_privileged_commands_chsh
- - audit_rules_privileged_commands_sudoedit
- - audit_rules_media_export
- - audit_rules_privileged_commands_umount
- - audit_rules_privileged_commands_postdrop
- - audit_rules_privileged_commands_postqueue
- - audit_rules_privileged_commands_ssh_keysign
- - audit_rules_privileged_commands_crontab
- - audit_rules_privileged_commands_pam_timestamp_check
- - audit_rules_kernel_module_loading_init
- - audit_rules_kernel_module_loading_finit
- - audit_rules_kernel_module_loading_delete
- - audit_rules_usergroup_modification_passwd
- - audit_rules_file_deletion_events_rename
- - audit_rules_file_deletion_events_renameat
- -
audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - # CM-11 - - ensure_gpgcheck_never_disabled - - ensure_redhat_gpgkey_installed - - ensure_gpgcheck_globally_activated - - ensure_gpgcheck_local_packages - - clean_components_post_updating - - # IA-2 - - require_singleuser_auth - - accounts_no_uid_except_zero - - no_direct_root_logins - - no_password_auth_for_systemaccounts - - restrict_serial_port_logins - - securetty_root_login_console_only - - # IA-2 (1) - - package_opensc_installed - - var_smartcard_drivers=cac - - configure_opensc_nss_db - - configure_opensc_card_drivers - - force_opensc_card_drivers - - package_pcsc-lite_installed - - service_pcscd_enabled - - sssd_enable_smartcards - - # IA-4 - - account_disable_post_pw_expiration - - # IA-5 (1) - - accounts_password_pam_dcredit - - accounts_password_pam_difok - - accounts_password_pam_maxclassrepeat - - accounts_password_pam_maxrepeat - - accounts_password_pam_minlen - - accounts_password_pam_ocredit - - accounts_password_pam_ucredit - - accounts_password_pam_lcredit - - accounts_maximum_age_login_defs - - accounts_minimum_age_login_defs - - accounts_password_pam_unix_remember - - set_password_hashing_algorithm_logindefs - - set_password_hashing_algorithm_systemauth - - set_password_hashing_algorithm_libuserconf - - no_empty_passwords - - # IA-7 - - installed_OS_is_FIPS_certified - - grub2_enable_fips_mode - - # MP-7 - - kernel_module_usb-storage_disabled - - kernel_module_bluetooth_disabled - - service_bluetooth_disabled - - # SC-39 - - sysctl_kernel_exec_shield - - sysctl_kernel_kptr_restrict - - sysctl_kernel_randomize_va_space - - selinux_confinement_of_daemons - - sebool_fips_mode diff --git a/products/rhel7/profiles/rht-ccp.profile b/products/rhel7/profiles/rht-ccp.profile deleted file mode 100644 index a246d5a0948..00000000000 --- a/products/rhel7/profiles/rht-ccp.profile +++ /dev/null 
@@ -1,95 +0,0 @@ -documentation_complete: true - -title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' - -description: |- - This profile contains the minimum security relevant - configuration settings recommended by Red Hat, Inc for - Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified - Cloud Providers. - -selections: - - var_selinux_state=enforcing - - var_selinux_policy_name=targeted - - sshd_idle_timeout_value=5_minutes - - var_accounts_minimum_age_login_defs=7 - - var_accounts_passwords_pam_faillock_deny=5 - - var_accounts_password_warn_age_login_defs=7 - - var_password_pam_retry=3 - - var_password_pam_dcredit=1 - - var_password_pam_ucredit=2 - - var_password_pam_ocredit=2 - - var_password_pam_lcredit=2 - - var_password_pam_difok=3 - - var_password_pam_unix_remember=5 - - var_accounts_user_umask=077 - - login_banner_text=usgcb_default - - partition_for_tmp - - partition_for_var - - partition_for_var_log - - partition_for_var_log_audit - - selinux_state - - selinux_policytype - - ensure_redhat_gpgkey_installed - - security_patches_up_to_date - - ensure_gpgcheck_globally_activated - - ensure_gpgcheck_never_disabled - - package_aide_installed - - accounts_password_pam_unix_remember - - no_shelllogin_for_systemaccounts - - no_empty_passwords - - accounts_password_all_shadowed - - accounts_no_uid_except_zero - - accounts_minimum_age_login_defs - - accounts_password_warn_age_login_defs - - accounts_password_pam_retry - - accounts_password_pam_dcredit - - accounts_password_pam_ucredit - - accounts_password_pam_ocredit - - accounts_password_pam_lcredit - - accounts_password_pam_difok - - accounts_passwords_pam_faillock_deny - - set_password_hashing_algorithm_systemauth - - set_password_hashing_algorithm_logindefs - - set_password_hashing_algorithm_libuserconf - - require_singleuser_auth - - file_owner_etc_shadow - - file_groupowner_etc_shadow - - file_permissions_etc_shadow - - file_owner_etc_gshadow - - file_groupowner_etc_gshadow 
- - file_permissions_etc_gshadow
- - file_owner_etc_passwd
- - file_groupowner_etc_passwd
- - file_permissions_etc_passwd
- - file_owner_etc_group
- - file_groupowner_etc_group
- - file_permissions_etc_group
- - file_permissions_library_dirs
- - file_ownership_library_dirs
- - file_permissions_binary_dirs
- - file_ownership_binary_dirs
- - file_permissions_var_log_audit
- - file_owner_grub2_cfg
- - file_groupowner_grub2_cfg
- - file_permissions_grub2_cfg
- - grub2_password
- - kernel_module_dccp_disabled
- - kernel_module_sctp_disabled
- - service_firewalld_enabled
- - set_firewalld_default_zone
- - firewalld_sshd_port_enabled
- - service_abrtd_disabled
- - service_telnet_disabled
- - package_telnet-server_removed
- - package_telnet_removed
- - sshd_allow_only_protocol2
- - sshd_set_idle_timeout
- - var_sshd_set_keepalive=0
- - sshd_set_keepalive_0
- - disable_host_auth
- - sshd_disable_root_login
- - sshd_disable_empty_passwords
- - sshd_enable_warning_banner
- - sshd_do_not_permit_user_env
- - sshd_use_approved_ciphers
diff --git a/products/rhel7/profiles/standard.profile b/products/rhel7/profiles/standard.profile
deleted file mode 100644
index ad5a791174e..00000000000
--- a/products/rhel7/profiles/standard.profile
+++ /dev/null
@@ -1,84 +0,0 @@ -documentation_complete: true - -title: 'Standard System Security Profile for Red Hat Enterprise Linux 7' - -description: |- - This profile contains rules to ensure standard security baseline - of a Red Hat Enterprise Linux 7 system. Regardless of your system's workload - all of these checks should pass. - -selections: - - ensure_redhat_gpgkey_installed - - ensure_gpgcheck_globally_activated - - rpm_verify_permissions - - rpm_verify_hashes - - security_patches_up_to_date - - no_empty_passwords - - file_groupowner_etc_group - - file_owner_etc_group - - file_permissions_etc_group - - file_groupowner_etc_passwd - - file_owner_etc_passwd - - file_permissions_etc_passwd - - file_groupowner_etc_shadow - - file_owner_etc_shadow - - file_permissions_etc_shadow - - file_permissions_unauthorized_sgid - - file_permissions_unauthorized_suid - - file_permissions_unauthorized_world_writable - - accounts_root_path_dirs_no_write - - dir_perms_world_writable_sticky_bits - - mount_option_dev_shm_nodev - - mount_option_dev_shm_nosuid - - partition_for_var_log - - partition_for_var_log_audit - - package_rsyslog_installed - - service_rsyslog_enabled - - audit_rules_time_adjtimex - - audit_rules_time_settimeofday - - audit_rules_time_stime - - audit_rules_time_clock_settime - - audit_rules_time_watch_localtime - - audit_rules_usergroup_modification - - audit_rules_networkconfig_modification - - audit_rules_mac_modification - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - 
audit_rules_unsuccessful_file_modification
- - audit_rules_privileged_commands
- - audit_rules_media_export
- - audit_rules_file_deletion_events
- - audit_rules_sysadmin_actions
- - audit_rules_kernel_module_loading
- - service_abrtd_disabled
- - service_atd_disabled
- - service_autofs_disabled
- - service_ntpdate_disabled
- - service_oddjobd_disabled
- - service_qpidd_disabled
- - service_rdisc_disabled
- - service_auditd_enabled
- - gid_passwd_group_same
- - file_groupowner_grub2_cfg
- - file_owner_grub2_cfg
- - file_permissions_grub2_cfg
- - file_groupowner_efi_grub2_cfg
- - file_owner_efi_grub2_cfg
- - file_permissions_efi_grub2_cfg
- - file_groupowner_efi_user_cfg
- - file_groupowner_user_cfg
- - file_owner_efi_user_cfg
- - file_owner_user_cfg
- - file_permissions_efi_user_cfg
- - file_permissions_user_cfg
diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
deleted file mode 100644
index 08b9402fe83..00000000000
--- a/products/rhel7/profiles/stig.profile
+++ /dev/null
@@ -1,354 +0,0 @@ -documentation_complete: true - -metadata: - version: V3R14 - SMEs: - - ggbecker - -reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux - -title: 'DISA STIG for Red Hat Enterprise Linux 7' - -description: |- - This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux V3R14. - - In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this - configuration baseline as applicable to the operating system tier of - Red Hat technologies that are based on Red Hat Enterprise Linux 7, such as: - - - Red Hat Enterprise Linux Server - - Red Hat Enterprise Linux Workstation and Desktop - - Red Hat Enterprise Linux for HPC - - Red Hat Storage - - Red Hat Containers with a Red Hat Enterprise Linux 7 image - -selections: - - login_banner_text=dod_banners - - inactivity_timeout_value=15_minutes - - var_screensaver_lock_delay=5_seconds - - sshd_idle_timeout_value=10_minutes - - var_accounts_fail_delay=4 - - var_selinux_state=enforcing - - var_selinux_policy_name=targeted - - var_password_pam_minlen=15 - - var_password_pam_ocredit=1 - - var_password_pam_lcredit=1 - - var_password_pam_ucredit=1 - - var_accounts_passwords_pam_faillock_unlock_time=never - - var_accounts_passwords_pam_faillock_fail_interval=900 - - var_accounts_passwords_pam_faillock_deny=3 - - var_password_pam_unix_remember=5 - - var_password_pam_maxclassrepeat=4 - - var_password_pam_difok=8 - - var_password_pam_dcredit=1 - - var_password_pam_minclass=4 - - var_accounts_minimum_age_login_defs=1 - - var_password_pam_maxrepeat=3 - - var_accounts_maximum_age_login_defs=60 - - var_account_disable_post_pw_expiration=35 - - var_removable_partition=dev_cdrom - - var_auditd_action_mail_acct=root - - var_auditd_space_left_action=email - - var_auditd_space_left_percentage=25pc - - var_accounts_user_umask=077 - - var_password_pam_retry=3 - - var_accounts_max_concurrent_login_sessions=10 - - 
var_accounts_tmout=15_min - - var_accounts_authorized_local_users_regex=rhel7 - - var_time_service_set_maxpoll=18_hours - - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled - - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled - - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled - - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled - - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled - - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled - - rpm_verify_permissions - - rpm_verify_ownership - - rpm_verify_hashes - - dconf_db_up_to_date - - dconf_gnome_banner_enabled - - dconf_gnome_login_banner_text - - banner_etc_issue - - dconf_gnome_screensaver_lock_enabled - - dconf_gnome_screensaver_lock_locked - - dconf_gnome_enable_smartcard_auth - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_idle_activation_locked - - dconf_gnome_screensaver_lock_delay - - dconf_gnome_disable_ctrlaltdel_reboot - - dconf_gnome_disable_automount - - dconf_gnome_disable_automount_open - - dconf_gnome_disable_autorun - - accounts_password_pam_ucredit - - accounts_password_pam_lcredit - - accounts_password_pam_dcredit - - accounts_password_pam_ocredit - - accounts_password_pam_difok - - accounts_password_pam_minclass - - accounts_password_pam_maxrepeat - - accounts_password_pam_maxclassrepeat - - set_password_hashing_algorithm_systemauth - - set_password_hashing_algorithm_passwordauth - - set_password_hashing_algorithm_logindefs - - set_password_hashing_algorithm_libuserconf - - accounts_minimum_age_login_defs - - accounts_password_set_min_life_existing - - accounts_maximum_age_login_defs - - accounts_password_set_max_life_existing - - accounts_password_pam_pwhistory_remember_password_auth - - accounts_password_pam_pwhistory_remember_system_auth - - accounts_password_pam_minlen - - no_empty_passwords - - sshd_disable_empty_passwords - - 
account_disable_post_pw_expiration - - accounts_passwords_pam_faillock_unlock_time - - accounts_passwords_pam_faillock_interval - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_deny_root - - sudo_remove_nopasswd - - sudo_restrict_privilege_elevation_to_authorized - - sudo_remove_no_authenticate - - sudo_require_reauthentication - - sudoers_validate_passwd - - accounts_logon_fail_delay - - gnome_gdm_disable_automatic_login - - gnome_gdm_disable_guest_login - - sshd_do_not_permit_user_env - - disable_host_auth - - grub2_admin_username - - grub2_password - - require_singleuser_auth - - grub2_uefi_admin_username - - grub2_uefi_password - - smartcard_auth - - package_rsh-server_removed - - package_ypserv_removed - - selinux_user_login_roles - - package_aide_installed - - aide_build_database - - aide_periodic_cron_checking - - aide_scan_notification - - ensure_gpgcheck_globally_activated - - ensure_gpgcheck_local_packages - - kernel_module_usb-storage_disabled - - kernel_module_dccp_disabled - - service_autofs_disabled - - clean_components_post_updating - - selinux_state - - selinux_policytype - - disable_ctrlaltdel_reboot - - accounts_umask_etc_login_defs - - installed_OS_is_vendor_supported - - security_patches_up_to_date - - gid_passwd_group_same - - accounts_no_uid_except_zero - - no_files_unowned_by_user - - file_permissions_ungroupowned - - accounts_have_homedir_login_defs - - accounts_user_interactive_home_directory_exists - - file_permissions_home_directories - - file_ownership_home_directories - - file_groupownership_home_directories - - accounts_users_home_files_ownership - - accounts_users_home_files_groupownership - - accounts_users_home_files_permissions - - accounts_user_dot_user_ownership - - accounts_user_dot_group_ownership - - file_permission_user_init_files - - accounts_user_home_paths_only - - accounts_user_dot_no_world_writable_programs - - selinux_all_devicefiles_labeled - - mount_option_home_nosuid - - 
mount_option_nosuid_removable_partitions - - mount_option_nosuid_remote_filesystems - - dir_perms_world_writable_system_owned - - dir_perms_world_writable_system_owned_group - - accounts_umask_interactive_users - - rsyslog_cron_logging - - file_owner_cron_allow - - file_groupowner_cron_allow - - service_kdump_disabled - - partition_for_home - - partition_for_var - - partition_for_var_log_audit - - partition_for_tmp - - grub2_enable_fips_mode - - aide_verify_acls - - aide_verify_ext_attributes - - aide_use_fips_hashes - - grub2_no_removeable_media - - uefi_no_removeable_media - - package_telnet-server_removed - - service_auditd_enabled - - audit_rules_system_shutdown - - var_audit_failure_mode=panic - - auditd_audispd_configure_remote_server - - auditd_audispd_encrypt_sent_records - - auditd_audispd_disk_full_action - - auditd_audispd_remote_daemon_activated - - auditd_audispd_remote_daemon_direction - - auditd_audispd_remote_daemon_path - - auditd_audispd_remote_daemon_type - - auditd_data_retention_space_left_action - - auditd_data_retention_space_left_percentage - - auditd_data_retention_action_mail_acct - - audit_rules_suid_privilege_function - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_lremovexattr - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_truncate - - 
audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_execution_semanage - - audit_rules_execution_setsebool - - audit_rules_execution_chcon - - audit_rules_execution_setfiles - - audit_rules_login_events_faillock - - var_accounts_passwords_pam_faillock_dir=run - - audit_rules_login_events_lastlog - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_sysadmin_actions - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_chsh - - audit_rules_media_export - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_postdrop - - audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_kernel_module_loading_init - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_delete - - audit_rules_usergroup_modification_passwd - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - rsyslog_remote_loghost - - rsyslog_nolisten - - install_antivirus - - accounts_max_concurrent_login_sessions - - configure_firewalld_ports - - sshd_use_approved_ciphers_ordered_stig - - sshd_use_approved_kex_ordered_stig - - accounts_tmout - - sshd_enable_warning_banner - - sssd_ldap_start_tls - - sssd_ldap_start_tls.severity=medium - - sssd_ldap_configure_tls_ca - - sssd_ldap_configure_tls_reqcert - - sysctl_kernel_randomize_va_space - - package_openssh-server_installed - - sshd_required=yes - - 
service_sshd_enabled - - sshd_set_idle_timeout - - sshd_disable_rhosts - - sshd_disable_rhosts_rsa - - var_sshd_set_keepalive=0 - - sshd_set_keepalive_0 - - sshd_print_last_log - - sshd_disable_root_login - - sshd_allow_only_protocol2 - - sshd_use_approved_macs_ordered_stig - - file_permissions_sshd_pub_key - - file_permissions_sshd_private_key - - sshd_disable_gssapi_auth - - sshd_disable_kerb_auth - - sshd_enable_strictmodes - - sshd_use_priv_separation - - sshd_disable_compression - - sshd_disable_user_known_hosts - - chronyd_or_ntpd_set_maxpoll - - service_firewalld_enabled - - display_login_attempts - - no_user_host_based_files - - no_host_based_files - - network_configure_name_resolution - - sysctl_net_ipv4_conf_all_accept_source_route - - sysctl_net_ipv4_conf_default_accept_source_route - - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - - sysctl_net_ipv4_conf_default_accept_redirects - - sysctl_net_ipv4_conf_default_send_redirects - - sysctl_net_ipv4_conf_all_send_redirects - - network_sniffer_disabled - - postfix_prevent_unrestricted_relay - - package_vsftpd_removed - - package_tftp-server_removed - - sshd_disable_x11_forwarding - - sshd_x11_use_localhost - - tftpd_uses_secure_mode - - xwindows_remove_packages - - sysctl_net_ipv4_ip_forward - - mount_option_krb_sec_remote_filesystems - - snmpd_not_default_password - - set_firewalld_default_zone - - libreswan_approved_tunnels - - sysctl_net_ipv6_conf_all_accept_source_route - - install_smartcard_packages - - sssd_enable_pam_services - - smartcard_configure_cert_checking - - dconf_gnome_screensaver_user_locks - - dconf_gnome_session_idle_user_locks - - accounts_password_pam_retry - - mount_option_noexec_remote_filesystems - - auditd_audispd_network_failure_action - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_shadow - - audit_rules_usergroup_modification_opasswd - - sysctl_net_ipv4_conf_all_accept_redirects - - 
wireless_disable_interfaces - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - audit_rules_privileged_commands_mount - - file_ownership_var_log_audit - - file_permissions_var_log_audit - - sysctl_net_ipv4_conf_all_rp_filter - - sysctl_net_ipv4_conf_default_rp_filter - - package_mcafeetp_installed - - agent_mfetpd_running - - accounts_authorized_local_users - - auditd_overflow_action - - auditd_name_format - - var_auditd_name_format=stig - - sebool_ssh_sysadm_login - - sudoers_default_includedir - - package_aide_installed - - selinux_context_elevation_for_sudo - - audit_rules_kernel_module_loading_create - - account_temp_expire_date - - package_screen_installed - - sysctl_kernel_dmesg_restrict - - aide_build_database - - authconfig_config_files_symlinks - - no_empty_passwords_etc_shadow - - disallow_bypass_password_sudo - - selinux_confine_to_least_privilege - - ensure_redhat_gpgkey_installed - - dconf_gnome_disable_user_list - - package_mailx_installed diff --git a/products/rhel7/profiles/stig_gui.profile b/products/rhel7/profiles/stig_gui.profile deleted file mode 100644 index dff11ae3bab..00000000000 --- a/products/rhel7/profiles/stig_gui.profile +++ /dev/null 
@@ -1,35 +0,0 @@ -documentation_complete: true - -metadata: - version: V3R14 - SMEs: - - ggbecker - -reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux - -title: 'DISA STIG with GUI for Red Hat Enterprise Linux 7' - -description: |- - This profile contains configuration checks that align to the - DISA STIG with GUI for Red Hat Enterprise Linux V3R14. - - In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this - configuration baseline as applicable to the operating system tier of - Red Hat technologies that are based on Red Hat Enterprise Linux 7, such as: - - - Red Hat Enterprise Linux Server - - Red Hat Enterprise Linux Workstation and Desktop - - Red Hat Enterprise Linux for HPC - - Red Hat Storage - - Red Hat Containers with a Red Hat Enterprise Linux 7 image - - Warning: The installation and use of a Graphical User Interface (GUI) - increases your attack vector and decreases your overall security posture. If - your Information Systems Security Officer (ISSO) lacks a documented operational - requirement for a graphical user interface, please consider using the - standard DISA STIG for Red Hat Enterprise Linux 7 profile. - -extends: stig - -selections: - - '!xwindows_remove_packages' diff --git a/products/rhel7/transforms/constants.xslt b/products/rhel7/transforms/constants.xslt deleted file mode 100644 index c767d118d48..00000000000 --- a/products/rhel7/transforms/constants.xslt +++ /dev/null @@ -1,15 +0,0 @@ - - - - -Red Hat Enterprise Linux 7 -RHEL 7 -RHEL_7_STIG -rhel7 - - - -https://www.cisecurity.org/benchmark/red_hat_linux/ - - - diff --git a/products/rhel7/transforms/table-style.xslt b/products/rhel7/transforms/table-style.xslt deleted file mode 100644 index 8b6caeab8cd..00000000000 --- a/products/rhel7/transforms/table-style.xslt +++ /dev/null @@ -1,5 +0,0 @@ - - - - - 
diff --git a/products/rhel7/transforms/xccdf-apply-overlay-stig.xslt b/products/rhel7/transforms/xccdf-apply-overlay-stig.xslt deleted file mode 100644 index 4789419b80a..00000000000 --- a/products/rhel7/transforms/xccdf-apply-overlay-stig.xslt +++ /dev/null @@ -1,8 +0,0 @@ - - - - - - - - diff --git a/products/rhel7/transforms/xccdf2table-cce.xslt b/products/rhel7/transforms/xccdf2table-cce.xslt deleted file mode 100644 index f156a669566..00000000000 --- a/products/rhel7/transforms/xccdf2table-cce.xslt +++ /dev/null @@ -1,9 +0,0 @@ - - - - - - - - - diff --git a/products/rhel7/transforms/xccdf2table-profileccirefs.xslt b/products/rhel7/transforms/xccdf2table-profileccirefs.xslt deleted file mode 100644 index 30419e92b28..00000000000 --- a/products/rhel7/transforms/xccdf2table-profileccirefs.xslt +++ /dev/null @@ -1,9 +0,0 @@ - - - - - - - - - diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 77f3ff57b4c..71cce48024a 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -58,7 +58,7 @@ present in %{name} package. %define centos_8_specific %{nil} %if 0%{?_rhel_like} -%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{_rhel_like}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON +%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{_rhel_like}:BOOLEAN=TRUE -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON %endif %if 0%{?fedora} %define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_FEDORA:BOOLEAN=TRUE diff --git a/shared/applicability/centos7.yml b/shared/applicability/centos7.yml deleted file mode 100644 index 7d16a381683..00000000000 --- a/shared/applicability/centos7.yml +++ /dev/null @@ -1,3 +0,0 @@ -name: cpe:/o:centos:centos:7 -title: CentOS 7 -check_id: installed_OS_is_centos7 
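Review bot: The new `cmake_defines_specific` line drops `-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF`, which is only safe if the CMake option itself goes away in the CMakeLists.txt change that is not visible in this part of the diff; if the option survives with a default other than OFF, RHEL-like package builds would silently change what they produce. Please confirm that CMakeLists.txt no longer declares that option, or keep the explicit `OFF` until it is removed. The `%if 0%{?_rhel_like}` block is fully contained in the hunk.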
diff --git a/shared/applicability/oval/installed_app_is_rhv4.xml b/shared/applicability/oval/installed_app_is_rhv4.xml index ac3c616e114..b55f5fb7eb6 100644 --- a/shared/applicability/oval/installed_app_is_rhv4.xml +++ b/shared/applicability/oval/installed_app_is_rhv4.xml @@ -12,7 +12,6 @@ Red Hat Virtualization 4. - diff --git a/shared/applicability/sl7.yml b/shared/applicability/sl7.yml deleted file mode 100644 index 76f0a1374ff..00000000000 --- a/shared/applicability/sl7.yml +++ /dev/null @@ -1,3 +0,0 @@ -name: cpe:/o:scientificlinux:scientificlinux:7 -title: Scientific Linux 7 -check_id: installed_OS_is_sl7 diff --git a/shared/checks/oval/installed_OS_is_centos7.xml b/shared/checks/oval/installed_OS_is_centos7.xml deleted file mode 100644 index 6ce9ed02f82..00000000000 --- a/shared/checks/oval/installed_OS_is_centos7.xml +++ /dev/null @@ -1,33 +0,0 @@ - - - - CentOS 7 - - multi_platform_all - - - The operating system installed on the system is - CentOS 7 - - - - - - - - - - - - - ^7.*$ - - - centos-release - - - diff --git a/shared/checks/oval/installed_OS_is_rhel7.xml b/shared/checks/oval/installed_OS_is_rhel7.xml deleted file mode 100644 index 126150c7db1..00000000000 --- a/shared/checks/oval/installed_OS_is_rhel7.xml +++ /dev/null @@ -1,96 +0,0 @@ - - - - Red Hat Enterprise Linux 7 - - multi_platform_all - - - The operating system installed on the system is - Red Hat Enterprise Linux 7 - - - - - - - - - - - - - - - - - - - - - - unix - - - - - - - - - ^7.*$ - - - redhat-release-client - - - - - - - - ^7.*$ - - - redhat-release-workstation - - - - - - - - ^7.*$ - - - redhat-release-server - - - - - - - - ^7.*$ - - - redhat-release-computenode - - - - - - - - /etc/redhat-release - ^Red Hat Enterprise Linux release (\d)\.\d+$ - 1 - - - 7 - - - diff --git a/shared/checks/oval/installed_OS_is_sl7.xml b/shared/checks/oval/installed_OS_is_sl7.xml deleted file mode 100644 index da5524eb015..00000000000 --- a/shared/checks/oval/installed_OS_is_sl7.xml +++ /dev/null 
@@ -1,35 +0,0 @@ - - - - Scientific Linux 7 - - multi_platform_all - - - The operating system installed on the system is - Scientific Linux 7 - - - - - - - - - - - - - - ^7.*$ - - - - sl-release - - - diff --git a/shared/macros/01-general.jinja b/shared/macros/01-general.jinja index 5b80e6a9403..5c0d89b3f4c 100644 --- a/shared/macros/01-general.jinja +++ b/shared/macros/01-general.jinja @@ -351,7 +351,7 @@ Describe allowing access to a service in firewalld. To configure the system to prevent the {{{ module }}} kernel module from being loaded, add the following line to the file /etc/modprobe.d/{{{ module }}}.conf:
install {{{ module }}} /bin/true
- {{% if "ol" in product or product in ["rhel7", "rhel8"] %}} + {{% if "ol" in product or product in ["rhel8"] %}} To configure the system to prevent the {{{ module }}} from being used, add the following line to file /etc/modprobe.d/{{{ module }}}.conf:
blacklist {{{ module }}}
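Review bot: The rewritten condition `product in ["rhel8"]` tests membership in a one-element list; now that rhel7 is gone, `product == "rhel8"` states the intent directly and makes it obvious that the blacklist wording is specific to a single release. The same one-element list appears in the 10-ocil.jinja hunk at line 721. If the sentence about the `blacklist` keyword is actually meant for every remaining product that supports it, a short comment above the condition explaining why only rhel8 qualifies would save the next maintainer from guessing. The enclosing macro starts outside the hunk.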
@@ -1053,7 +1053,7 @@ Operator see #}} {{%- macro describe_grub2_argument(arg_name_value) -%}} -{{%- if product in ["ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9"] or 'ubuntu' in product -%}} +{{%- if product in ["ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10"] or 'ubuntu' in product -%}} To ensure that {{{ arg_name_value }}} is added as a kernel command line argument to newly installed kernels, add {{{ arg_name_value }}} to the default Grub2 command line for Linux operating systems. Modify the line within diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 38f48e648da..363010ff671 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja @@ -1268,7 +1268,7 @@ Part of the grub2_bootloader_argument template. #}} {{%- macro ansible_grub2_bootloader_argument(arg_name, arg_name_value) -%}} -{{% if 'ubuntu' in product or 'debian' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}} +{{% if 'ubuntu' in product or 'debian' in product or product in ['ol7', 'sle12', 'sle15'] %}} - name: Check {{{ arg_name }}} argument exists command: grep '^\s*GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=' /etc/default/grub failed_when: False @@ -1326,7 +1326,7 @@ Part of the grub2_bootloader_argument_absent template. #}} {{%- macro ansible_grub2_bootloader_argument_absent(arg_name) -%}} -{{% if 'ubuntu' in product or 'debian' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}} +{{% if 'ubuntu' in product or 'debian' in product or product in ['ol7', 'sle12', 'sle15'] %}} - name: Check {{{ arg_name }}} argument exists command: grep '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=.*"' /etc/default/grub failed_when: False diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 167730a4458..acd692c86a4 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
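Review bot: Adding `"rhel10"` to the product list in describe_grub2_argument (and in ocil_grub2_argument in the 10-ocil.jinja hunk at line 1047) is a behavior change beyond removing rhel7: RHEL 10 rule descriptions will now carry the /etc/default/grub guidance, and nothing else in the diff mentions it, so it belongs in the commit message or in a separate commit. The remediation macros in 10-ansible.jinja and 10-bash.jinja keep their lists limited to `ol7`, `sle12` and `sle15`, which presumably is intentional since rhel8 and rhel9 were already in the description list but not in the remediation lists before this change, but it is worth confirming that description and remediation agree for rhel10. The macro body continues outside the hunk.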
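Review bot: The product list `['ol7', 'sle12', 'sle15']` that this hunk rewrites in ansible_grub2_bootloader_argument is repeated verbatim in ansible_grub2_bootloader_argument_absent (line 1326 of the same file), in grub2_bootloader_argument_remediation and grub2_bootloader_argument_absent_remediation in 10-bash.jinja (lines 1793 and 1824), and in fixtext_grub2_bootloader_argument and fixtext_grub2_bootloader_argument_absent in 10-fixtext.jinja (lines 322 and 342); this commit has to edit all six in lockstep, which is exactly how such lists drift apart. Defining the set once, as a shared constant or macro that each of the six conditions references, would make the next product removal a one-line change. While comparing them, note that the two 10-ansible.jinja hunks and the first 10-bash.jinja hunk also test `'debian' in product` while the second 10-bash.jinja hunk and both 10-fixtext.jinja hunks do not; that difference predates this change and may be deliberate, but a comment on whichever side is intended would settle it. The macro bodies continue outside the hunks.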
@@ -1793,7 +1793,7 @@ Part of the grub2_bootloader_argument template. #}} {{% macro grub2_bootloader_argument_remediation(arg_name, arg_name_value) %}} -{{% if 'ubuntu' in product or 'debian' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}} +{{% if 'ubuntu' in product or 'debian' in product or product in ['ol7', 'sle12', 'sle15'] %}} {{{ update_etc_default_grub_manually(arg_name, arg_name_value) }}} {{% endif -%}} {{{ grub_command("add", arg_name_value) }}} @@ -1824,7 +1824,7 @@ Part of the grub2_bootloader_argument_absent template. #}} {{% macro grub2_bootloader_argument_absent_remediation(arg_name) %}} -{{% if 'ubuntu' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}} +{{% if 'ubuntu' in product or product in ['ol7', 'sle12', 'sle15'] %}} {{{ update_etc_default_grub_manually_absent(arg_name) }}} {{% endif -%}} {{{ grub_command("remove", arg_name) }}} diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja index 57cea30d3d2..1f841957be1 100644 --- a/shared/macros/10-fixtext.jinja +++ b/shared/macros/10-fixtext.jinja @@ -322,7 +322,7 @@ $ sudo sysctl --system #}} {{% macro fixtext_grub2_bootloader_argument(argument, value) %}} -{{% if 'ubuntu' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}} +{{% if 'ubuntu' in product or product in ['ol7', 'sle12', 'sle15'] %}} Update the GRUB_CMDLINE_LINUX line in '/etc/default/grub' so that it contains {{{ argument }}}={{{ value }}}. {{% endif -%}} 
@@ -342,7 +342,7 @@ $ sudo {{{ grub_command("add", argument + "=" + value) }}} #}} {{% macro fixtext_grub2_bootloader_argument_absent(argument) %}} -{{%- if 'ubuntu' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] -%}} +{{%- if 'ubuntu' in product or product in ['ol7', 'sle12', 'sle15'] -%}} Update the GRUB_CMDLINE_LINUX line in '/etc/default/grub' so that it does not contain any occurrence of {{{ argument }}} using the following command: $ sudo sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ argument }}}=?[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub' diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja index 7ac489f1ee7..54c6162a107 100644 --- a/shared/macros/10-ocil.jinja +++ b/shared/macros/10-ocil.jinja @@ -721,7 +721,7 @@ ocil_clause: '"{{{ part }}} is not a mountpoint" is returned' If the system is configured to prevent the loading of the {{{ module }}} kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - {{% if "ol" in product or product in ["rhel7", "rhel8"] %}} + {{% if "ol" in product or product in ["rhel8"] %}} These lines can also instruct the module loading system to ignore the {{{ module }}} kernel module via blacklist keyword. {{% endif %}} Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: 
@@ -1047,7 +1047,7 @@ ocil_clause: "the correct value is not returned" The parameter should have form `parameter=value`. #}} {{%- macro ocil_grub2_argument(arg_name_value) -%}} -{{%- if product in ["ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9"] or 'ubuntu' in product -%}} +{{%- if product in ["ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10"] or 'ubuntu' in product -%}} Inspect the form of default GRUB 2 command line for the Linux operating system in /etc/default/grub. If it includes {{{ arg_name_value }}}, then the parameter will be configured for newly installed kernels. diff --git a/shared/references/disa-stig-rhel7-v3r14-xccdf-manual.xml b/shared/references/disa-stig-rhel7-v3r14-xccdf-manual.xml deleted file mode 100644 index 77da6ecf948..00000000000 --- a/shared/references/disa-stig-rhel7-v3r14-xccdf-manual.xml +++ /dev/null 
@@ -1,4855 +0,0 @@ -acceptedRed Hat Enterprise Linux 7 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 14 Benchmark Date: 24 Jan 20243.4.1.229161.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000257-GPOS-00098<GroupDescription></GroupDescription>RHEL-07-010010The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.<VulnDiscussion>Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. 
- -Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71849SV-86473CCI-001494CCI-001496CCI-002165CCI-002235Run the following command to determine which package owns the file: - - # rpm -qf <filename> - -Reset the user and group ownership of files within a package with the following command: - - # rpm --setugids <packagename> - - -Reset the permissions of files within a package with the following command: - - # rpm --setperms <packagename>Verify the file permissions, ownership, and group membership of system files and commands match the vendor values. - -Check the default file permissions, ownership, and group membership of system files and commands with the following command: - - # for i in `rpm -Va | grep -E '^.{1}M|^.{5}U|^.{6}G' | cut -d " " -f 4,5`;do for j in `rpm -qf $i`;do rpm -ql $j --dump | cut -d " " -f 1,5,6,7 | grep $i;done;done - - /var/log/gdm 040755 root root - /etc/audisp/audisp-remote.conf 0100640 root root - /usr/bin/passwd 0104755 root root - -For each file returned, verify the current permissions, ownership, and group membership: - # ls -la <filename> - - -rw-------. 1 root root 2017 Nov 1 10:03 /etc/audisp/audisp-remote.conf - -If the file is more permissive than the default permissions, this is a finding. - -If the file is not owned by the default owner and is not documented with the Information System Security Officer (ISSO), this is a finding. 
- -If the file is not a member of the default group and is not documented with the Information System Security Officer (ISSO), this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-07-010030The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - -System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - -The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
- --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - - -Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71859SV-86483CCI-000048Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command: - -# touch /etc/dconf/db/local.d/01-banner-message - -Add the following line to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message": - -[org/gnome/login-screen] -banner-message-enable=true - -Update the system databases: - -# dconf update - -Users must log out and back in again before the system-wide settings take effect.Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
- -Check to see if the operating system displays a banner at the logon screen with the following command: - -# grep banner-message-enable /etc/dconf/db/local.d/* -banner-message-enable=true - -If "banner-message-enable" is set to "false" or is missing, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-07-010040The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - -System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - -The banner must be formatted in accordance with applicable DoD policy. - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
- --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - -Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71861SV-86485CCI-000048Configure the operating system to display the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the system. - -Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable. - -Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command: - -# touch /etc/dconf/db/local.d/01-banner-message - -Add the following line to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message": - -[org/gnome/login-screen] - -banner-message-enable=true - -banner-message-text='You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ' - -Note: The "\n " characters are for formatting only. They will not be displayed on the Graphical User Interface. - -Run the following command to update the database: -# dconf updateVerify the operating system displays the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. - -Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable. - -Check that the operating system displays the exact approved Standard Mandatory DoD Notice and Consent Banner text with the command: - -# grep banner-message-text /etc/dconf/db/local.d/* -banner-message-text= -'You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ' - -Note: The "\n " characters are for formatting only. They will not be displayed on the Graphical User Interface. 
- -If the banner does not match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-07-010050The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - -System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - -The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
- --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - -Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71863SV-86487CCI-000048Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the command line by editing the "/etc/issue" file. - -Replace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is: -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. 
- --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a command line user logon. - -Check to see if the operating system displays a banner at the command line logon screen with the following command: - -# more /etc/issue - -The command should return the following text: -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. 
- --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - -If the operating system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding. - -If the text in the "/etc/issue" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-07-010060The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. - -Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. 
- -Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86515V-71891CCI-000056Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures. - -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following example: - - # touch /etc/dconf/db/local.d/00-screensaver - -Edit the "[org/gnome/desktop/screensaver]" section of the database file and add or update the following lines: - - # Set this to true to lock the screen when the screensaver activates - lock-enabled=true - -Update the system databases: - - # dconf update - -Users must log out and back in again before the system-wide settings take effect.Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
- -Check to see if the screen lock is enabled with the following command: - - # grep -ir lock-enabled /etc/dconf/db/local.d/ | grep -v locks - lock-enabled=true - -If the "lock-enabled" setting is missing or is not set to "true", this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-07-010061The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.<VulnDiscussion>To assure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse and compromise of the system. - -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. - -Satisfies: SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-77819SV-92515CCI-001948CCI-001953CCI-001954Configure the operating system to uniquely identify and authenticate users using multifactor authentication via a graphical user logon. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
- -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - -Note: The example is using the database local for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. - -# touch /etc/dconf/db/local.d/00-defaults - -Edit "[org/gnome/login-screen]" and add or update the following line: -enable-smartcard-authentication=true - -Update the system databases: -# dconf updateVerify the operating system uniquely identifies and authenticates users using multifactor authentication via a graphical user logon. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Determine which profile the system database is using with the following command: - -# grep system-db /etc/dconf/profile/user - -system-db:local - -Note: The example is using the database local for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than local is being used. - -# grep enable-smartcard-authentication /etc/dconf/db/local.d/* - -enable-smartcard-authentication=true - -If "enable-smartcard-authentication" is set to "false" or the keyword is missing, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010070The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. 
- -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71893SV-86517CCI-000057Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. - -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - - # touch /etc/dconf/db/local.d/00-screensaver - -Edit /etc/dconf/db/local.d/00-screensaver and add or update the following lines: - - [org/gnome/desktop/session] - # Set the lock time out to 900 seconds before the session is considered idle - idle-delay=uint32 900 - -You must include the "uint32" along with the integer key values as shown. - -Update the system databases: - - # dconf update - -Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a screensaver after a 15-minute period of inactivity for graphical user interfaces. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
- -Check to see if GNOME is configured to display a screensaver after a 15 minute delay with the following command: - - # grep -i idle-delay /etc/dconf/db/local.d/* - idle-delay=uint32 900 - -If the "idle-delay" setting is missing or is not set to "900" or less, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010081The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73155SV-87807CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. 
- -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - -Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. - - # touch /etc/dconf/db/local.d/locks/session - -Add the setting to lock the screensaver lock delay: - - /org/gnome/desktop/screensaver/lock-delayVerify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Determine which profile the system database is using with the following command: - # grep system-db /etc/dconf/profile/user - system-db:local - -Check for the lock delay setting with the following command: - -Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. - - # grep -i lock-delay /etc/dconf/db/local.d/locks/* - /org/gnome/desktop/screensaver/lock-delay - -If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010082The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. 
- -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73157SV-87809CCI-000057Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces. - -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - -Note: The example below is using the database "local" for the system, so if the system is using another database in /etc/dconf/profile/user, the file should be created under the appropriate subdirectory. - - # touch /etc/dconf/db/local.d/locks/session - -Add the setting to lock the session idle delay: - - /org/gnome/desktop/session/idle-delayVerify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Determine which profile the system database is using with the following command: - # grep system-db /etc/dconf/profile/user - system-db:local - -Check for the session idle delay setting with the following command: - -Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. 
- - # grep -i idle-delay /etc/dconf/db/local.d/locks/* - /org/gnome/desktop/session/idle-delay - -If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010100The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71899SV-86523CCI-000057Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces. 
- -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - - # touch /etc/dconf/db/local.d/00-screensaver - -Add the setting to enable screensaver locking after 15 minutes of inactivity: - - [org/gnome/desktop/screensaver] - - idle-activation-enabled=true - -Update the system databases: - - # dconf update - -Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces. - -Note: If the system does not have a GNOME installed, this requirement is Not Applicable. - -Check for the session lock settings with the following commands: - - # grep -i idle-activation-enabled /etc/dconf/db/local.d/* - idle-activation-enabled=true - -If "idle-activation-enabled" is not set to "true", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010101The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. - -The ability to enable/disable a session lock is given to the user by default. 
Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-78997SV-93703CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. - -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - -Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. - - # touch /etc/dconf/db/local.d/locks/session - -Add the setting to lock the screensaver idle-activation-enabled setting: - - /org/gnome/desktop/screensaver/idle-activation-enabledVerify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Determine which profile the system database is using with the following command: - # grep system-db /etc/dconf/profile/user - - system-db:local - -Check for the idle-activation-enabled setting with the following command: - -Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. 
- - # grep -i idle-activation-enabled /etc/dconf/db/local.d/locks/* - - /org/gnome/desktop/screensaver/idle-activation-enabled - -If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010110The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71901SV-86525CCI-000057Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated. - -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - - # touch /etc/dconf/db/local.d/00-screensaver - -Add the setting to enable session locking when a screensaver is activated: - - [org/gnome/desktop/screensaver] - lock-delay=uint32 5 - -The "uint32" must be included along with the integer key values as shown. 
- -Update the system databases: - - # dconf update - -Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -If GNOME is installed, check to see a session lock occurs when the screensaver is activated with the following command: - - # grep -i lock-delay /etc/dconf/db/local.d/* - lock-delay=uint32 5 - -If the "lock-delay" setting is missing, or is not set to "5" or less, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-07-010118The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.<VulnDiscussion>Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods. PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important security function could be bypassed if stack entries are not centralized.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95715V-81003CCI-000192Configure PAM to utilize /etc/pam.d/system-auth when changing passwords. 
- -Add the following line to "/etc/pam.d/passwd" (or modify the line to have the required value): - -password substack system-authVerify that /etc/pam.d/passwd is configured to use /etc/pam.d/system-auth when changing passwords: - -# cat /etc/pam.d/passwd | grep -i substack | grep -i system-auth -password substack system-auth - -If no results are returned, the line is commented out, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-07-010119The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87811V-73159CCI-000192Configure the operating system to use "pwquality" to enforce password complexity rules. - -Add the following line to "/etc/pam.d/system-auth" (or modify the line to have the required value): - - password requisite pam_pwquality.so retry=3 - -Note: The value of "retry" should be between "1" and "3".Verify the operating system uses "pwquality" to enforce the password complexity rules. 
- -Check for the use of "pwquality" with the following command: - - # cat /etc/pam.d/system-auth | grep pam_pwquality - - password requisite pam_pwquality.so retry=3 - -If the command does not return an uncommented line containing the value "pam_pwquality.so" as shown, this is a finding. - -If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-07-010120The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86527V-71903CCI-000192Configure the operating system to enforce password complexity by requiring that at least one upper-case character be used by setting the "ucredit" option. 
- -Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - -ucredit = -1Note: The value to require a number of upper-case characters to be set is expressed as a negative number in "/etc/security/pwquality.conf". - -Check the value for "ucredit" in "/etc/security/pwquality.conf" with the following command: - -# grep ucredit /etc/security/pwquality.conf -ucredit = -1 - -If the value of "ucredit" is not set to a negative value, this is a finding.SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>RHEL-07-010130The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86529V-71905CCI-000193Configure the system to require at least one lower-case character when creating or changing a password. 
- -Add or modify the following line -in "/etc/security/pwquality.conf": - -lcredit = -1Note: The value to require a number of lower-case characters to be set is expressed as a negative number in "/etc/security/pwquality.conf". - -Check the value for "lcredit" in "/etc/security/pwquality.conf" with the following command: - -# grep lcredit /etc/security/pwquality.conf -lcredit = -1 - -If the value of "lcredit" is not set to a negative value, this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>RHEL-07-010140The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86531V-71907CCI-000194Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option. 
- -Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): - -dcredit = -1Note: The value to require a number of numeric characters to be set is expressed as a negative number in "/etc/security/pwquality.conf". - -Check the value for "dcredit" in "/etc/security/pwquality.conf" with the following command: - -# grep dcredit /etc/security/pwquality.conf -dcredit = -1 - -If the value of "dcredit" is not set to a negative value, this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>RHEL-07-010150The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86533V-71909CCI-001619Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the "ocredit" option. 
- -Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - -ocredit = -1Verify the operating system enforces password complexity by requiring that at least one special character be used. - -Note: The value to require a number of special characters to be set is expressed as a negative number in "/etc/security/pwquality.conf". - -Check the value for "ocredit" in "/etc/security/pwquality.conf" with the following command: - -# grep ocredit /etc/security/pwquality.conf -ocredit=-1 - -If the value of "ocredit" is not set to a negative value, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010160The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71911SV-86535CCI-000195Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed by setting the "difok" option. 
- -Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - -difok = 8The "difok" option sets the number of characters in a password that must not be present in the old password. - -Check for the value of the "difok" option in "/etc/security/pwquality.conf" with the following command: - -# grep difok /etc/security/pwquality.conf -difok = 8 - -If the value of "difok" is set to less than "8", this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010170The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71913SV-86537CCI-000195Configure the operating system to require the change of at least four character classes when passwords are changed by setting the "minclass" option. 
- -Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value): - -minclass = 4The "minclass" option sets the minimum number of required classes of characters for the new password (digits, upper-case, lower-case, others). - -Check for the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command: - -# grep minclass /etc/security/pwquality.conf -minclass = 4 - -If the value of "minclass" is set to less than "4", this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010180The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86539V-71915CCI-000195Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the "maxrepeat" option. 
- -Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value): - -maxrepeat = 3The "maxrepeat" option sets the maximum number of allowed same consecutive characters in a new password. - -Check for the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command: - -# grep maxrepeat /etc/security/pwquality.conf -maxrepeat = 3 - -If the value of "maxrepeat" is set to more than "3", this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010190The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86541V-71917CCI-000195Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the "maxclassrepeat" option. 
- -Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value): - -maxclassrepeat = 4The "maxclassrepeat" option sets the maximum number of allowed same consecutive characters in the same class in the new password. - -Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: - -$ sudo grep maxclassrepeat /etc/security/pwquality.conf -maxclassrepeat = 4 - -If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010200The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71919SV-86543CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. 
- -Add the following line in "/etc/pam.d/system-auth": - password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok - -Add the following line in "/etc/pam.d/password-auth": - password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok - -Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility; otherwise, manual changes to the listed files will be overwritten whenever the authconfig utility is used.Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. - -Check that the system is configured to create SHA512 hashed passwords with the following command: - - # grep password /etc/pam.d/system-auth /etc/pam.d/password-auth - -Outcome should look like following: - /etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok - /etc/pam.d/password-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok - -If the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" configuration files allow for password hashes other than SHA512 to be used, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010210The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71921SV-86545CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. - -Add or update the following line in "/etc/login.defs": - -ENCRYPT_METHOD SHA512Verify the system's shadow file is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. - -Check that the system is configured to create SHA512 hashed passwords with the following command: - -# grep -i encrypt /etc/login.defs -ENCRYPT_METHOD SHA512 - -If the "/etc/login.defs" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010220The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71923SV-86547CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. - -Add or update the following line in "/etc/libuser.conf" in the [defaults] section: - -crypt_style = sha512Verify the user and group account administration utilities are configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is "SHA512". - -Check that the system is configured to create "SHA512" hashed passwords with the following command: - -# grep -i sha512 /etc/libuser.conf - -crypt_style = sha512 - -If the "crypt_style" variable is not set to "sha512", is not in the defaults section, is commented out, or does not exist, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>RHEL-07-010230The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime.<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71925SV-86549CCI-000198Configure the operating system to enforce 24 hours/1 day as the minimum password lifetime. - -Add the following line in "/etc/login.defs" (or modify the line to have the required value): - -PASS_MIN_DAYS 1Verify the operating system enforces 24 hours/1 day as the minimum password lifetime for new user accounts. - -Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command: - -# grep -i pass_min_days /etc/login.defs -PASS_MIN_DAYS 1 - -If the "PASS_MIN_DAYS" parameter value is not "1" or greater, or is commented out, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>RHEL-07-010240The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime.<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86551V-71927CCI-000198Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime: - -# chage -m 1 [user]Check whether the minimum time period between password changes for each user account is one day or greater. - -# awk -F: '$4 < 1 {print $1 " " $4}' /etc/shadow - -If any results are returned that are not associated with a system account, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>RHEL-07-010250The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. 
If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71929SV-86553CCI-000199Configure the operating system to enforce a 60-day maximum password lifetime restriction. - -Add the following line in "/etc/login.defs" (or modify the line to have the required value): - -PASS_MAX_DAYS 60If passwords are not being used for authentication, this is Not Applicable. - -Verify the operating system enforces a 60-day maximum password lifetime restriction for new user accounts. - -Check for the value of "PASS_MAX_DAYS" in "/etc/login.defs" with the following command: - -# grep -i pass_max_days /etc/login.defs -PASS_MAX_DAYS 60 - -If the "PASS_MAX_DAYS" parameter value is not 60 or less, or is commented out, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>RHEL-07-010260The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. 
If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71931SV-86555CCI-000199Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction. - -# chage -M 60 [user]Check whether the maximum time period for existing passwords is restricted to 60 days. - -# awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow - -If any results are returned that are not associated with a system account, this is a finding. -SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>RHEL-07-010270The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71933SV-86557CCI-000200Configure the operating system to prohibit password reuse for a minimum of five generations. - -Add the following line in "/etc/pam.d/system-auth" (or modify the line to have the required value): - -password requisite pam_pwhistory.so remember=5 retry=3 - -Add the following line in "/etc/pam.d/password-auth" (or modify the line to have the required value): - -password requisite pam_pwhistory.so use_authtok remember=5 retry=3 - -Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility; otherwise, manual changes to the listed files will be overwritten whenever the authconfig utility is used.Verify the operating system prohibits password reuse for a minimum of five generations. 
- -Check for the value of the "remember" argument in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" with the following command: - - # grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth - password requisite pam_pwhistory.so use_authtok remember=5 retry=3 - -If the line containing the "pam_pwhistory.so" line does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-07-010280The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. - -Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71935SV-86559CCI-000205Configure operating system to enforce a minimum 15-character password length. - -Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - -minlen = 15Verify the operating system enforces a minimum 15-character password length. 
The "minlen" option sets the minimum number of characters in a new password. - -Check for the value of the "minlen" option in "/etc/security/pwquality.conf" with the following command: - -# grep minlen /etc/security/pwquality.conf -minlen = 15 - -If the command does not return a "minlen" value of 15 or greater, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010290The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71937SV-86561CCI-000366If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. - -Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords. 
- -Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.To verify that null passwords cannot be used, run the following command: - - # grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth - -If this produces any output, it may be possible to log on with accounts with empty passwords. - -If null passwords can be used, this is a finding.SRG-OS-000106-GPOS-00053<GroupDescription></GroupDescription>RHEL-07-010300The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password.<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86563V-71939CCI-000766To explicitly disallow remote logon from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config": - -PermitEmptyPasswords no - -The SSH service must be restarted for changes to take effect. 
Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command: - -# grep -i PermitEmptyPasswords /etc/ssh/sshd_config -PermitEmptyPasswords no - -If no line, a commented line, or a line indicating the value "no" is returned, the required value is set. - -If the required value is not set, this is a finding.SRG-OS-000118-GPOS-00060<GroupDescription></GroupDescription>RHEL-07-010310The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. - -Operating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86565V-71941CCI-000795Configure the operating system to disable account identifiers (individuals, groups, roles, and devices) 35 days after the password has expired. - -Add the following line to "/etc/default/useradd" (or modify the line to have the required value): - - INACTIVE=35 - -DOD recommendation is 35 days, but a lower value is acceptable. 
The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires.If passwords are not being used for authentication, this is Not Applicable. - -Verify the operating system disables account identifiers (individuals, groups, roles, and devices) after the password has expired with the following command: - - # grep -i inactive /etc/default/useradd - INACTIVE=35 - -If "INACTIVE" is set to "-1", a value greater than "35", is commented out, or is not defined, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>RHEL-07-010320The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. - -Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71943SV-86567CCI-000044CCI-002236CCI-002237CCI-002238Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made. 
- -Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: - -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth sufficient pam_unix.so try_first_pass -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so - -Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.Check that the system locks an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes with the following command: - - # grep pam_faillock.so /etc/pam.d/password-auth - -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so - -If the "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. - -If the "even_deny_root" parameter is not set on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. - -If the "fail_interval" parameter is set to "0" or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. - -If the "unlock_time" parameter is not set to "0", "never", or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. - -Note: The maximum configurable value for "unlock_time" is "604800". 
- -If any line referencing the "pam_faillock.so" module is commented out, this is a finding. - - # grep pam_faillock.so /etc/pam.d/system-auth - -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so - -If the "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. - -If the "even_deny_root" parameter is not set on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. - -If the "fail_interval" parameter is set to "0" or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. - -If the "unlock_time" parameter is not set to "0", "never", or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module or is missing from these lines, this is a finding. - -Note: The maximum configurable value for "unlock_time" is "604800". - -If any line referencing the "pam_faillock.so" module is commented out, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>RHEL-07-010330The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. 
- -Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71945SV-86569CCI-002238Configure the operating system to automatically lock the root account, for a minimum of 15 minutes, when three unsuccessful logon attempts in 15 minutes are made. - -Modify the first three lines of the auth section and the first line of the account section of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: - -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth sufficient pam_unix.so try_first_pass -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so - -Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.Verify the operating system automatically locks the root account, for a minimum of 15 minutes, when three unsuccessful logon attempts in 15 minutes are made. 
- - # grep pam_faillock.so /etc/pam.d/password-auth - -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so - -If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding. - - # grep pam_faillock.so /etc/pam.d/system-auth - -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so - -If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010340The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - -When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. 
- -Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71947SV-86571CCI-002038Configure the operating system to require users to supply a password for privilege escalation. - -Check the configuration of the "/etc/sudoers" file with the following command: -$ sudo visudo - -Remove any occurrences of "NOPASSWD" tags in the file. - -Check the configuration of the /etc/sudoers.d/* files with the following command: -$ sudo grep -ir nopasswd /etc/sudoers.d - -Remove any occurrences of "NOPASSWD" tags in the file.Verify the operating system requires users to supply a password for privilege escalation. - -Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command: - -$ sudo grep -ir nopasswd /etc/sudoers /etc/sudoers.d - -If any occurrences of "NOPASSWD" are returned from the command and have not been documented with the Information System Security Officer (ISSO) as an organizationally defined administrative group utilizing MFA, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010350The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - -When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. 
- -Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71949SV-86573CCI-002038Configure the operating system to require users to reauthenticate for privilege escalation. - -Check the configuration of the "/etc/sudoers" file with the following command: - -# visudo -Remove any occurrences of "!authenticate" tags in the file. - -Check the configuration of the "/etc/sudoers.d/*" files with the following command: - -# grep -i authenticate /etc/sudoers /etc/sudoers.d/* -Remove any occurrences of "!authenticate" tags in the file(s).Verify the operating system requires users to reauthenticate for privilege escalation. - -Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command: - -# grep -i authenticate /etc/sudoers /etc/sudoers.d/* - -If any uncommented line is found with a "!authenticate" tag, this is a finding.SRG-OS-000480-GPOS-00226<GroupDescription></GroupDescription>RHEL-07-010430The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds.<VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. 
- -Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86575V-71951CCI-000366Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt. - -Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or greater: - -FAIL_DELAY 4Verify the operating system enforces a delay of at least four seconds between console logon prompts following a failed logon attempt. 
- -Check the value of the "fail_delay" parameter in the "/etc/login.defs" file with the following command: - -# grep -i fail_delay /etc/login.defs -FAIL_DELAY 4 - -If the value of "FAIL_DELAY" is not set to "4" or greater, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-07-010440The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71953SV-86577CCI-000366Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Add or edit the line for the "AutomaticLoginEnable" parameter in the [daemon] section of the "/etc/gdm/custom.conf" file to "false": - -[daemon] -AutomaticLoginEnable=falseVerify the operating system does not allow an unattended or automatic logon to the system via a graphical user interface. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
- -Check for the value of the "AutomaticLoginEnable" in the "/etc/gdm/custom.conf" file with the following command: - -# grep -i automaticloginenable /etc/gdm/custom.conf -AutomaticLoginEnable=false - -If the value of "AutomaticLoginEnable" is not set to "false", this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-07-010450The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71955SV-86579CCI-000366Configure the operating system to not allow an unrestricted account to log on to the system via a graphical user interface. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Add or edit the line for the "TimedLoginEnable" parameter in the [daemon] section of the "/etc/gdm/custom.conf" file to "false": - -[daemon] -TimedLoginEnable=falseVerify the operating system does not allow an unrestricted logon to the system via a graphical user interface. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
- -Check for the value of the "TimedLoginEnable" parameter in "/etc/gdm/custom.conf" file with the following command: - -# grep -i timedloginenable /etc/gdm/custom.conf -TimedLoginEnable=false - -If the value of "TimedLoginEnable" is not set to "false", this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-07-010460The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86581V-71957CCI-000366Configure the operating system to not allow users to override environment variables to the SSH daemon. - -Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for "PermitUserEnvironment" keyword and set the value to "no": - -PermitUserEnvironment no - -The SSH service must be restarted for changes to take effect.Verify the operating system does not allow users to override environment variables to the SSH daemon. 
- -Check for the value of the "PermitUserEnvironment" keyword with the following command: - -# grep -i permituserenvironment /etc/ssh/sshd_config -PermitUserEnvironment no - -If the "PermitUserEnvironment" keyword is not set to "no", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-07-010470The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86583V-71959CCI-000366Configure the operating system to not allow a non-certificate trusted host SSH logon to the system. - -Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for "HostbasedAuthentication" keyword and set the value to "no": - -HostbasedAuthentication no - -The SSH service must be restarted for changes to take effect.Verify the operating system does not allow a non-certificate trusted host SSH logon to the system. 
- -Check for the value of the "HostbasedAuthentication" keyword with the following command: - -# grep -i hostbasedauthentication /etc/ssh/sshd_config -HostbasedAuthentication no - -If the "HostbasedAuthentication" keyword is not set to "no", is missing, or is commented out, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010481The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-77823SV-92519CCI-000213Configure the operating system to require authentication upon booting into single-user and maintenance modes. - -Add or modify the "ExecStart" line in "/usr/lib/systemd/system/rescue.service" to include "/usr/sbin/sulogin": - -ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"Verify the operating system must require authentication upon booting into single-user and maintenance modes. 
- -Check that the operating system requires authentication upon booting into single-user mode with the following command: - -# grep -i execstart /usr/lib/systemd/system/rescue.service | grep -i sulogin - -ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" - -If "ExecStart" does not have "/usr/sbin/sulogin" as an option, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010482Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95717V-81005CCI-000213Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/grub2/user.cfg file. - -Generate an encrypted grub2 password for the grub superusers account with the following command: - -$ sudo grub2-setpassword -Enter password: -Confirm password:For systems that use UEFI, this is Not Applicable. - -For systems that are running a version of RHEL prior to 7.2, this is Not Applicable. 
- -Check to see if an encrypted grub superusers password is set. On systems that use a BIOS, use the following command: - -$ sudo grep -iw grub2_password /boot/grub2/user.cfg -GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] - -If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010491Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95719V-81007CCI-000213Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. - -Generate an encrypted grub2 password for the grub superusers account with the following command: - -$ sudo grub2-setpassword -Enter password: -Confirm password:For systems that use BIOS, this is Not Applicable. - -For systems that are running a version of RHEL prior to 7.2, this is Not Applicable. - -Check to see if an encrypted grub superusers password is set. 
On systems that use UEFI, use the following command: - -$ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg -GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] - -If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>RHEL-07-010500The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.<VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. - -Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: - -1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; - -and - -2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. 
- -Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71965SV-86589CCI-000766Configure the operating system to require individuals to be authenticated with a multifactor authenticator. - -Enable smartcard logons with the following commands: - -# authconfig --enablesmartcard --smartcardaction=0 --update -# authconfig --enablerequiresmartcard -update - -Modify the "/etc/pam_pkcs11/pkcs11_eventmgr.conf" file to uncomment the following line: - -#/usr/X11R6/bin/xscreensaver-command -lock - -Modify the "/etc/pam_pkcs11/pam_pkcs11.conf" file to use the cackey module if required.Verify the operating system requires multifactor authentication to uniquely identify organizational users using multifactor authentication. - -Check to see if smartcard authentication is enforced on the system: - -# authconfig --test | grep "pam_pkcs11 is enabled" - -If no results are returned, this is a finding. - -# authconfig --test | grep "smartcard removal action" - -If "smartcard removal action" is blank, this is a finding. - -# authconfig --test | grep "smartcard module" - -If any of the above checks are not configured, ask the administrator to indicate the AO-approved multifactor authentication in use and the configuration to support it. 
If there is no evidence of multifactor authentication, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-07-020000The Red Hat Enterprise Linux operating system must not have the rsh-server package installed.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). - -The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. 
- -If a privileged user were to log on using this service, the privileged user password could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71967SV-86591CCI-000381Configure the operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command: - -# yum remove rsh-serverCheck to see if the rsh-server package is installed with the following command: - -# yum list installed rsh-server - -If the rsh-server package is installed, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-07-020010The Red Hat Enterprise Linux operating system must not have the ypserv package installed.<VulnDiscussion>Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71969SV-86593CCI-000381Configure the operating system to disable non-essential capabilities by removing the "ypserv" package from the system with the following command: - -# yum remove ypservThe NIS service provides an unencrypted authentication service that does not provide for the confidentiality and integrity of 
user passwords or the remote session. - -Check to see if the "ypserve" package is installed with the following command: - -# yum list installed ypserv - -If the "ypserv" package is installed, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020020The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.<VulnDiscussion>Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. - -Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86595V-71971CCI-002165CCI-002235Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. 
- -Use the following command to map a new user to the "staff_u" SELinux user: - - $ sudo semanage login -a -s staff_u <username> - -Use the following command to map an existing user to the "staff_u" SELinux user: - - $ sudo semanage login -m -s staff_u <username> - -Use the following command to map a new user to the "user_u" SELinux user: - - $ sudo semanage login -a -s user_u <username> - -Use the following command to map an existing user to the "user_u" SELinux user: - - $ sudo semanage login -m -s user_u <username>Verify the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. - -Get a list of authorized users for the system. - -Check the list against the system by using the following command: - - $ sudo semanage login -l | more - - Login Name SELinux User MLS/MCS Range Service - - __default__ user_u s0-s0:c0.c1023 * - root unconfined_u s0-s0:c0.c1023 * - system_u system_u s0-s0:c0.c1023 * - joe staff_u s0-s0:c0.c1023 * - -All administrators must be mapped to the , "staff_u", or an appropriately tailored confined SELinux user as defined by the organization. - -All authorized non-administrative users must be mapped to the "user_u" SELinux user. - -If they are not mapped in this way, this is a finding. -If administrator accounts are mapped to the "sysadm_u" SELinux user and are not documented as an operational requirement with the ISSO, this is a finding. 
-If administrator accounts are mapped to the "sysadm_u" SELinux user and are documented as an operational requirement with the ISSO, this can be downgraded to a CAT III.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-07-020030The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. - -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86597V-71973CCI-001744Configure the file integrity tool to run automatically on the system at least weekly. - -The following example output is generic. 
It will set cron to run AIDE daily, but other file integrity tools may be used: - - # more /etc/cron.daily/aide - #!/bin/bash - - /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil - -Note: Per requirement RHEL-07-020028, the "mailx" package must be installed on the system to enable email functionality.Verify the operating system routinely checks the baseline configuration for unauthorized changes. - -Note: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed at least once per week. - -Check for the presence of a cron job running daily or weekly on the system that executes AIDE daily to scan for changes to the system baseline. The command used in the example will use a daily occurrence. - -Check the cron directories for a script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command: - - # ls -al /etc/cron.* | grep aide - -rwxr-xr-x 1 root root 602 Mar 6 20:02 aide - - # grep aide /etc/crontab /var/spool/cron/root - /etc/crontab: 30 04 * * * root /usr/sbin/aide --check - /var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check - -If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-07-020040The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. 
- -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71975SV-86599CCI-001744Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. - -The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. - - # more /etc/cron.daily/aide - - /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil - -Note: Per requirement RHEL-07-020028, the "mailx" package must be installed on the system to enable email functionality.Verify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner. - -Note: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed and notify specified individuals via email or an alert. - -Check for the presence of a cron job running routinely on the system that executes AIDE to scan for changes to the system baseline. 
The commands used in the example will use a daily occurrence. - -Check the cron directories for a "crontab" script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command: - - # ls -al /etc/cron.* | grep aide - -rwxr-xr-x 1 root root 602 Mar 6 20:02 aide - - # grep aide /etc/crontab /var/spool/cron/root - /etc/crontab: 30 04 * * * root /usr/sbin/aide --check - /var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check - -AIDE does not have a configuration that will send a notification, so the cron job uses the mail application on the system to email the results of the file integrity run as in the following example: - - # more /etc/cron.daily/aide - #!/bin/bash - - /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil - -If the file integrity application does not notify designated personnel of changes, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-07-020050The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - -Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. - -Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. 
This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71977SV-86601CCI-001749Configure the operating system to verify the signature of packages from a repository prior to install by setting the following option in the "/etc/yum.conf" file: - -gpgcheck=1Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization. - -Check that yum verifies the signature of packages from a repository prior to install with the following command: - -# grep gpgcheck /etc/yum.conf -gpgcheck=1 - -If "gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. 
- -If there is no process to validate certificates that is approved by the organization, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-07-020060The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - -Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. - -Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. 
This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71979SV-86603CCI-001749Configure the operating system to verify the signature of local packages prior to install by setting the following option in the "/etc/yum.conf" file: - -localpkg_gpgcheck=1Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification that they have been digitally signed using a certificate that is recognized and approved by the organization. - -Check that yum verifies the signature of local packages prior to install with the following command: - -# grep localpkg_gpgcheck /etc/yum.conf -localpkg_gpgcheck=1 - -If "localpkg_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the signatures of local packages and other operating system components are verified. - -If there is no process to validate the signatures of local packages that is approved by the organization, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-07-020100The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.<VulnDiscussion>USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. 
- -Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86607V-71983CCI-000366CCI-000778CCI-001958Configure the operating system to disable the ability to use the USB Storage kernel module. - -Create a file under "/etc/modprobe.d" with the following command: - - # touch /etc/modprobe.d/usb-storage.conf - -Add the following line to the created file: - - install usb-storage /bin/false - -Configure the operating system to disable the ability to use USB mass storage devices. - - # vi /etc/modprobe.d/blacklist.conf - -Add or update the line: - - blacklist usb-storageVerify the operating system disables the ability to load the USB Storage kernel module. - - # grep -r usb-storage /etc/modprobe.d/* | grep -i "/bin/false" | grep -v "^#" - install usb-storage /bin/false - -If the command does not return any output, or the line is commented out, and use of USB Storage is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. - -Verify the operating system disables the ability to use USB mass storage devices. 
- -Check to see if USB mass storage is disabled with the following command: - - # grep usb-storage /etc/modprobe.d/* | grep -i "blacklist" | grep -v "^#" - blacklist usb-storage - -If the command does not return any output or the output is not "blacklist usb-storage", and use of USB storage devices is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000378-GPOS-00163<GroupDescription></GroupDescription>RHEL-07-020101The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required.<VulnDiscussion>Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-77821SV-92517CCI-001958Configure the operating system to disable the ability to use the DCCP kernel module. - -Create a file under "/etc/modprobe.d" with the following command: - - # touch /etc/modprobe.d/dccp.conf - -Add the following line to the created file: - - install dccp /bin/false - -Ensure that the DCCP module is blacklisted: - - # vi /etc/modprobe.d/blacklist.conf - -Add or update the line: - - blacklist dccpVerify the operating system disables the ability to load the DCCP kernel module. 
- - # grep -r dccp /etc/modprobe.d/* | grep -i "/bin/false" | grep -v "^#" - install dccp /bin/false - -If the command does not return any output, or the line is commented out, and use of DCCP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. - -Verify the operating system disables the ability to use the DCCP kernel module. - -Check to see if the DCCP kernel module is disabled with the following command: - - # grep -i dccp /etc/modprobe.d/* | grep -i "blacklist" | grep -v "^#" - blacklist dccp - -If the command does not return any output or the output is not "blacklist dccp", and use of the dccp kernel module is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-07-020110The Red Hat Enterprise Linux operating system must disable the file system automounter unless required.<VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. - -Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71985SV-86609CCI-000366CCI-000778CCI-001958Configure the operating system to disable the ability to automount devices. 
- -Turn off the automount service with the following commands: - -# systemctl stop autofs -# systemctl disable autofs - -If "autofs" is required for Network File System (NFS), it must be documented with the ISSO.Verify the operating system disables the ability to automount devices. - -Check to see if automounter service is active with the following command: - -# systemctl status autofs -autofs.service - Automounts filesystems on demand - Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled) - Active: inactive (dead) - -If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>RHEL-07-020200The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71987SV-86611CCI-002617Configure the operating system to remove all software components after updated versions have been installed. - -Set the "clean_requirements_on_remove" option to "1" in the "/etc/yum.conf" file: - -clean_requirements_on_remove=1Verify the operating system removes all software components after updated versions have been installed. 
- -Check if yum is configured to remove unneeded packages with the following command: - -# grep -i clean_requirements_on_remove /etc/yum.conf -clean_requirements_on_remove=1 - -If "clean_requirements_on_remove" is not set to "1", "True", or "yes", or is not set in "/etc/yum.conf", this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-07-020210The Red Hat Enterprise Linux operating system must enable SELinux.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. - -This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71989SV-86613CCI-002165CCI-002696Configure the operating system to verify correct operation of all security functions. 
- -Set the "SELinux" status and the "Enforcing" mode by modifying the "/etc/selinux/config" file to have the following line: - - SELINUX=enforcing - -A reboot is required for the changes to take effect.Verify the operating system verifies correct operation of all security functions. - -Check if "SELinux" is active and in "Enforcing" mode with the following command: - - # getenforce - Enforcing - -If "SELinux" is not active and not in "Enforcing" mode, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-07-020220The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. - -This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71991SV-86615CCI-002165CCI-002696Configure the operating system to verify correct operation of all security functions. 
- -Set the "SELinuxtype" to the "targeted" policy by modifying the "/etc/selinux/config" file to have the following line: - - SELINUXTYPE=targeted - -A reboot is required for the changes to take effect.Verify the operating system verifies correct operation of all security functions. - -Check if "SELinux" is active and is enforcing the targeted policy with the following command: - - # sestatus - SELinux status: enabled - SELinuxfs mount: /selinux - SELinux root directory: /etc/selinux - Loaded policy name: targeted - Current mode: enforcing - Mode from config file: enforcing - Policy MLS status: enabled - Policy deny_unknown status: allowed - Max kernel policy version: 28 - -If the "Loaded policy name" is not set to "targeted", this is a finding. - -Verify that the /etc/selinux/config file is configured to the "SELINUXTYPE" to "targeted": - - # grep -i "selinuxtype" /etc/selinux/config | grep -v '^#' - SELINUXTYPE = targeted - -If no results are returned or "SELINUXTYPE" is not set to "targeted", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020230The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. 
In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86617V-71993CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands: - - # systemctl disable ctrl-alt-del.target - - # systemctl mask ctrl-alt-del.targetVerify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed. - -Check that the ctrl-alt-del.target is masked and not active with the following command: - - # systemctl status ctrl-alt-del.target - - ctrl-alt-del.target - Loaded: masked (/dev/null; bad) - Active: inactive (dead) - -If the ctrl-alt-del.target is not masked, this is a finding. - -If the ctrl-alt-del.target is active, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020231The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. 
In the graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-94843SV-104673CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface with the following command: - -# touch /etc/dconf/db/local.d/00-disable-CAD - -Add the setting to disable the Ctrl-Alt-Delete sequence for the graphical user interface: - -[org/gnome/settings-daemon/plugins/media-keys] -logout=''Note: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable. - -Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed. 
- -Check that the ctrl-alt-del.target is masked and not active in the graphical user interface with the following command: - -# grep logout /etc/dconf/db/local.d/* - -logout='' - -If "logout" is not set to use two single quotations, or is missing, this is a finding.SRG-OS-000480-GPOS-00228<GroupDescription></GroupDescription>RHEL-07-020240The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.<VulnDiscussion>Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86619V-71995CCI-000366Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. - -Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077": - -UMASK 077Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files. - -Check for the value of the "UMASK" parameter in "/etc/login.defs" file with the following command: - -Note: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs" file, the Severity is raised to a CAT I. 
- -# grep -i umask /etc/login.defs -UMASK 077 - -If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020250The Red Hat Enterprise Linux operating system must be a vendor supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. - -Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. RHEL 7.7 marks the final minor release that EUS will be available, while 7.9 is the final minor release overall.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86621V-71997CCI-000366Upgrade to a supported version of the operating system.Verify the version of the operating system is vendor supported. - -Check the version of the operating system with the following command: - -# cat /etc/redhat-release - -Red Hat Enterprise Linux Server release 7.9 (Maipo) - -Current End of Extended Update Support for RHEL 7.6 is 31 May 2021. - -Current End of Extended Update Support for RHEL 7.7 is 30 August 2021. - -Current End of Maintenance Support for RHEL 7.9 is 30 June 2024. 
- -If the release is not supported by the vendor, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020260The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.<VulnDiscussion>Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86623V-71999CCI-000366Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). - -Obtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. 
It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. - -Check that the available package security updates have been installed on the system with the following command: - -# yum history list | more -Loaded plugins: langpacks, product-id, subscription-manager -ID | Command line | Date and time | Action(s) | Altered -------------------------------------------------------------------------------- - 70 | install aide | 2016-05-05 10:58 | Install | 1 - 69 | update -y | 2016-05-04 14:34 | Update | 18 EE - 68 | install vlc | 2016-04-21 17:12 | Install | 21 - 67 | update -y | 2016-04-21 17:04 | Update | 7 EE - 66 | update -y | 2016-04-15 16:47 | E, I, U | 84 EE - -If package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding. - -Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. - -If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020270The Red Hat Enterprise Linux operating system must not have unnecessary accounts.<VulnDiscussion>Accounts providing no operational purpose provide additional opportunities for system compromise. 
Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86625V-72001CCI-000366Configure the system so all accounts on the system are assigned to an active system, application, or user account. - -Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. - -Document all authorized accounts on the system.Verify all accounts on the system are assigned to an active system, application, or user account. - -Obtain the list of authorized system accounts from the Information System Security Officer (ISSO). - -Check the system accounts on the system with the following command: - -# more /etc/passwd -root:x:0:0:root:/root:/bin/bash -bin:x:1:1:bin:/bin:/sbin/nologin -daemon:x:2:2:daemon:/sbin:/sbin/nologin -sync:x:5:0:sync:/sbin:/bin/sync -shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown -halt:x:7:0:halt:/sbin:/sbin/halt -games:x:12:100:games:/usr/games:/sbin/nologin -gopher:x:13:30:gopher:/var/gopher:/sbin/nologin - -Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. 
- -If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>RHEL-07-020300The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file.<VulnDiscussion>If a user is assigned the GID of a group not existing on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72003SV-86627CCI-000764Configure the system to define all GIDs found in the "/etc/passwd" file by modifying the "/etc/group" file to add any non-existent group referenced in the "/etc/passwd" file, or change the GIDs referenced in the "/etc/passwd" file to a group that exists in "/etc/group".Verify all GIDs referenced in the "/etc/passwd" file are defined in the "/etc/group" file. 
- -Check that all referenced GIDs exist with the following command: - -# pwck -r - -If GIDs referenced in "/etc/passwd" file are returned as not defined in "/etc/group" file, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020310The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.<VulnDiscussion>If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86629V-72005CCI-000366Change the UID of any account on the system, other than root, that has a UID of "0". - -If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". 
Otherwise, assign a UID of greater than "1000" that has not already been assigned.Check the system for duplicate UID "0" assignments with the following command: - -# awk -F: '$3 == 0 {print $1}' /etc/passwd - -If any accounts other than root have a UID of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020320The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner.<VulnDiscussion>Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86631V-72007CCI-002165Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the "chown" command: - -# chown <user> <file>Verify all files and directories on the system have a valid owner. - -Check the owner of all files and directories with the following command: - -Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example. 
- -# find / -fstype xfs -nouser - -If any files on the system do not have an assigned owner, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020330The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner.<VulnDiscussion>Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72009SV-86633CCI-002165Either remove all files and directories from the system that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command: - -# chgrp <group> <file>Verify all files and directories on the system have a valid group. - -Check the owner of all files and directories with the following command: - -Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example. 
- -# find / -fstype xfs -nogroup - -If any files on the system do not have an assigned group, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020610The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.<VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72013SV-86637CCI-000366Configure the operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows. - -CREATE_HOME yesVerify all local interactive users on the system are assigned a home directory upon creation. - -Check to see if the system is configured to create home directories for local interactive users with the following command: - -# grep -i create_home /etc/login.defs -CREATE_HOME yes - -If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020620The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file.<VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. 
- -In addition, if a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72015SV-86639CCI-000366Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd": - -Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a UID of "smithj", and a Group Identifier (GID) of "users" assigned in "/etc/passwd". - -# mkdir /home/smithj -# chown smithj /home/smithj -# chgrp users /home/smithj -# chmod 0750 /home/smithjVerify local interactive users on the system have a home directory assigned and the directory exists. - -Check the home directory assignment for all local interactive non-privileged users on the system with the following command: - -# awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd - -smithj 1001 /home/smithj - -Note: This may miss interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. 
- -Check that all referenced home directories exist with the following command: - -# pwck -r -user 'smithj': directory '/home/smithj' does not exist - -If any home directories referenced in "/etc/passwd" are returned as not defined, or if any interactive users do not have a home directory assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020630The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive.<VulnDiscussion>Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86641V-72017CCI-000366Change the mode of interactive user's home directories to "0750". To change the mode of a local interactive user's home directory, use the following command: - -Note: The example will be for the user "smithj". - -# chmod 0750 /home/smithjVerify the assigned home directory of all local interactive users has a mode of "0750" or less permissive. - -Check the home directory assignment for all non-privileged users on the system with the following command: - -Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. 
- -# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) --rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj - -If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020640The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users.<VulnDiscussion>If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86643V-72019CCI-000366Change the owner of a local interactive user's home directories to that owner. To change the owner of a local interactive user's home directory, use the following command: - -Note: The example will be for the user smithj, who has a home directory of "/home/smithj". - -# chown smithj /home/smithjVerify the assigned home directory of all local interactive users on the system exists. 
- -Check the home directory assignment for all local interactive users on the system with the following command: - -# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) - --rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj - -If any home directories referenced in "/etc/passwd" are not owned by the interactive user, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020650The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.<VulnDiscussion>If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86645V-72021CCI-000366Change the group owner of a local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command: - -Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users. - - # chgrp users /home/smithjVerify the assigned home directory of all local interactive users is group-owned by that user's primary GID. 
- -Check the home directory assignment for all local interactive users on the system with the following command: - - # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) - -rwxr-x--- 1 smithj users 13 Apr 1 04:20 /home/smithj - -Check the user's primary group with the following command: - - # grep $(grep smithj /etc/passwd | awk -F: '{print $4}') /etc/group - users:x:250:smithj,marinc,chongt - -If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020660The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner.<VulnDiscussion>Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86647V-72023CCI-000366Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on RHEL 7 with the "chown" command: - -Note: The example will be for the user smithj, who has a home directory of "/home/smithj". - -$ sudo chown smithj /home/smithj/<file or directory>Verify all files and directories in a local interactive user's home directory have a valid owner. 
- -Check the owner of all files and directories in a local interactive user's home directory with the following command: - -Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". - -$ sudo ls -lLR /home/smithj --rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1 --rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2 --rw-r--r-- 1 smithj smithj 231 Mar 5 17:06 file3 - -If any files or directories are found without an owner, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020670The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.<VulnDiscussion>If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72025SV-86649CCI-000366Change the group of a local interactive user's files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user's files and directories, use the following command: - -Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group. - -# chgrp users /home/smithj/<file>Verify all files and directories in a local interactive user home directory are group-owned by a group the user is a member of. 
- -Check the group owner of all files and directories in a local interactive user's home directory with the following command: - -Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". - -# ls -lLR /<home directory>/<users home directory>/ --rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1 --rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2 --rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3 - -If any files are found with an owner different than the group home directory user, check to see if the user is a member of that group with the following command: - -# grep smithj /etc/group -sa:x:100:juan,shelley,bob,smithj -smithj:x:521:smithj - -If the user is not a member of a group that group owns file(s) in a local interactive user's home directory, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020680The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.<VulnDiscussion>If a local interactive user files have excessive permissions, unintended users may be able to access or modify them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72027SV-86651CCI-000366Set the mode on files and directories in the local interactive user home directory with the following command: - -Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group. 
- -# chmod 0750 /home/smithj/<file>Verify all files and directories contained in a local interactive user home directory, excluding local initialization files, have a mode of "0750". - -Check the mode of all non-initialization files in a local interactive user home directory with the following command: - -Files that begin with a "." are excluded from this requirement. - -Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". - -# ls -lLR /home/smithj --rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1 --rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2 --rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3 - -If any files are found with a mode more permissive than "0750", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020690The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root.<VulnDiscussion>Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72029SV-86653CCI-000366Set the owner of the local initialization files for interactive users to either the directory owner or root with the following command: - -Note: The example will be for the smithj user, who has a home directory of "/home/smithj". - - # chown smithj /home/smithj/.[^.]*Verify the local initialization files of all local interactive users are owned by that user. 
- -Check the home directory assignment for all nonprivileged users on the system with the following command: - -Note: The example will be for the smithj user, who has a home directory of "/home/smithj". - - # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd - - smithj 1000 /home/smithj - -Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. - -Check the owner of all local interactive users' initialization files with the following command: - - # ls -al /home/smithj/.[^.]* | more - - -rw-------. 1 smithj users 2984 Apr 27 19:02 .bash_history - -rw-r--r--. 1 smithj users 18 Aug 21 2019 .bash_logout - -rw-r--r--. 1 smithj users 193 Aug 21 2019 .bash_profile - -If all local interactive users' initialization files are not owned by that user or root, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020700The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root.<VulnDiscussion>Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72031SV-86655CCI-000366Change the group owner of a local interactive user's files to the group found in "/etc/passwd" for the user. 
To change the group owner of a local interactive user's home directory, use the following command: - -Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and has a primary group of users. - - # chgrp users /home/smithj/.[^.]*Verify the local initialization files of all local interactive users are group-owned by that user's primary Group Identifier (GID). - -Check the home directory assignment for all nonprivileged users on the system with the following command: - -Note: The example will be for the smithj user, who has a home directory of "/home/smithj" and a primary group of "users". - - # awk -F: '($4>=1000)&&($7 !~ /nologin/){print $1, $4, $6}' /etc/passwd - - smithj 1000 /home/smithj - - # grep 1000 /etc/group - - users:x:1000:smithj,jonesj,jacksons - -Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. - -Check the group owner of all local interactive users' initialization files with the following command: - - # ls -al /home/smithj/.[^.]* | more - - -rw-------. 1 smithj users 2984 Apr 27 19:02 .bash_history - -rw-r--r--. 1 smithj users 18 Aug 21 2019 .bash_logout - -rw-r--r--. 1 smithj users 193 Aug 21 2019 .bash_profile - -If all local interactive users' initialization files are not group-owned by that user's primary GID, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020710The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive.<VulnDiscussion>Local initialization files are used to configure the user's shell environment upon logon. 
Malicious modification of these files could compromise accounts upon logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86657V-72033CCI-000366Set the mode of the local initialization files to "0740" with the following command: - -Note: The example will be for the "smithj" user, who has a home directory of "/home/smithj". - - # chmod 0740 /home/smithj/.[^.]*Verify that all local initialization files have a mode of "0740" or less permissive. - -Check the mode on all local initialization files with the following command: - -Note: The example will be for the "smithj" user, who has a home directory of "/home/smithj". - - # ls -al /home/smithj/.[^.]* | more - - -rw-------. 1 smithj users 2984 Apr 27 19:02 .bash_history - -rw-r--r--. 1 smithj users 18 Aug 21 2019 .bash_logout - -rw-r--r--. 1 smithj users 193 Aug 21 2019 .bash_profile - -If any local initialization files have a mode more permissive than "0740", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020720The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.<VulnDiscussion>The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. 
This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72035SV-86659CCI-000366Edit the local interactive user initialization files to change any PATH variable statements that reference directories other than their home directory. - -If a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO.Verify that all local interactive user initialization files' executable search path statements do not contain statements that will reference a working directory other than the user's home directory. - -Check the executable search path statement for all local interactive user initialization files in the user's home directory with the following commands: - -Note: The example will be for the smithj user, which has a home directory of "/home/smithj". 
- -# grep -i path= /home/smithj/.* -/home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin - -If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020730The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs.<VulnDiscussion>If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86661V-72037CCI-000366Set the mode on files being executed by the local initialization files with the following command: - -# chmod 0755 <file>Verify that local initialization files do not execute world-writable programs. - -Check the system for world-writable files with the following command: - -# find / -xdev -perm -002 -type f -exec ls -ld {} \; | more - -For all files listed, check for their presence in the local initialization files with the following commands: - -Note: The example will be for a system that is configured to create users' home directories in the "/home" directory. 
- -# grep <file> /home/*/.* - -If any local initialization files are found to reference world-writable files, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020900The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.<VulnDiscussion>If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86663V-72039CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Run the following command to determine which package owns the device file: - -# rpm -qf <filename> - -The package can be reinstalled from a yum repository using the command: - -# sudo yum reinstall <packagename> - -Alternatively, the package can be reinstalled from trusted media using the command: - -# sudo rpm -Uvh <packagename>Verify that all system device files are correctly labeled to prevent unauthorized modification. - -List all device files on the system that are incorrectly labeled with the following commands: - -Note: Device files are normally found under "/dev", but applications may place device files in other directories and may necessitate a search of the entire system. 
- -#find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n" - -#find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n" - -Note: There are device files, such as "/dev/vmci", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the "device_t" label to operate. These device files are not a finding. - -If there is output from either of these commands, other than already noted, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021000The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.<VulnDiscussion>The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86665V-72041CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories.Verify file systems that contain user home directories are mounted with the "nosuid" option. 
- -Find the file system(s) that contain the user home directories with the following command: - -Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system. - -# awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd -smithj 1001 /home/smithj -thomasr 1002 /home/thomasr - -Check the file systems that are mounted at boot time with the following command: - -# more /etc/fstab - -UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid 0 2 - -If a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021010The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.<VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86667V-72043CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on file systems that are associated with removable media.Verify file systems that are used for removable media are mounted with the "nosuid" option. - -Check the file systems that are mounted at boot time with the following command: - -# more /etc/fstab - -UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0 - -If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021020The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS).<VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86669V-72045CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS.Verify file systems that are being NFS imported are configured with the "nosuid" option. - -Find the file system(s) that contain the directories being exported with the following command: - -# more /etc/fstab | grep nfs - -UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0 - -If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding. - -Verify the NFS is mounted with the "nosuid" option: - -# mount | grep nfs | grep nosuid -If no results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021021The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).<VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87813V-73161CCI-000366Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS.Verify file systems that are being NFS imported are configured with the "noexec" option. - -Find the file system(s) that contain the directories being imported with the following command: - -# more /etc/fstab | grep nfs - -UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0 - -If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, and use of NFS imported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. - -Verify the NFS is mounted with the "noexec"option: - -# mount | grep nfs | grep noexec -If no results are returned and use of NFS imported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-07-021024The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options.<VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95725V-81013CCI-001764Configure the system so that /dev/shm is mounted with the "nodev", "nosuid", and "noexec" options by adding /modifying the /etc/fstab with the following line: - -tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0Verify that the "nodev","nosuid", and "noexec" options are configured for /dev/shm: - -# cat /etc/fstab | grep /dev/shm - -tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - -If results are returned and the "nodev", "nosuid", or "noexec" options are missing, this is a finding. 
- -Verify "/dev/shm" is mounted with the "nodev", "nosuid", and "noexec" options: - -# mount | grep /dev/shm - -tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel) - -If /dev/shm is mounted without secure options "nodev", "nosuid", and "noexec", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021030The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.<VulnDiscussion>If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. - -The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72047SV-86671CCI-000366All directories in local partitions which are world-writable should be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this should be investigated. Following this, the directories should be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not group-owned by a system account, assuming only system accounts have a GID lower than 1000. 
Run it once for each local partition [PART]: - -# find [PART] -xdev -type d -perm -0002 -gid +999 -print - -If there is output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021040The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.<VulnDiscussion>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72049SV-86673CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Remove the umask statement from all local interactive user's initialization files. - -If the account is for an application, the requirement for a umask less restrictive than "077" can be documented with the Information System Security Officer, but the user agreement for access to the account must specify that the local interactive user must log on to their account first and then switch the user to the application account with the correct option to gain the account's environment variables.Verify that the default umask for all local interactive users is "077". - -Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file. 
- -Check all local interactive user initialization files for interactive users with the following command: - -Note: The example is for a system that is configured to create users home directories in the "/home" directory. - -$ sudo grep -ir ^umask /home | grep -v '.bash_history' - -If any local interactive user initialization files are found to have a umask statement that has a value less restrictive than "077", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021100The Red Hat Enterprise Linux operating system must have cron logging implemented.<VulnDiscussion>Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72051SV-86675CCI-000366Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the /etc/rsyslog.d/ directory: - -cron.* /var/log/cron - -The rsyslog daemon must be restarted for the changes to take effect: -$ sudo systemctl restart rsyslog.serviceVerify that "rsyslog" is configured to log cron events. - -Check the configuration of "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files for the cron facility with the following command: - -Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files. 
- -# grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf -cron.* /var/log/cron - -If the command does not return a response, check for cron logging all facilities by inspecting the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files. - -Look for the following entry: - -*.* /var/log/messages - -If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021110The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.<VulnDiscussion>If the owner of the "cron.allow" file is not set to root, the possibility exists for an unauthorized user to view or to edit sensitive information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72053SV-86677CCI-000366Set the owner on the "/etc/cron.allow" file to root with the following command: - -# chown root /etc/cron.allowVerify that the "cron.allow" file is owned by root. 
- -Check the owner of the "cron.allow" file with the following command: - -# ls -al /etc/cron.allow --rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow - -If the "cron.allow" file exists and has an owner other than root, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021120The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.<VulnDiscussion>If the group owner of the "cron.allow" file is not set to root, sensitive information could be viewed or edited by unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86679V-72055CCI-000366Set the group owner on the "/etc/cron.allow" file to root with the following command: - -# chgrp root /etc/cron.allowVerify that the "cron.allow" file is group-owned by root. - -Check the group owner of the "cron.allow" file with the following command: - -# ls -al /etc/cron.allow --rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow - -If the "cron.allow" file exists and has a group owner other than root, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021300The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed.<VulnDiscussion>Kernel core dumps may contain the full contents of system memory at the time of the crash. 
Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86681V-72057CCI-000366If kernel core dumps are not required, disable the "kdump" service with the following command: - -# systemctl disable kdump.service - -If kernel core dumps are required, document the need with the ISSO.Verify that kernel core dumps are disabled unless needed. - -Check the status of the "kdump" service with the following command: - -# systemctl status kdump.service -kdump.service - Crash recovery kernel arming - Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled) - Active: active (exited) since Wed 2015-08-26 13:08:09 EDT; 43min ago - Main PID: 1130 (code=exited, status=0/SUCCESS) -kernel arming. - -If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO). 
- -If the service is active and is not documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021310The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86683V-72059CCI-000366Migrate the "/home" directory onto a separate file system/partition.Verify that a separate file system/partition has been created for non-privileged local interactive user home directories. - -Check the home directory assignment for all non-privileged users (those with a UID of 1000 or greater) on the system with the following command: - -# awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6, $7}' /etc/passwd - -adamsj 1000 /home/adamsj /bin/bash -jacksonm 1001 /home/jacksonm /bin/bash -smithj 1002 /home/smithj /bin/bash - -The output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, /home) and users' shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users. - -Check that a file system/partition has been created for the non-privileged interactive users with the following command: - -Note: The partition of /home is used in the example. 
- -# grep /home /etc/fstab -UUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2 - -If a separate entry for the file system/partition that contains the non-privileged interactive users' home directories does not exist, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021320The Red Hat Enterprise Linux operating system must use a separate file system for /var.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72061SV-86685CCI-000366Migrate the "/var" path onto a separate file system.Verify that a separate file system/partition has been created for "/var". 
- -Check that a file system/partition has been created for "/var" with the following command: - -# grep /var /etc/fstab -UUID=c274f65f /var ext4 noatime,nobarrier 1 2 - -If a separate entry for "/var" is not in use, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021330The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86687V-72063CCI-000366Migrate the system audit data path onto a separate file system.Determine if the operating system is configured to have the "/var/log/audit" path is on a separate file system. - -# grep /var/log/audit /etc/fstab - -If no result is returned, or the operating system is not configured to have "/var/log/audit" on a separate file system, this is a finding. 
- -Verify that "/var/log/audit" is mounted on a separate file system: - -# mount | grep "/var/log/audit" - -If no result is returned, or "/var/log/audit" is not on a separate file system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021340The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86689V-72065CCI-000366Start the "tmp.mount" service with the following command: - -# systemctl enable tmp.mount - -OR - -Edit the "/etc/fstab" file and ensure the "/tmp" directory is defined in the fstab with a device and mount point.Verify that a separate file system/partition has been created for "/tmp". - -Check that a file system/partition has been created for "/tmp" with the following command: - -# systemctl is-enabled tmp.mount -enabled - -If the "tmp.mount" service is not enabled, check to see if "/tmp" is defined in the fstab with a device and mount point: - -# grep -i /tmp /etc/fstab -UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp ext4 rw,relatime,discard,data=ordered,nosuid,noexec, 0 0 - -If "tmp.mount" service is not enabled or the "/tmp" directory is not defined in the fstab with a device and mount point, this is a finding. 
SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-07-021350The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. - -Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86691V-72067CCI-000068CCI-001199CCI-002450CCI-002476Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package. - -To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. 
- -Configure the operating system to implement DoD-approved encryption by following the steps below: - -The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a non-unique key. - -Install the dracut-fips package with the following command: - -# yum install dracut-fips - -Recreate the "initramfs" file with the following command: - -Note: This command will overwrite the existing "initramfs" file. - -# dracut -f - -Modify the kernel command line of the current kernel in the "grub.cfg" file by adding the following option to the GRUB_CMDLINE_LINUX key in the "/etc/default/grub" file and then rebuild the "grub.cfg" file: - -fips=1 - -Changes to "/etc/default/grub" require rebuilding the "grub.cfg" file as follows: - -On BIOS-based machines, use the following command: - -# grub2-mkconfig -o /boot/grub2/grub.cfg - -On UEFI-based machines, use the following command: - -# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg - -If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. 
You can identify a partition by running the df /boot or df /boot/efi command: - -# df /boot -Filesystem 1K-blocks Used Available Use% Mounted on -/dev/sda1 495844 53780 416464 12% /boot - -To ensure the "boot=" configuration option will work even if device naming changes occur between boots, identify the universally unique identifier (UUID) of the partition with the following command: - -# blkid /dev/sda1 -/dev/sda1: UUID="05c000f1-a213-759e-c7a2-f11b7424c797" TYPE="ext4" - -For the example above, append the following string to the kernel command line: - -boot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797 - -If the file /etc/system-fips does not exists, recreate it: - -# touch /etc/ system-fips - -Reboot the system for the changes to take effect.Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions. - -Check to see if the "dracut-fips" package is installed with the following command: - -# yum list installed dracut-fips - -dracut-fips-033-360.el7_2.x86_64.rpm - -If a "dracut-fips" package is installed, check to see if the kernel command line is configured to use FIPS mode with the following command: - -Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines. - -# grep fips /boot/grub2/grub.cfg -/vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet - -If the kernel command line is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command: - -# cat /proc/sys/crypto/fips_enabled -1 - -If a "dracut-fips" package is not installed, the kernel command line does not have a fips entry, or the system has a value of "0" for "fips_enabled" in "/proc/sys/crypto", this is a finding. - -Verify the file /etc/system-fips exists. 
- -# ls -l /etc/system-fips - -If this file does not exist, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021600The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).<VulnDiscussion>ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86693V-72069CCI-000366Configure the file integrity tool to check file and directory ACLs. - -If AIDE is installed, ensure the "acl" rule is present on all uncommented file and directory selection lists.Verify the file integrity tool is configured to verify ACLs. - -Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. - -Use the following command to determine if the file is in another location: - - # find / -name aide.conf - -Check the "aide.conf" file to determine if the "acl" rule has been added to the rule list being applied to the files and directories selection lists. 
- -An example rule that includes the "acl" rule is below: - - All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux - /bin All # apply the custom rule to the files in bin - /sbin All # apply the same custom rule to the files in sbin - -If the "acl" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021610The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.<VulnDiscussion>Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86695V-72071CCI-000366Configure the file integrity tool to check file and directory extended attributes. - -If AIDE is installed, ensure the "xattrs" rule is present on all uncommented file and directory selection lists.Verify the file integrity tool is configured to verify extended attributes. - -Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. - -Use the following command to determine if the file is in another location: - # find / -name aide.conf - -Check the "aide.conf" file to determine if the "xattrs" rule has been added to the rule list being applied to the files and directories selection lists. 
- -An example rule that includes the "xattrs" rule follows: - - All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux - /bin All # apply the custom rule to the files in bin - /sbin All # apply the same custom rule to the files in sbin - -If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021620The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.<VulnDiscussion>File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes. - -Red Hat Enterprise Linux operating system installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86697V-72073CCI-000366Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents. - -If AIDE is installed, ensure the "sha512" rule is present on all uncommented file and directory selection lists. 
Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications.Verify the file integrity tool is configured to use FIPS 140-2-approved cryptographic hashes for validating file contents and directories. - -Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. - -Use the following command to determine if the file is in another location: - - # find / -name aide.conf - -Check the "aide.conf" file to determine if the "sha512" rule has been added to the rule list being applied to the files and directories selection lists. Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications. - -An example rule that includes the "sha512" rule follows: - - All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux - /bin All # apply the custom rule to the files in bin - /sbin All # apply the same custom rule to the files in sbin - -If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2-approved cryptographic hashes for validating file contents and directories, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-021700The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.<VulnDiscussion>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. 
If removable media is designed to be used as the boot loader, the requirement must be documented with the information system security officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86699V-72075CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.Verify the system is not configured to use a boot loader on removable media. - -Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines. - -Check for the existence of alternate boot loader configuration files with the following command: - - # find / -name grub.cfg - /boot/efi/EFI/redhat/grub.cfg - -If a "grub.cfg" is found in any subdirectories other than "/boot/grub2/" and "/boot/efi/EFI/redhat/", ask the system administrator (SA) if there is documentation signed by the ISSO to approve the use of removable media as a boot loader. 
- -List the number of menu entries defined in the grub configuration file with the following command (the number will vary between systems): - - # grep -cw menuentry /boot/efi/EFI/redhat/grub.cfg - 4 - -Check that the grub configuration file has the "set root" command for each menu entry with the following command ("set root" defines the disk and partition or directory where the kernel and GRUB 2 modules are stored): - - # grep 'set root' /boot/efi/EFI/redhat/grub.cfg - set root='hd0,gpt2' - set root='hd0,gpt2' - set root='hd0,gpt2' - set root='hd0,gpt2' - -If the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-07-021710The Red Hat Enterprise Linux operating system must not have the telnet-server package installed.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). 
- -Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72077SV-86701CCI-000381Configure the operating system to disable non-essential capabilities by removing the telnet-server package from the system with the following command: - -# yum remove telnet-serverVerify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. - -The telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session. - -If a privileged user were to log on using this service, the privileged user password could be compromised. - -Check to see if the telnet-server package is installed with the following command: - -# yum list installed telnet-server - -If the telnet-server package is installed, this is a finding.SRG-OS-000038-GPOS-00016<GroupDescription></GroupDescription>RHEL-07-030000The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. 
These audit records must also identify individual identities of group account users.<VulnDiscussion>Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - -Satisfies: SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86703V-72079CCI-000126CCI-000131Configure the operating system to produce audit records containing information to establish when (date and time) the events occurred. - -Enable the auditd service with the following command: - -# systemctl start auditd.serviceVerify the operating system produces audit records containing information to establish when (date and time) the events occurred. 
- -Check to see if auditing is active by issuing the following command: - -# systemctl is-active auditd.service -active - -If the "auditd" status is not active, this is a finding.SRG-OS-000046-GPOS-00022<GroupDescription></GroupDescription>RHEL-07-030010The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. - -Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. - -This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. - -Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72081SV-86705CCI-000139Configure the operating system to shut down in the event of an audit processing failure. 
- -Add or correct the option to shut down the operating system with the following command: - - # auditctl -f 2 - -Edit the "/etc/audit/rules.d/audit.rules" file and add the following line: - - -f 2 - -If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure with the following command: - - # auditctl -f 1 - -Edit the "/etc/audit/rules.d/audit.rules" file and add the following line: - - -f 1 - -Kernel log monitoring must also be configured to properly alert designated staff. - -The audit daemon must be restarted for the changes to take effect.Confirm the audit configuration regarding how auditing processing failures are handled. - -Check to see what level "auditctl" is set to with following command: - - # auditctl -s | grep -i "fail" - failure 2 - -Note: If the value of "failure" is set to "2", the system is configured to panic (shut down) in the event of an auditing failure. If the value of "failure" is set to "1", the system will not shut down and instead will record the audit failure in the kernel log. If the system is configured as per requirement RHEL-07-031000, the kernel log will be sent to a log aggregation server and generate an alert. - -If the "failure" setting is set to any value other than "1" or "2", this is a finding. - -If the "failure" setting is not set, this should be upgraded to a CAT I finding. 
- -If the "failure" setting is set to "1" but the availability concern is not documented or there is no monitoring of the kernel log, this should be downgraded to a CAT III finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030201The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Off-loading is a common process in information systems with limited audit storage capacity. - -One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. Without the configuration of the "au-remote" plugin, the audisp-remote daemon will not off load the logs from the system being audited. - -Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95729V-81017CCI-001851Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values: - -active = yes -direction = out -path = /sbin/audisp-remote -type = always - -The audit daemon must be restarted for changes to take effect: - -# service auditd restartVerify the "au-remote" plugin is configured to always off-load audit logs using the audisp-remote daemon: - -# cat /etc/audisp/plugins.d/au-remote.conf | grep -v "^#" - -active = yes -direction = out -path = /sbin/audisp-remote -type = always -format = string - -If "active" is not set to "yes", "direction" is not set to 
"out", "path" is not set to "/sbin/audisp-remote", "type" is not set to "always", or any of the lines are commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media. - -If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030210The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Off-loading is a common process in information systems with limited audit storage capacity. - -One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. When the remote buffer is full, audit logs will not be collected and sent to the central log server. - -Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-81019SV-95731CCI-001851Edit the /etc/audisp/audispd.conf file and add or update the "overflow_action" option: - -overflow_action = syslog - -The audit daemon must be restarted for changes to take effect: - -# service auditd restartVerify the audisp daemon is configured to take an appropriate action when the internal queue is full: - -# grep "overflow_action" /etc/audisp/audispd.conf - -overflow_action = syslog - -If the "overflow_action" option is not "syslog", "single", or "halt", or the 
line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate what action that system takes when the internal queue is full. - -If there is no evidence the system is configured to off-load audit logs to a different system or storage media or, if the configuration does not take appropriate action when the internal queue is full, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030211The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Off-loading is a common process in information systems with limited audit storage capacity. - -One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system. 
- -Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95733V-81021CCI-001851Edit the /etc/audisp/audispd.conf file and add or update the "name_format" option: - -name_format = hostname - -The audit daemon must be restarted for changes to take effect: - -# service auditd restartVerify the audisp daemon is configured to label all off-loaded audit logs: - -# grep "name_format" /etc/audisp/audispd.conf - -name_format = hostname - -If the "name_format" option is not "hostname", "fqd", or "numeric", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate if the logs are labeled appropriately. - -If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not appropriately label logs before they are off-loaded, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030300The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Off-loading is a common process in information systems with limited audit storage capacity. 
- -Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72083SV-86707CCI-001851Configure the operating system to off-load audit records onto a different system or media from the system being audited. - -Set the remote server option in "/etc/audisp/audisp-remote.conf" with the IP address of the log aggregation server.Verify the operating system off-loads audit records onto a different system or media from the system being audited. - -To determine the remote server that the records are being sent to, use the following command: - -# grep -i remote_server /etc/audisp/audisp-remote.conf -remote_server = 10.0.21.1 - -If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. - -If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030310The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Off-loading is a common process in information systems with limited audit storage capacity. 
- -Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72085SV-86709CCI-001851Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. - -Uncomment the "enable_krb5" option in "/etc/audisp/audisp-remote.conf" and set it with the following line: - -enable_krb5 = yesVerify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited. - -To determine if the transfer is encrypted, use the following command: - -# grep -i enable_krb5 /etc/audisp/audisp-remote.conf -enable_krb5 = yes - -If the value of the "enable_krb5" option is not set to "yes" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. - -If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030320The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.<VulnDiscussion>Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. 
-One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72087SV-86711CCI-001851Configure the action the operating system takes if the disk the audit records are written to becomes full. - -Uncomment or edit the "disk_full_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt", such as the following line: - -disk_full_action = singleVerify the action the operating system takes if the disk the audit records are written to becomes full. - -To determine the action that takes place if the disk is full on the remote server, use the following command: - -# grep -i disk_full_action /etc/audisp/audisp-remote.conf -disk_full_action = single - -If the value of the "disk_full_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate the action taken when the disk is full on the remote server. 
- -If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action when the disk is full on the remote server, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030321The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system.<VulnDiscussion>Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records. -One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73163SV-87815CCI-001851Configure the action the operating system takes if there is an error sending audit records to a remote system. - -Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt". - -network_failure_action = syslogVerify the action the operating system takes if there is an error sending audit records to a remote system. 
- -Check the action that takes place if there is an error sending audit records to a remote system with the following command: - -# grep -i network_failure_action /etc/audisp/audisp-remote.conf -network_failure_action = syslog - -If the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate the action taken if there is an error sending audit records to the remote system. - -If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action if there is an error sending audit records to the remote system, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030330The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72089SV-86713CCI-001855Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of 
the repository maximum audit record storage capacity. - -Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25 percent of the partition size. -space_left = 25% -Reload the auditd daemon to apply changes made to the "/etc/audit/auditd.conf" file.Verify the operating system initiates an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. - -Check the system configuration to determine the partition the audit records are being written to with the following command: - -$ sudo grep -iw log_file /etc/audit/auditd.conf -log_file = /var/log/audit/audit.log - -Determine what the threshold is for the system to take action when 75 percent of the repository maximum audit record storage capacity is reached: - -$ sudo grep -iw space_left /etc/audit/auditd.conf -space_left = 25% - -If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030340The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.<VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise 
Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72091SV-86715CCI-001855Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. - -Uncomment or edit the "space_left_action" keyword in "/etc/audit/auditd.conf" and set it to "email". - -space_left_action = emailVerify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. - -Check what action the operating system takes when the threshold for the repository maximum audit record storage capacity is reached with the following command: - -# grep -i space_left_action /etc/audit/auditd.conf -space_left_action = email - -If the value of the "space_left_action" keyword is not set to "email", this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030350The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.<VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72093SV-86717CCI-001855Configure the operating system 
to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. - -Uncomment or edit the "action_mail_acct" keyword in "/etc/audit/auditd.conf" and set it to root and any other accounts associated with security personnel. - -action_mail_acct = rootVerify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. - -Check what account the operating system emails when the threshold for the repository maximum audit record storage capacity is reached with the following command: - -# grep -i action_mail_acct /etc/audit/auditd.conf -action_mail_acct = root - -If the value of the "action_mail_acct" keyword is not set to "root" and other accounts for security personnel, this is a finding.SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>RHEL-07-030360The Red Hat Enterprise Linux operating system must audit all executions of privileged functions.<VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. 
Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72095SV-86719CCI-002234Configure the operating system to audit the execution of privileged functions. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid --a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid --a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid --a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid - -The audit daemon must be restarted for the changes to take effect.Verify the operating system audits the execution of privileged functions using the following command: - -# grep -iw execve /etc/audit/audit.rules - --a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid --a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid --a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid --a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid - - -If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. 
- -If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030370The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat, and lchown syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. 
- -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86721V-72097CCI-000126CCI-000172Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "chown", "fchown", "fchownat", and "lchown" syscalls. 
- -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep chown /etc/audit/audit.rules - --a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod - -If both the "b32" and "b64" audit rules are not defined for the "chown", "fchown", "fchownat", and "lchown" syscalls, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030410The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod, and fchmodat syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. 
- -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86729V-72105CCI-000172Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "chmod", "fchmod", and "fchmodat" syscalls. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "chmod", "fchmod", and "fchmodat" syscalls. 
- -Check the file system rules in "/etc/audit/audit.rules" with the following command: - -# grep chmod /etc/audit/audit.rules - --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod - -If both the "b32" and "b64" audit rules are not defined for the "chmod", "fchmod", and "fchmodat" syscalls, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030440The Red Hat Enterprise Linux operating system must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. 
- -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86735V-72111CCI-000172Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls. 
- -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep xattr /etc/audit/audit.rules - --a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod - -If both the "b32" and "b64" audit rules are not defined for the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030510The Red Hat Enterprise Linux operating system must audit all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. 
- -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86749V-72125CCI-000172CCI-002884Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls. 
- -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep 'open\|truncate\|creat' /etc/audit/audit.rules - --a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - -If both the "b32" and "b64" audit rules are not defined for the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls, this is a finding. - -If the output does not produce rules containing "-F exit=-EPERM", this is a finding. - -If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030560The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86759V-72135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "semanage" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "semanage" command occur. - -Check the file system rule in "/etc/audit/audit.rules" with the following command: - -$ sudo grep -w "/usr/sbin/semanage" /etc/audit/audit.rules - --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030570The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72137SV-86761CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setsebool" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setsebool" command occur. 
- -Check the file system rule in "/etc/audit/audit.rules" with the following command: - -$ sudo grep -w "/usr/sbin/setsebool" /etc/audit/audit.rules - --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030580The Red Hat Enterprise Linux operating system must audit all uses of the chcon command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72139SV-86763CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chcon" command occur. 
- -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chcon" command occur. - -Check the file system rule in "/etc/audit/audit.rules" with the following command: - -$ sudo grep -w "/usr/bin/chcon" /etc/audit/audit.rules - --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030590The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72141SV-86765CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setfiles" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setfiles" command occur. - -Check the file system rule in "/etc/audit/audit.rules" with the following command: - -$ sudo grep -w "/usr/sbin/setfiles" /etc/audit/audit.rules - --a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030610The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72145SV-86769CCI-000126CCI-000172CCI-002884Configure the operating system to generate audit records when unsuccessful account access events occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --w /var/run/faillock -p wa -k logins - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when unsuccessful account access events occur. - -Check the file system rule in "/etc/audit/audit.rules" with the following commands: - -# grep -i /var/run/faillock /etc/audit/audit.rules - --w /var/run/faillock -p wa -k logins - -If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030620The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72147SV-86771CCI-000126CCI-000172CCI-002884Configure the operating system to generate audit records when successful account access events occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --w /var/log/lastlog -p wa -k logins - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful account access events occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -i /var/log/lastlog /etc/audit/audit.rules - --w /var/log/lastlog -p wa -k logins - -If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030630The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. 
The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86773V-72149CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "passwd" command occur. - -Check the file system rule in "/etc/audit/audit.rules" with the following command: - -$ sudo grep -w "/usr/bin/passwd" /etc/audit/audit.rules - --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - -If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030640The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged password commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86775V-72151CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur. 
- -Check the file system rule in "/etc/audit/audit.rules" with the following command: - -$ sudo grep -w "/usr/sbin/unix_chkpwd" /etc/audit/audit.rules - --a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - -If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030650The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86777V-72153CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur. 
- -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "gpasswd" command occur. - -Check the file system rule in "/etc/audit/audit.rules" with the following command: - -$ sudo grep -w "/usr/bin/gpasswd" /etc/audit/audit.rules - --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - -If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030660The Red Hat Enterprise Linux operating system must audit all uses of the chage command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86779V-72155CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chage" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chage" command occur. - -Check the file system rule in "/etc/audit/audit.rules" with the following command: - -$ sudo grep -w "/usr/bin/chage" /etc/audit/audit.rules - --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - -If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030670The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
- -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86781V-72157CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "userhelper" command occur. 
- -Check the file system rule in "/etc/audit/audit.rules" with the following command: - -$ sudo grep -w "/usr/sbin/userhelper" /etc/audit/audit.rules - --a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - -If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030680The Red Hat Enterprise Linux operating system must audit all uses of the su command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86783V-72159CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur. 
- -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "su" command occur. - -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w "/usr/bin/su" /etc/audit/audit.rules - --a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030690The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72161SV-86785CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudo" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "sudo" command occur. - -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w "/usr/bin/sudo" /etc/audit/audit.rules - --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030700The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged access commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72163SV-86787CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --w /etc/sudoers -p wa -k privileged-actions - --w /etc/sudoers.d/ -p wa -k privileged-actions - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory. 
- -Check for modification of the following files being audited by performing the following commands to check the file system rules in "/etc/audit/audit.rules": - -# grep -i "/etc/sudoers" /etc/audit/audit.rules - --w /etc/sudoers -p wa -k privileged-actions - -# grep -i "/etc/sudoers.d/" /etc/audit/audit.rules - --w /etc/sudoers.d/ -p wa -k privileged-actions - -If the commands do not return output that match the examples, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030710The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72165SV-86789CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "newgrp" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "newgrp" command occur. - -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w "/usr/bin/newgrp" /etc/audit/audit.rules - --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030720The Red Hat Enterprise Linux operating system must audit all uses of the chsh command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged access commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86791V-72167CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chsh" command occur. 
- -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w "/usr/bin/chsh" /etc/audit/audit.rules - --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030740The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72171SV-86795CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur. 
- -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount --a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount --a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur. - -Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w "mount" /etc/audit/audit.rules - --a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount --a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount --a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount - -If both the "b32" and "b64" audit rules are not defined for the "mount" syscall, this is a finding. - -If all uses of the "mount" command are not being audited, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030750The Red Hat Enterprise Linux operating system must audit all uses of the umount command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. 
The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72173SV-86797CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "umount" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "umount" command occur. - -Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w "/usr/bin/umount" /etc/audit/audit.rules - --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount - -If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030760The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged postfix commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72175SV-86799CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postdrop" command occur. 
- -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w "/usr/sbin/postdrop" /etc/audit/audit.rules - --a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix - -If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030770The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86801V-72177CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur. 
- -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postqueue" command occur. - -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w "/usr/sbin/postqueue" /etc/audit/audit.rules - --a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix - -If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030780The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86803V-72179CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. - -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w "/usr/libexec/openssh/ssh-keysign" /etc/audit/audit.rules - --a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh - -If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030800The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86807V-72183CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-cron - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "crontab" command occur. 
- -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w "/usr/bin/crontab" /etc/audit/audit.rules - --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-cron - -If the command does not return any output, this is a finding.SRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>RHEL-07-030810The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72185SV-86809CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. 
- -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -$ sudo grep -w "/usr/sbin/pam_timestamp_check" /etc/audit/audit.rules - --a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam - -If the command does not return any output, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030819The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-78999SV-93705CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. 
- -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S create_module -F auid>=1000 -F auid!=unset -k module-change - --a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -$ sudo grep -w "create_module" /etc/audit/audit.rules - --a always,exit -F arch=b32 -S create_module -F auid>=1000 -F auid!=unset -k module-change - --a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change - -If both the "b32" and "b64" audit rules are not defined for the "create_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030820The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. 
- -Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72187SV-86811CCI-000172Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange - --a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. 
- -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -$ sudo grep init_module /etc/audit/audit.rules - --a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange - --a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange - -If both the "b32" and "b64" audit rules are not defined for the "init_module" and "finit_module" syscalls, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030830The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72189SV-86813CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. 
- -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module-change - --a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module-change - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -$ sudo grep -w "delete_module" /etc/audit/audit.rules - --a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module-change - --a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module-change - -If both the "b32" and "b64" audit rules are not defined for the "delete_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030840The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86815V-72191CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "kmod" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "kmod" command occur. - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -$ sudo grep "/usr/bin/kmod" /etc/audit/audit.rules - --a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules - -If the command does not return any output, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-07-030870The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86821V-72197CCI-000018CCI-000172CCI-001403CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". - -Add or update the following rule "/etc/audit/rules.d/audit.rules": - --w /etc/passwd -p wa -k identity - -The audit daemon must be restarted for the changes to take effect.Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -# grep /etc/passwd /etc/audit/audit.rules - --w /etc/passwd -p wa -k identity - -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-07-030871The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87817V-73165CCI-000018CCI-000172CCI-001403CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --w /etc/group -p wa -k identity - -The audit daemon must be restarted for the changes to take effect.Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -# grep /etc/group /etc/audit/audit.rules - --w /etc/group -p wa -k identity - -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-07-030872The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87819V-73167CCI-000018CCI-000172CCI-001403CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --w /etc/gshadow -p wa -k identity - -The audit daemon must be restarted for the changes to take effect.Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -# grep /etc/gshadow /etc/audit/audit.rules - --w /etc/gshadow -p wa -k identity - -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-07-030873The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87823V-73171CCI-000018CCI-000172CCI-001403CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. - -Add or update the following file system rule in "/etc/audit/rules.d/audit.rules": - --w /etc/shadow -p wa -k identity - -The audit daemon must be restarted for the changes to take effect.Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -# grep /etc/shadow /etc/audit/audit.rules - --w /etc/shadow -p wa -k identity - -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-07-030874The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87825V-73173CCI-000018CCI-000172CCI-001403CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. - -Add or update the following file system rule in "/etc/audit/rules.d/audit.rules": - --w /etc/security/opasswd -p wa -k identity - -The audit daemon must be restarted for the changes to take effect: -# systemctl restart auditdVerify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -# grep /etc/security/opasswd /etc/audit/audit.rules - --w /etc/security/opasswd -p wa -k identity - -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000466-GPOS-00210<GroupDescription></GroupDescription>RHEL-07-030910The Red Hat Enterprise Linux operating system must audit all uses of the unlink, unlinkat, rename, renameat, and rmdir syscalls.<VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. 
Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - -Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72205SV-86829CCI-000172CCI-002884Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls. - -Add the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete - --a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls. 
- -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep 'unlink\|rename\|rmdir' /etc/audit/audit.rules - --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete - --a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete - -If both the "b32" and "b64" audit rules are not defined for the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-031000The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.<VulnDiscussion>Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event that the system is compromised or has a hardware failure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86833V-72209CCI-000366Modify the "/etc/rsyslog.conf" or an "/etc/rsyslog.d/*.conf" file to contain a configuration line to send all "rsyslog" output to a log aggregation server: - -For UDP: - *.* @[logaggregationserver.example.mil]:[port] - -For TCP: - *.* @@[logaggregationserver.example.mil]:[port]Verify "rsyslog" is configured to send all messages to a log aggregation server. - -Check the configuration of "rsyslog" with the following command: - -Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf". 
- - # grep @ /etc/rsyslog.conf /etc/rsyslog.d/*.conf - - *.* @@[logaggregationserver.example.mil]:[port] - -If there are no lines in the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files that contain the "@" or "@@" symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all "rsyslog" output, ask the system administrator to indicate how the audit logs are offloaded to a different system or media. - -If the lines are commented out or there is no evidence that the audit logs are being sent to another log aggregation server, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-031010The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.<VulnDiscussion>Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of Service. 
- -If the system is intended to be a log aggregation server its use must be documented with the ISSO.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86835V-72211CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Modify the "/etc/rsyslog.conf" file to remove the "ModLoad imtcp", "ModLoad imudp", and "ModLoad imrelp" configuration lines, or document the system as being used for log aggregation.Verify that the system is not accepting "rsyslog" messages from other systems unless it is documented as a log aggregation server. - -Check the configuration of "rsyslog" with the following command: - -# grep imtcp /etc/rsyslog.conf -$ModLoad imtcp -# grep imudp /etc/rsyslog.conf -$ModLoad imudp -# grep imrelp /etc/rsyslog.conf -$ModLoad imrelp - -If any of the above modules are being loaded in the "/etc/rsyslog.conf" file, ask to see the documentation for the system being used for log aggregation. - -If the documentation does not exist, or does not specify the server as a log aggregation system, this is a finding.SRG-OS-000027-GPOS-00008<GroupDescription></GroupDescription>RHEL-07-040000The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.<VulnDiscussion>Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. 
- -This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72217SV-86841CCI-000054Configure the operating system to limit the number of concurrent sessions to "10" for all accounts and/or account types. - -Add the following line to the top of the /etc/security/limits.conf or in a ".conf" file defined in /etc/security/limits.d/ : - -* hard maxlogins 10Verify the operating system limits the number of concurrent sessions to "10" for all accounts and/or account types by issuing the following command: - -# grep "maxlogins" /etc/security/limits.conf /etc/security/limits.d/*.conf - -* hard maxlogins 10 - -This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. 
- -If the "maxlogins" item is missing, commented out, or the value is not set to "10" or less for all domains that have the "maxlogins" item assigned, this is a finding.SRG-OS-000096-GPOS-00050<GroupDescription></GroupDescription>RHEL-07-040100The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.<VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. - -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. - -To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. 
- -Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72219SV-86843CCI-000382CCI-002314Update the host's firewall settings and/or running services to comply with the PPSM CLSA for the site or program and the PPSM CAL.Inspect the firewall configuration and running services to verify that it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited. - -Check which services are currently active with the following command: - -# firewall-cmd --list-all -public (default, active) - interfaces: enp0s3 - sources: - services: dhcpv6-client dns http https ldaps rpc-bind ssh - ports: - masquerade: no - forward-ports: - icmp-blocks: - rich rules: - -Ask the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA. - -If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-07-040110The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. 
- -Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. - -FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. - -The system will attempt to use the first cipher presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest cipher available to secure the SSH connection. - -Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72221SV-86845CCI-000068CCI-000366CCI-000803Configure SSH to use FIPS 140-2 approved cryptographic algorithms. - -Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). - -Ciphers aes256-ctr,aes192-ctr,aes128-ctr - -The SSH service must be restarted for changes to take effect.Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. - -The location of the "sshd_config" file may vary if a different daemon is in use. 
- -Inspect the "Ciphers" configuration with the following command: - -# grep -i ciphers /etc/ssh/sshd_config -Ciphers aes256-ctr,aes192-ctr,aes128-ctr - -If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-07-040160The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. - -Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. 
- -Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000163-GPOS-00072</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86847V-72223CCI-001133CCI-002361Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity. - -Create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as: - -#!/bin/bash - -declare -xr TMOUT=900Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity. - -Check the value of the system inactivity timeout with the following command: - -$ sudo grep -irw tmout /etc/profile /etc/bashrc /etc/profile.d - -etc/profile.d/tmout.sh:declare -xr TMOUT=900 - -If conflicting results are returned, this is a finding. -If "TMOUT" is not set to "900" or less to enforce session termination after inactivity, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-07-040170The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. 
- -System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - -The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." 
- -Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007 , SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72225SV-86849CCI-000048CCI-000050CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh. - -Edit the "/etc/ssh/sshd_config" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is: - -banner /etc/issue - -Either create the file containing the banner or replace the text in the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. 
- --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - -The SSH service must be restarted for changes to take effect.Verify any publicly accessible connection to the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. - -Check for the location of the banner file being used with the following command: - -# grep -i banner /etc/ssh/sshd_config - -banner /etc/issue - -This command will return the banner keyword and the name of the file that contains the ssh banner (in this case "/etc/issue"). - -If the line is commented out, this is a finding. - -View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DoD Notice and Consent Banner: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. 
- --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - -If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding. - -If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040180The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. 
- -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72227SV-86851CCI-001453Configure the operating system to implement cryptography to protect the integrity of LDAP authentication sessions. - -Add or modify the following line in "/etc/sssd/sssd.conf": - - ldap_id_use_start_tls = trueIf LDAP is not being utilized, this requirement is Not Applicable. - -Verify the operating system implements cryptography to protect the integrity of remote LDAP authentication sessions. - -To determine if LDAP is being used for authentication, use the following command: - - # systemctl status sssd.service - sssd.service - System Security Services Daemon - Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled) - Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago - -If the "sssd.service" is "active", then LDAP is being used. - -Determine the "id_provider" the LDAP is currently using: - - # grep -ir id_provider /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf - id_provider = ad - -If "id_provider" is set to "ad", this is Not Applicable. 
- -Ensure that LDAP is configured to use TLS by using the following command: - - # grep -ir start_tls /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf - ldap_id_use_start_tls = true - -If the "ldap_id_use_start_tls" option is not "true", this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040190The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72229SV-86853CCI-001453Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions. - -Add or modify the following line in "/etc/sssd/sssd.conf": - - ldap_tls_reqcert = demandIf LDAP is not being utilized, this requirement is Not Applicable. - -Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions. 
- -To determine if LDAP is being used for authentication, use the following command: - - # systemctl status sssd.service - sssd.service - System Security Services Daemon - Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled) - Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago - -If the "sssd.service" is "active", then LDAP is being used. - -Determine the "id_provider" the LDAP is currently using: - - # grep -ir id_provider /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf - id_provider = ad - -If "id_provider" is set to "ad", this is Not Applicable. - -Verify the sssd service is configured to require the use of certificates: - - # grep -ir tls_reqcert /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf - ldap_tls_reqcert = demand - -If the "ldap_tls_reqcert" setting is missing, commented out, or does not exist, this is a finding. - -If the "ldap_tls_reqcert" setting is not set to "demand" or "hard", this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040200The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. 
- -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86855V-72231CCI-001453Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions. - -Add or modify the following line in "/etc/sssd/sssd.conf": - - ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crtIf LDAP is not being utilized, this requirement is Not Applicable. - -Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions. - -To determine if LDAP is being used for authentication, use the following command: - - # systemctl status sssd.service - sssd.service - System Security Services Daemon - Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled) - Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago - -If the "sssd.service" is "active", then LDAP is being used. - -Determine the "id_provider" that the LDAP is currently using: - - # grep -ir id_provider /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf - id_provider = ad - -If "id_provider" is set to "ad", this is Not Applicable. 
- -Check the path to the X.509 certificate for peer authentication with the following command: - - # grep -ir tls_cacert /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf - ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt - -Verify the "ldap_tls_cacert" option points to a file that contains the trusted CA certificate. - -If this file does not exist, or the option is commented out or missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040201The Red Hat Enterprise Linux operating system must implement virtual address space randomization.<VulnDiscussion>Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-92521V-77825CCI-000366Configure the operating system implement virtual address space randomization. - -Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - kernel.randomize_va_space = 2 - -Issue the following command to make the changes take effect: - - # sysctl --systemVerify the operating system implements virtual address space randomization. 
- - # grep -r kernel.randomize_va_space /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null - kernel.randomize_va_space = 2 - -If "kernel.randomize_va_space" is not configured in the /etc/sysctl.conf file or or in any of the other sysctl.d directories, is commented out or does not have a value of "2", this is a finding. - -Check that the operating system implements virtual address space randomization with the following command: - - # /sbin/sysctl -a | grep kernel.randomize_va_space - kernel.randomize_va_space = 2 - -If "kernel.randomize_va_space" does not have a value of "2", this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-07-040300The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. - -Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa. 
- -Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86857V-72233CCI-002418CCI-002420CCI-002421CCI-002422Install SSH packages onto the host with the following commands: - -# yum install openssh-server.x86_64Check to see if sshd is installed with the following command: - -# yum list installed \*ssh\* -libssh2.x86_64 1.4.3-8.el7 @anaconda/7.1 -openssh.x86_64 6.6.1p1-11.el7 @anaconda/7.1 -openssh-server.x86_64 6.6.1p1-11.el7 @anaconda/7.1 - -If the "SSH server" package is not installed, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-07-040310The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
- -Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. - -Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86859V-72235CCI-002418CCI-002420CCI-002421CCI-002422Configure the SSH service to automatically start after reboot with the following command: - -# systemctl enable sshd.serviceVerify SSH is loaded and active with the following command: - -# systemctl status sshd -sshd.service - OpenSSH server daemon -Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled) -Active: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago -Main PID: 1348 (sshd) -CGroup: /system.slice/sshd.service -1053 /usr/sbin/sshd -D - -If "sshd" does not show a status of "active" and "running", this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-07-040320The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.<VulnDiscussion>Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or 
console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. - -Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. - -Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72237SV-86861CCI-001133CCI-002361Note: This setting must be applied in conjunction with RHEL-07-040340 to function correctly. - -Configure the SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes. - -Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): - - ClientAliveInterval 600 - -The SSH service must be restarted for changes to take effect.Verify the SSH server automatically terminates a user session after the SSH client has been unresponsive for 10 minutes. 
- -Check for the value of the "ClientAliveInterval" keyword with the following command: - - # grep -iw clientaliveinterval /etc/ssh/sshd_config - - ClientAliveInterval 600 - -If "ClientAliveInterval" is not configured, is commented out, or has a value of "0", this is a finding. - -If "ClientAliveInterval" has a value that is greater than "600" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040330The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72239SV-86863CCI-000366Configure the SSH daemon to not allow authentication using RSA rhosts authentication. - -Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no": - -RhostsRSAAuthentication no - -The SSH service must be restarted for changes to take effect.Check the version of the operating system with the following command: - -# cat /etc/redhat-release - -If the release is 7.4 or newer this requirement is Not Applicable. - -Verify the SSH daemon does not allow authentication using RSA rhosts authentication. 
- -To determine how the SSH daemon's "RhostsRSAAuthentication" option is set, run the following command: - -# grep RhostsRSAAuthentication /etc/ssh/sshd_config -RhostsRSAAuthentication no - -If the value is returned as "yes", the returned line is commented out, or no output is returned, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-07-040340The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.<VulnDiscussion>Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. - -Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. 
- -Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86865V-72241CCI-001133CCI-002361Note: This setting must be applied in conjunction with RHEL-07-040320 to function correctly. - -Configure the SSH server to terminate a user session automatically after the SSH client has become unresponsive. - -Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): - - ClientAliveCountMax 0 - -The SSH service must be restarted for changes to take effect.Verify the SSH server automatically terminates a user session after the SSH client has become unresponsive. 
- -Check for the value of the "ClientAliveCountMax" keyword with the following command: - - # grep -i clientalivecount /etc/ssh/sshd_config - ClientAliveCountMax 0 - -If "ClientAliveCountMax" is not set to "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040350The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72243SV-86867CCI-000366Configure the SSH daemon to not allow authentication using known hosts authentication. - -Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": - -IgnoreRhosts yesVerify the SSH daemon does not allow authentication using known hosts authentication. 
- -To determine how the SSH daemon's "IgnoreRhosts" option is set, run the following command: - -# grep -i IgnoreRhosts /etc/ssh/sshd_config - -IgnoreRhosts yes - -If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040360The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon.<VulnDiscussion>Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72245SV-86869CCI-000052Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/sshd" or in the "sshd_config" file used by the system ("/etc/ssh/sshd_config" will be used in the example) (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). - -Modify the "PrintLastLog" line in "/etc/ssh/sshd_config" to match the following: - -PrintLastLog yes - -The SSH service must be restarted for changes to "sshd_config" to take effect.Verify SSH provides users with feedback on when account accesses last occurred. 
- -Check that "PrintLastLog" keyword in the sshd daemon configuration file is used and set to "yes" with the following command: - -# grep -i printlastlog /etc/ssh/sshd_config -PrintLastLog yes - -If the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040370The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH.<VulnDiscussion>Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72247SV-86871CCI-000366Configure SSH to stop users from logging on remotely as the root user. - -Edit the appropriate "/etc/ssh/sshd_config" file to uncomment or add the line for the "PermitRootLogin" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): - -PermitRootLogin no - -The SSH service must be restarted for changes to take effect.Verify remote access using SSH prevents users from logging on directly as root. 
- -Check that SSH prevents users from logging on directly as root with the following command: - -# grep -i permitrootlogin /etc/ssh/sshd_config -PermitRootLogin no - -If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040380The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72249SV-86873CCI-000366Configure the SSH daemon to not allow authentication using known hosts authentication. - -Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": - -IgnoreUserKnownHosts yes - -The SSH service must be restarted for changes to take effect.Verify the SSH daemon does not allow authentication using known hosts authentication. 
- -To determine how the SSH daemon's "IgnoreUserKnownHosts" option is set, run the following command: - -# grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config - -IgnoreUserKnownHosts yes - -If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.SRG-OS-000074-GPOS-00042<GroupDescription></GroupDescription>RHEL-07-040390The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.<VulnDiscussion>SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. - -Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86875V-72251CCI-000197CCI-000366Remove all Protocol lines that reference version "1" in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The "Protocol" line must be as follows: - -Protocol 2 - -The SSH service must be restarted for changes to take effect.Check the version of the operating system with the following command: - -# cat /etc/redhat-release - -If the release is 7.4 or newer this requirement is Not Applicable. - -Verify the SSH daemon is configured to only use the SSHv2 protocol. 
- -Check that the SSH daemon is configured to only use the SSHv2 protocol with the following command: - -# grep -i protocol /etc/ssh/sshd_config -Protocol 2 -#Protocol 1,2 - -If any protocol line other than "Protocol 2" is uncommented, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040400The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.<VulnDiscussion>DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA. - -The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86877V-72253CCI-001453Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-512" and/or "hmac-sha2-256" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): - -MACs hmac-sha2-512,hmac-sha2-256 - -The SSH service must be restarted for changes to take effect.Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes. 
- -Note: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes. - -Check that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes with the following command: - -# grep -i macs /etc/ssh/sshd_config -MACs hmac-sha2-512,hmac-sha2-256 - -If any hashes other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, they are missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040410The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.<VulnDiscussion>If a public host key file is modified by an unauthorized user, the SSH service may be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72255SV-86879CCI-000366Note: SSH public key files may be found in other directories on the system depending on the installation. - -Change the mode of public host key files under "/etc/ssh" to "0644" with the following command: - -# chmod 0644 /etc/ssh/*.key.pubVerify the SSH public host key files have mode "0644" or less permissive. - -Note: SSH public key files may be found in other directories on the system depending on the installation. 
- -The following command will find all SSH public key files on the system: - -# find /etc/ssh -name '*.pub' -exec ls -lL {} \; - --rw-r--r-- 1 root root 618 Nov 28 06:43 ssh_host_dsa_key.pub --rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub --rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub - -If any file has a mode more permissive than "0644", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040420The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive.<VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72257SV-86881CCI-000366Configure the mode of SSH private host key files under "/etc/ssh" to "0640" with the following command: - -# chmod 0640 /path/to/file/ssh_host*keyVerify the SSH private host key files have mode "0640" or less permissive. 
- -The following command will find all SSH private key files on the system and list their modes: - - # find / -name '*ssh_host*key' | xargs ls -lL - - -rw-r----- 1 root ssh_keys 112 Apr 1 11:59 ssh_host_dsa_key - -rw-r----- 1 root ssh_keys 202 Apr 1 11:59 ssh_host_key - -rw-r----- 1 root ssh_keys 352 Apr 1 11:59 ssh_host_rsa_key - -If any file has a mode more permissive than "0640", this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-040430The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.<VulnDiscussion>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72259SV-86883CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": - -GSSAPIAuthentication no - -The SSH service must be restarted for changes to take effect. 
- -If GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.Verify the SSH daemon does not permit GSSAPI authentication unless approved. - -Check that the SSH daemon does not permit GSSAPI authentication with the following command: - -# grep -i gssapiauth /etc/ssh/sshd_config -GSSAPIAuthentication no - -If the "GSSAPIAuthentication" keyword is missing, is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-040440The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.<VulnDiscussion>Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. 
To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72261SV-86885CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Uncomment the "KerberosAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": - -KerberosAuthentication no - -The SSH service must be restarted for changes to take effect. - -If Kerberos authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.Verify the SSH daemon does not permit Kerberos to authenticate passwords unless approved. 
- -Check that the SSH daemon does not permit Kerberos to authenticate passwords with the following command: - -# grep -i kerberosauth /etc/ssh/sshd_config -KerberosAuthentication no - -If the "KerberosAuthentication" keyword is missing, or is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040450The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.<VulnDiscussion>If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86887V-72263CCI-000366Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "yes": - -StrictModes yes - -The SSH service must be restarted for changes to take effect.Verify the SSH daemon performs strict mode checking of home directory configuration files. - -The location of the "sshd_config" file may vary if a different daemon is in use. 
- -Inspect the "sshd_config" file with the following command: - -# grep -i strictmodes /etc/ssh/sshd_config - -StrictModes yes - -If "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040460The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation.<VulnDiscussion>SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86889V-72265CCI-000366Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "sandbox" or "yes": - -UsePrivilegeSeparation sandbox - -The SSH service must be restarted for changes to take effect.Verify the SSH daemon performs privilege separation. 
- -Check that the SSH daemon performs privilege separation with the following command: - -# grep -i usepriv /etc/ssh/sshd_config - -UsePrivilegeSeparation sandbox - -If the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040470The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.<VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86891V-72267CCI-000366Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no": - - Compression no - -The SSH service must be restarted for changes to take effect.Note: For RHEL 7.4 and above, this requirement is not applicable. - -Verify the SSH daemon performs compression after a user successfully authenticates. 
- -Check that the SSH daemon performs compression after a user successfully authenticates with the following command: - - # grep -i compression /etc/ssh/sshd_config - Compression delayed - -If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>RHEL-07-040500The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. - -Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. - -Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). 
- -Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72269SV-86893CCI-001891CCI-002046Edit the "/etc/ntp.conf" or "/etc/chrony.conf" file and add or update an entry to define "maxpoll" to "16" as follows: - -server 0.rhel.pool.ntp.org iburst maxpoll 16 - -If NTP was running and "maxpoll" was updated, the NTP service must be restarted: - -# systemctl restart ntpd - -If NTP was not running, it must be started: - -# systemctl start ntpd - -If "chronyd" was running and "maxpoll" was updated, the service must be restarted: - -# systemctl restart chronyd.service - -If "chronyd" was not running, it must be started: - -# systemctl start chronyd.serviceCheck to see if NTP is running in continuous mode: - -# ps -ef | grep ntp - -If NTP is not running, check to see if "chronyd" is running in continuous mode: - -# ps -ef | grep chronyd - -If NTP or "chronyd" is not running, this is a finding. - -If the NTP process is found, then check the "ntp.conf" file for the "maxpoll" option setting: - -# grep maxpoll /etc/ntp.conf - -server 0.rhel.pool.ntp.org iburst maxpoll 16 - -If the "maxpoll" option is set to a number greater than 16 or the line is commented out, this is a finding. - -If the file does not exist, check the "/etc/cron.daily" subdirectory for a crontab file controlling the execution of the "ntpd -q" command. - -# grep -i "ntpd -q" /etc/cron.daily/* -# ls -al /etc/cron.* | grep ntp - -ntp - -If a crontab file does not exist in the "/etc/cron.daily" that executes the "ntpd -q" command, this is a finding. 
- -If the "chronyd" process is found, then check the "chrony.conf" file for the "maxpoll" option setting: - -# grep maxpoll /etc/chrony.conf - -server 0.rhel.pool.ntp.org iburst maxpoll 16 - -If the option is not set or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040520The Red Hat Enterprise Linux operating system must enable an application firewall, if available.<VulnDiscussion>Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network. - -Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86897V-72273CCI-000366Ensure the operating system's application firewall is enabled. - -Install the "firewalld" package, if it is not on the system, with the following command: - -# yum install firewalld - -Start the firewall via "systemctl" with the following command: - -# systemctl start firewalldVerify the operating system enabled an application firewall. - -Check to see if "firewalld" is installed with the following command: - -# yum list installed firewalld -firewalld-0.3.9-11.el7.noarch.rpm - -If the "firewalld" package is not installed, ask the System Administrator if another firewall application (such as iptables) is installed. - -If an application firewall is not installed, this is a finding. 
- -Check to see if the firewall is loaded and active with the following command: - -# systemctl status firewalld -firewalld.service - firewalld - dynamic firewall daemon - - Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled) - Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago - -If "firewalld" does not show a status of "loaded" and "active", this is a finding. - -Check the state of the firewall: - -# firewall-cmd --state -running - -If "firewalld" does not show a state of "running", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040530The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86899V-72275CCI-000052Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". - -Add the following line to the top of "/etc/pam.d/postlogin": - -session required pam_lastlog.so showfailedVerify users are provided with feedback on when account accesses last occurred. 
- -Check that "pam_lastlog" is used and not silent with the following command: - -# grep pam_lastlog /etc/pam.d/postlogin -session required pam_lastlog.so showfailed - -If "pam_lastlog" is missing from "/etc/pam.d/postlogin" file, or the silent option is present, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040540The Red Hat Enterprise Linux operating system must not contain .shosts files.<VulnDiscussion>The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86901V-72277CCI-000366Remove any found ".shosts" files from the system. - -# rm /[path]/[to]/[file]/.shostsVerify there are no ".shosts" files on the system. - -Check the system for the existence of these files with the following command: - -# find / -name '*.shosts' - -If any ".shosts" files are found on the system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040550The Red Hat Enterprise Linux operating system must not contain shosts.equiv files.<VulnDiscussion>The shosts.equiv files are used to configure host-based authentication for the system via SSH. 
Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86903V-72279CCI-000366Remove any found "shosts.equiv" files from the system. - -# rm /[path]/[to]/[file]/shosts.equivVerify there are no "shosts.equiv" files on the system. - -Check the system for the existence of these files with the following command: - -# find / -name shosts.equiv - -If any "shosts.equiv" files are found on the system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040600For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured.<VulnDiscussion>To provide availability for name resolution services, multiple redundant name servers are mandated. 
A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86905V-72281CCI-000366Configure the operating system to use two or more name servers for DNS resolution. - -Edit the "/etc/resolv.conf" file to uncomment or add the two or more "nameserver" option lines with the IP address of local authoritative name servers. If local host resolution is being performed, the "/etc/resolv.conf" file must be empty. An empty "/etc/resolv.conf" file can be created as follows: - -# echo -n > /etc/resolv.conf - -And then make the file immutable with the following command: - -# chattr +i /etc/resolv.conf - -If the "/etc/resolv.conf" file must be mutable, the required configuration must be documented with the Information System Security Officer (ISSO) and the file must be verified by the system file integrity tool.Determine whether the system is using local or DNS name resolution with the following command: - -# grep hosts /etc/nsswitch.conf -hosts: files dns - -If the DNS entry is missing from the host's line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty. - -Verify the "/etc/resolv.conf" file is empty with the following command: - -# ls -al /etc/resolv.conf --rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf - -If local host authentication is being used and the "/etc/resolv.conf" file is not empty, this is a finding. 
- -If the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file, verify the operating system is configured to use two or more name servers for DNS resolution. - -Determine the name servers used by the system with the following command: - -# grep nameserver /etc/resolv.conf -nameserver 192.168.1.2 -nameserver 192.168.1.3 - -If less than two lines are returned that are not commented out, this is a finding. - -Verify that the "/etc/resolv.conf" file is immutable with the following command: - -# sudo lsattr /etc/resolv.conf - -----i----------- /etc/resolv.conf - -If the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040610The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72283SV-86907CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - net.ipv4.conf.all.accept_source_route = 0 - -Issue the following command to make the changes take effect: - - # sysctl -systemVerify the system does not accept IPv4 source-routed packets. - - # grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null - net.ipv4.conf.all.accept_source_route = 0 - -If "net.ipv4.conf.all.accept_source_route" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "0", this is a finding. - -Check that the operating system implements the accept source route variable with the following command: - - # /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route - net.ipv4.conf.all.accept_source_route = 0 - -If the returned line does not have a value of "0", this is a finding. 
- -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040611The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92251SV-102353CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - net.ipv4.conf.all.rp_filter = 1 - -Issue the following command to make the changes take effect: - - # sysctl --systemVerify the system uses a reverse-path filter for IPv4: - - # grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null - net.ipv4.conf.all.rp_filter = 1 - -If "net.ipv4.conf.all.rp_filter" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "1", this is a finding. 
- -Check that the operating system implements the accept source route variable with the following command: - - # /sbin/sysctl -a | grep net.ipv4.conf.all.rp_filter - net.ipv4.conf.all.rp_filter = 1 - -If the returned line does not have a value of "1", this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040612The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92253SV-102355CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - net.ipv4.conf.default.rp_filter = 1 - -Issue the following command to make the changes take effect: - - # sysctl --systemVerify the system uses a reverse-path filter for IPv4: - - # grep -r net.ipv4.conf.default.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null - net.ipv4.conf.default.rp_filter = 1 - -If "net.ipv4.conf.default.rp_filter" is not configured in the /etc/sysctl.conf file or 
in any of the other sysctl.d directories, is commented out, or does not have a value of "1", this is a finding. - -Check that the operating system implements the accept source route variable with the following command: - - # /sbin/sysctl -a | grep net.ipv4.conf.default.rp_filter - net.ipv4.conf.default.rp_filter = 1 - -If the returned line does not have a value of "1", this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040620The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72285SV-86909CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - net.ipv4.conf.default.accept_source_route = 0 - -Issue the following command to make the changes take effect: - - # sysctl --systemVerify the system does not accept IPv4 source-routed packets by default. 
- - # grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null - net.ipv4.conf.default.accept_source_route = 0 - -If "net.ipv4.conf.default.accept_source_route" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "0", this is a finding. - -Check that the operating system implements the accept source route variable with the following command: - - # /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route - net.ipv4.conf.default.accept_source_route = 0 - -If the returned line does not have a value of "0", this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040630The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72287SV-86911CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - net.ipv4.icmp_echo_ignore_broadcasts = 1 - -Issue the following command to make the changes take effect: - - # sysctl --systemVerify the 
system does not respond to IPv4 ICMP echoes sent to a broadcast address. - - # grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null - -If "net.ipv4.icmp_echo_ignore_broadcasts" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "1", this is a finding. - -Check that the operating system implements the "icmp_echo_ignore_broadcasts" variable with the following command: - - # /sbin/sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts - net.ipv4.icmp_echo_ignore_broadcasts = 1 - -If the returned line does not have a value of "1", this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040640The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86913V-72289CCI-000366Set the system to not accept IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - net.ipv4.conf.default.accept_redirects = 0 - -Issue the following command to make the changes take effect: - - # sysctl --systemVerify the system will not accept IPv4 ICMP redirect messages. - - # grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null - -If "net.ipv4.conf.default.accept_redirects" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "0", this is a finding. - -Check that the operating system implements the value of the "accept_redirects" variables with the following command: - - # /sbin/sysctl -a | grep net.ipv4.conf.default.accept_redirects - net.ipv4.conf.default.accept_redirects = 0 - -If the returned line does not have a value of "0", this is a finding. 
- -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040641The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87827V-73175CCI-000366Set the system to ignore IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - net.ipv4.conf.all.accept_redirects = 0 - -Issue the following command to make the changes take effect: - - # sysctl --systemVerify the system ignores IPv4 ICMP redirect messages. - - # grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null - -If "net.ipv4.conf.all.accept_redirects" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "0", this is a finding. 
- -Check that the operating system implements the "accept_redirects" variables with the following command: - - # /sbin/sysctl -a | grep net.ipv4.conf.all.accept_redirects - net.ipv4.conf.all.accept_redirects = 0 - -If the returned line does not have a value of "0", this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040650The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72291SV-86915CCI-000366Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. - -Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - net.ipv4.conf.default.send_redirects = 0 - -Issue the following command to make the changes take effect: - - # sysctl --systemVerify the system does not allow interfaces to perform IPv4 ICMP redirects by default. 
- - # grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null - -If "net.ipv4.conf.default.send_redirects" is not configured in the "/etc/sysctl.conf" file or in any of the other sysctl.d directories, is commented out or does not have a value of "0", this is a finding. - -Check that the operating system implements the "default send_redirects" variables with the following command: - - # /sbin/sysctl -a | grep net.ipv4.conf.default.send_redirects - net.ipv4.conf.default.send_redirects = 0 - -If the returned line does not have a value of "0", this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040660The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72293SV-86917CCI-000366Configure the system to not allow interfaces to perform IPv4 ICMP redirects. 
- -Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - net.ipv4.conf.all.send_redirects = 0 - -Issue the following command to make the changes take effect: - - # sysctl --systemVerify the system does not send IPv4 ICMP redirect messages. - - # grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null - -If "net.ipv4.conf.all.send_redirects" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out or does not have a value of "0", this is a finding. - -Check that the operating system implements the "all send_redirects" variables with the following command: - - # /sbin/sysctl -a | grep net.ipv4.conf.all.send_redirects - net.ipv4.conf.all.send_redirects = 0 - -If the returned line does not have a value of "0", this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040670Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode.<VulnDiscussion>Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow then to collect information such as logon IDs, passwords, and key exchanges between systems. 
- -If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72295SV-86919CCI-000366Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented. - -Set the promiscuous mode of an interface to off with the following command: - -#ip link set dev <devicename> multicast off promisc offVerify network interfaces are not in promiscuous mode unless approved by the ISSO and documented. 
- -Check for the status with the following command: - -# ip link | grep -i promisc - -If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040680The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying.<VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86921V-72297CCI-000366If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command: - -# postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'Verify the system is configured to prevent unrestricted mail relaying. - -Determine if "postfix" is installed with the following commands: - -# yum list installed postfix -postfix-2.6.6-6.el7.x86_64.rpm - -If postfix is not installed, this is Not Applicable. 
- -If postfix is installed, determine if it is configured to reject connections from unknown or untrusted networks with the following command: - -# postconf -n smtpd_client_restrictions -smtpd_client_restrictions = permit_mynetworks, reject - -If the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040690The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.<VulnDiscussion>The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86923V-72299CCI-000366Document the "vsftpd" package with the ISSO as an operational requirement or remove it from the system with the following command: - -# yum remove vsftpdVerify an FTP server has not been installed on the system. 
- -Check to see if an FTP server has been installed with the following commands: - -# yum list installed vsftpd - - vsftpd-3.0.2.el7.x86_64.rpm - -If "vsftpd" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040700The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.<VulnDiscussion>If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86925V-72301CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Remove the TFTP package from the system with the following command: - -# yum remove tftp-serverVerify a TFTP server has not been installed on the system. 
- -Check to see if a TFTP server has been installed with the following command: - -# yum list installed tftp-server -tftp-server-0.49-9.el7.x86_64.rpm - -If TFTP is installed and the requirement for TFTP is not documented with the ISSO, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040710The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requirements.<VulnDiscussion>The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting. -X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. 
-If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86927V-72303CCI-000366Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): - -X11Forwarding no - -The SSH service must be restarted for changes to take effect: - -# systemctl restart sshdDetermine if X11Forwarding is disabled with the following command: - -# grep -i x11forwarding /etc/ssh/sshd_config | grep -v "^#" - -X11Forwarding no - -If the "X11Forwarding" keyword is set to "yes" and is not documented with the Information System Security Officer (ISSO) as an operational requirement or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040720The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.<VulnDiscussion>Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system 
files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86929V-72305CCI-000366Configure the TFTP daemon to operate in secure mode by adding the following line to "/etc/xinetd.d/tftp" (or modify the line to have the required value): - -server_args = -s /var/lib/tftpbootVerify the TFTP daemon is configured to operate in secure mode. - -Check to see if a TFTP server has been installed with the following commands: - -# yum list installed tftp-server -tftp-server.x86_64 x.x-x.el7 rhel-7-server-rpms - -If a TFTP server is not installed, this is Not Applicable. - -If a TFTP server is installed, check for the server arguments with the following command: - -# grep server_args /etc/xinetd.d/tftp -server_args = -s /var/lib/tftpboot - -If the "server_args" line does not have a "-s" option and a subdirectory is not assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040730The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved.<VulnDiscussion>Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. 
Graphical display managers have a long history of security vulnerabilities and must not be used unless approved and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86931V-72307CCI-000366Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. If reinstallation is not feasible, then continue with the following procedure: - -Open an SSH session and enter the following commands: - -$ sudo systemctl set-default multi-user.target - -$ sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils - -A reboot is required for the changes to take effect.Verify the system is configured to boot to the command line: - -$ systemctl get-default -multi-user.target - -If the system default target is not set to "multi-user.target" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding. - -Verify a graphical user interface is not installed: - -$ rpm -qa | grep xorg | grep server - -Ask the System Administrator if use of a graphical user interface is an operational requirement. - -If the use of a graphical user interface on the system is not documented with the ISSO, this is a finding. 
-SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040740The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86933V-72309CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - net.ipv4.ip_forward = 0 - -Issue the following command to make the changes take effect: - - # sysctl --systemVerify the system is not performing packet forwarding, unless the system is a router. - - # grep -r net.ipv4.ip_forward /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null - net.ipv4.ip_forward = 0 - -If "net.ipv4.ip_forward" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "0", this is a finding. - -Check that the operating system does not implement IP forwarding using the following command: - - # /sbin/sysctl -a | grep net.ipv4.ip_forward - net.ipv4.ip_forward = 0 - -If IP forwarding value is "1" and the system is hosting any application, database, or web servers, this is a finding. 
- -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040750The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.<VulnDiscussion>When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86935V-72311CCI-000366Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting. - -Ensure the "sec" option is defined as "krb5:krb5i:krb5p".Verify "AUTH_GSS" is being used to authenticate NFS mounts. 
- -To check if the system is importing an NFS file system, look for any entries in the "/etc/fstab" file that have a file system type of "nfs" with the following command: - -# cat /etc/fstab | grep nfs -192.168.21.5:/mnt/export /data1 nfs4 rw,sync ,soft,sec=krb5:krb5i:krb5p - -If the system is mounting file systems via NFS and has the sec option without the "krb5:krb5i:krb5p" settings, the "sec" option has the "sys" setting, or the "sec" option is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040800SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.<VulnDiscussion>Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s). It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the version 2 community strings.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86937V-72313CCI-000366If the "/etc/snmp/snmpd.conf" file exists, modify any lines that contain a community string value of "public" or "private" to another string value.Verify that a system using SNMP is not using default community strings. 
- -Check to see if the "/etc/snmp/snmpd.conf" file exists with the following command: - -# ls -al /etc/snmp/snmpd.conf - -rw------- 1 root root 52640 Mar 12 11:08 snmpd.conf - -If the file does not exist, this is Not Applicable. - -If the file does exist, check for the default community strings with the following commands: - -# grep public /etc/snmp/snmpd.conf -# grep private /etc/snmp/snmpd.conf - -If either of these commands returns any output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040810The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.<VulnDiscussion>If the systems access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86939V-72315CCI-000366If "firewalld" is installed and active on the system, configure rules for allowing specific services and hosts. - -If "firewalld" is not "active", enable "tcpwrappers" by configuring "/etc/hosts.allow" and "/etc/hosts.deny" to allow or deny access to specific hosts.If the "firewalld" package is not installed, ask the System Administrator (SA) if another firewall application (such as iptables) is installed. If an application firewall is not installed, this is a finding. - -Verify the system's access control program is configured to grant or deny system access to specific hosts. 
- -Check to see if "firewalld" is active with the following command: - -# systemctl status firewalld -firewalld.service - firewalld - dynamic firewall daemon -Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled) -Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago - -If "firewalld" is active, check to see if it is configured to grant or deny access to specific hosts or services with the following commands: - -# firewall-cmd --get-default-zone -public - -# firewall-cmd --list-all --zone=public -public (active) -target: default -icmp-block-inversion: no -interfaces: eth0 -sources: -services: mdns ssh -ports: -protocols: -masquerade: no -forward-ports: -icmp-blocks: - -If "firewalld" is not active, determine whether "tcpwrappers" is being used by checking whether the "hosts.allow" and "hosts.deny" files are empty with the following commands: - -# ls -al /etc/hosts.allow -rw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow - -# ls -al /etc/hosts.deny --rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.deny - -If "firewalld" and "tcpwrappers" are not installed, configured, and active, ask the SA if another access control program (such as iptables) is installed and active. Ask the SA to show that the running configuration grants or denies access to specific hosts or services. - -If "firewalld" is active and is not configured to grant access to specific hosts or "tcpwrappers" is not configured to grant or deny access to specific hosts, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040820The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured.<VulnDiscussion>IP tunneling mechanisms can be used to bypass network filtering. 
If tunneling is required, it must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72317SV-86941CCI-000366Remove all unapproved tunnels from the system, or document them with the ISSO.Verify the system does not have unauthorized IP tunnels configured. - -Check to see if "libreswan" is installed with the following command: - -# yum list installed libreswan -libreswan.x86-64 3.20-5.el7_4 - -If "libreswan" is installed, check to see if the "IPsec" service is active with the following command: - -# systemctl status ipsec -ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec -Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled) -Active: inactive (dead) - -If the "IPsec" service is active, check to see if any tunnels are configured in "/etc/ipsec.conf" and "/etc/ipsec.d/" with the following commands: - -# grep -iw conn /etc/ipsec.conf /etc/ipsec.d/*.conf - -If there are indications that a "conn" parameter is configured for a tunnel, ask the System Administrator if the tunnel is documented with the ISSO. 
- -If "libreswan" is installed, "IPsec" is active, and an undocumented tunnel is active, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040830The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72319SV-86943CCI-000366Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - net.ipv6.conf.all.accept_source_route = 0 - -Issue the following command to make the changes take effect: - - # sysctl --systemIf IPv6 is not enabled, the key will not exist, and this is Not Applicable. - -Verify the system does not accept IPv6 source-routed packets. 
- - # grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null - net.ipv6.conf.all.accept_source_route = 0 - -If "net.ipv6.conf.all.accept_source_route" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out or does not have a value of "0", this is a finding. - -Check that the operating system implements the accept source route variable with the following command: - - # /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route - net.ipv6.conf.all.accept_source_route = 0 - -If the returned lines do not have a value of "0", this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-07-041001The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed.<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. - -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. - -A privileged account is defined as an information system account with authorizations of a privileged user. - -Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
- -This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). - -Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87041V-72417CCI-001948CCI-001953CCI-001954Configure the operating system to implement multifactor authentication by installing the required packages. - -Install the pam_pkcs11 package with the following command: - -# yum install pam_pkcs11Verify the operating system has the packages required for multifactor authentication installed. - -Check for the presence of the packages required to support multifactor authentication with the following commands: - -# yum list installed pam_pkcs11 -pam_pkcs11-0.6.2-14.el7.noarch.rpm - -If the "pam_pkcs11" package is not installed, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-07-041002The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. 
- -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. - -A privileged account is defined as an information system account with authorizations of a privileged user. - -Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). - -Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72427SV-87051CCI-001948CCI-001953CCI-001954Configure the operating system to implement multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM). - -Modify all of the services lines in "/etc/sssd/sssd.conf" or in configuration files found under "/etc/sssd/conf.d" to include pam.Verify the operating system implements multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM). 
- -Check the "/etc/sssd/sssd.conf" file for the authentication services that are being used with the following command: - -# grep services /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf - -services = nss, pam - -If the "pam" service is not present on all "services" lines, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-07-041003The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication.<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. - -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. - -A privileged account is defined as an information system account with authorizations of a privileged user. - -Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). 
- -Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72433SV-87057CCI-001948CCI-001953CCI-001954Configure the operating system to do certificate status checking for PKI authentication. - -Modify all of the "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on".Verify the operating system implements certificate status checking for PKI authentication. - -Check to see if Online Certificate Status Protocol (OCSP) is enabled on the system with the following command: - -# grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -v "^#" - -cert_policy = ca, ocsp_on, signature; -cert_policy = ca, ocsp_on, signature; -cert_policy = ca, ocsp_on, signature; - -There should be at least three lines returned. - -If "ocsp_on" is not present in all uncommented "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf", this is a finding.SRG-OS-000424-GPOS-00188<GroupDescription></GroupDescription>RHEL-07-041010The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled.<VulnDiscussion>The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. 
These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73177SV-87829CCI-001443CCI-001444CCI-002418Configure the system to disable all wireless network interfaces with the following command: - -#nmcli radio wifi offVerify that there are no wireless interfaces configured on the system. - -This is N/A for systems that do not have wireless network adapters. - -Check for the presence of active wireless interfaces with the following command: - -# nmcli device -DEVICE TYPE STATE -eth0 ethernet connected -wlp3s0 wifi disconnected -lo loopback unmanaged - -If a wireless interface is configured and its use on the system is not documented with the Information System Security Officer (ISSO), this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010020The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.<VulnDiscussion>Without cryptographic integrity protections, system command and files can be altered by unauthorized users without detection. 
- -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86479V-71855CCI-001749Run the following command to determine which package owns the file: - -# rpm -qf <filename> - -The package can be reinstalled from a yum repository using the command: - -# sudo yum reinstall <packagename> - -Alternatively, the package can be reinstalled from trusted media using the command: - -# sudo rpm -Uvh <packagename>Verify the cryptographic hash of system files and commands match the vendor values. - -Check the cryptographic hash of system files and commands with the following command: - -Note: System configuration files (indicated by a "c" in the second column) are expected to change over time. Unusual modifications should be investigated through the system audit log. - -# rpm -Va --noconfig | grep '^..5' - -If there is any output from the command for system files or binaries, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020019The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool.<VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. 
These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92255SV-102357CCI-001263CCI-000366Install and enable the latest Trellix ENSLTP package.Check that the following package has been installed: - - # rpm -qa | grep -i mcafeetp - -If the "mcafeetp" package is not installed, this is a finding. - -Verify that the daemon is running: - - # ps -ef | grep -i mfetpd - -If the daemon is not running, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-032000The Red Hat Enterprise Linux operating system must use a virus scan program.<VulnDiscussion>Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. - -The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis. 
- -If the system processes inbound SMTP mail, the virus scanner must be configured to scan all received mail.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72213SV-86837CCI-001668CCI-000366Install an antivirus solution on the system.Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. - -If there is no anti-virus solution installed on the system, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010062The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. - -The ability to enable/disable a session lock is given to the user by default. 
Disabling the user’s ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-78995SV-93701CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. - -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - -Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. - - # touch /etc/dconf/db/local.d/locks/session - -Add the setting to lock the screensaver lock-enabled setting: - - /org/gnome/desktop/screensaver/lock-enabledVerify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Determine which profile the system database is using with the following command: - # grep system-db /etc/dconf/profile/user - system-db:local - -Check for the lock-enabled setting with the following command: - -Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. 
- - # grep -i lock-enabled /etc/dconf/db/local.d/locks/* - /org/gnome/desktop/screensaver/lock-enabled - -If the command does not return a result, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-07-020111The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.<VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. - -Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-100023SV-109127CCI-000366CCI-000778CCI-001958Configure the graphical user interface to disable the ability to automount devices. - -Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. - -Create or edit the /etc/dconf/db/local.d/00-No-Automount file and add the following: - -[org/gnome/desktop/media-handling] - -automount=false - -automount-open=false - -autorun-never=true - -Create or edit the /etc/dconf/db/local.d/locks/00-No-Automount file and add the following: -/org/gnome/desktop/media-handling/automount - -/org/gnome/desktop/media-handling/automount-open - -/org/gnome/desktop/media-handling/autorun-never - -Run the following command to update the database: - -# dconf updateNote: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable. 
- -Verify the operating system disables the ability to automount devices in a graphical user interface. - -Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. - -Check to see if automounter service is disabled with the following commands: -# cat /etc/dconf/db/local.d/00-No-Automount - -[org/gnome/desktop/media-handling] - -automount=false - -automount-open=false - -autorun-never=true - -If the output does not match the example above, this is a finding. - -# cat /etc/dconf/db/local.d/locks/00-No-Automount - -/org/gnome/desktop/media-handling/automount - -/org/gnome/desktop/media-handling/automount-open - -/org/gnome/desktop/media-handling/autorun-never - -If the output does not match the example, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021031The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.<VulnDiscussion>If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others. - -The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. 
The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not owned by a system account, assuming only system accounts have a UID lower than 1000. Run it once for each local partition [PART]: - -# find [PART] -xdev -type d -perm -0002 -uid +999 -print - -If there is output, this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>RHEL-07-910055The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion.<VulnDiscussion>If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. - -To ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification. - -Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. 
- -Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000162CCI-000163CCI-000164CCI-001314Change the mode of the audit log files with the following command: - -# chmod 0600 [audit_file] - -Change the owner and group owner of the audit log files with the following command: - -# chown root:root [audit_file]Verify the operating system audit records have proper permissions and ownership. - -List the full permissions and ownership of the audit log files with the following command. - -# ls -la /var/log/audit -total 4512 -drwx------. 2 root root 23 Apr 25 16:53 . -drwxr-xr-x. 17 root root 4096 Aug 9 13:09 .. --rw-------. 1 root root 8675309 Aug 9 12:54 audit.log - -Audit logs must be mode 0600 or less permissive. -If any are more permissive, this is a finding. - -The owner and group owner of all audit log files must both be "root". If any other owner or group owner is listed, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040711The Red Hat Enterprise Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.<VulnDiscussion>When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. 
This prevents remote hosts from connecting to the proxy display.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366Configure the SSH daemon to prevent remote hosts from connecting to the proxy display. - -Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11UseLocalhost" keyword and set its value to "yes" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): - -X11UseLocalhost yesVerify the SSH daemon prevents remote hosts from connecting to the proxy display. - -Check the SSH X11UseLocalhost setting with the following command: - -# sudo grep -i x11uselocalhost /etc/ssh/sshd_config -X11UseLocalhost yes - -If the "X11UseLocalhost" keyword is set to "no", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010341The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel.<VulnDiscussion>The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. 
If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366Remove the following entries from the sudoers file: -ALL ALL=(ALL) ALL -ALL ALL=(ALL:ALL) ALLVerify the "sudoers" file restricts sudo access to authorized personnel. -$ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/* - -If the either of the following entries are returned, this is a finding: -ALL ALL=(ALL) ALL -ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010342The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. 
-For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002227Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: - Defaults !targetpw - Defaults !rootpw - Defaults !runaspw - -Remove any configurations that conflict with the above from the following locations: - /etc/sudoers - /etc/sudoers.d/Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. - - $ sudo grep -Eir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#' - - /etc/sudoers:Defaults !targetpw - /etc/sudoers:Defaults !rootpw - /etc/sudoers:Defaults !runaspw - -If conflicting results are returned, this is a finding. -If "Defaults !targetpw" is not defined, this is a finding. -If "Defaults !rootpw" is not defined, this is a finding. -If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010343The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - -When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. 
- -If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002038Configure the "sudo" command to require re-authentication. -Edit the /etc/sudoers file: -$ sudo visudo - -Add or modify the following line: -Defaults timestamp_timeout=[value] -Note: The "[value]" must be a number that is greater than or equal to "0". - -Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ files.Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges. - -$ sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d -/etc/sudoers:Defaults timestamp_timeout=0 - -If conflicting results are returned, this is a finding. - -If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010483Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. -The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000213Configure the system to have a unique name for the grub superusers account. - -Edit the /etc/grub.d/01_users file and add or modify the following lines: - -set superusers="[someuniquestringhere]" -export superusers -password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD} - -Generate a new grub.cfg file with the following command: - -$ sudo grub2-mkconfig -o /boot/grub2/grub.cfgFor systems that use UEFI, this is Not Applicable. - -For systems that are running a version of RHEL prior to 7.2, this is Not Applicable. 
- -Verify that a unique name is set as the "superusers" account: - -# grep -iw "superusers" /boot/grub2/grub.cfg - set superusers="[someuniquestringhere]" - export superusers - -If "superusers" is identical to any OS account name or is missing a name, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010492Red Hat Enterprise Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. -The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000213Configure the system to have a unique name for the grub superusers account. 
- -Edit the /etc/grub.d/01_users file and add or modify the following lines: - -set superusers="[someuniquestringhere]" -export superusers -password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD} - -Generate a new grub.cfg file with the following command: - -$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfgFor systems that use BIOS, this is Not Applicable. - -For systems that are running a version of RHEL prior to 7.2, this is Not Applicable. - -Verify that a unique name is set as the "superusers" account: - -$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg - set superusers="[someuniquestringhere]" - export superusers - -If "superusers" is identical to any OS account name or is missing a name, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020021The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege.<VulnDiscussion>Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. - -Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002165CCI-002235Configure the operating system to confine SELinux users to roles that conform to least privilege. - -Use the following command to map the "staff_u" SELinux user to the "staff_r" and "sysadm_r" roles: - - $ sudo semanage user -m staff_u -R staff_r -R sysadm_r - -Use the following command to map the "user_u" SELinux user to the "user_r" role: - - $ sudo semanage -m user_u -R user_rVerify the operating system confines SELinux users to roles that conform to least privilege. - -Check the SELinux User list to SELinux Roles mapping by using the following command: - - $ sudo semanage user -l - - Labeling MLS/ MLS/ - SELinux User Prefix MCS Level MCS Range SELinux Roles - - guest_u user s0 s0 guest_r - root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r - staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r - sysadm_u user s0 s0-s0:c0.c1023 sysadm_r - system_u user s0 s0-s0:c0.c1023 system_r unconfined_r - unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r - user_u user s0 s0 user_r - xguest_u user s0 s0 xguest_r - -If the output differs from the above example, ask the system administrator (SA) to demonstrate how the SELinux User mappings are exercising least privilege. 
If deviations from the example are not documented with the information system security officer (ISSO) and do not demonstrate least privilege, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020022The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. - -Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002165CCI-002235Configure the operating system to prevent privileged accounts from utilizing SSH. -Use the following command to set the "ssh_sysadm_login" boolean to "off": - - $ sudo setsebool -P ssh_sysadm_login off - -Note: SELinux confined users mapped to sysadm_u are not allowed to login to the system over SSH, by default. 
If this is a required function, it can be configured by setting the ssh_sysadm_login SELinux boolean to "on" with the following command: - - $ sudo setsebool -P ssh_sysadm_login on - -This must be documented with the ISSO as an operational requirement.Verify the operating system prevents privileged accounts from utilizing SSH. -Check the SELinux ssh_sysadm_login boolean with the following command: - - $ sudo getsebool ssh_sysadm_login - ssh_sysadm_login --> off - -If the "ssh_sysadm_login" boolean is not "off" and is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020023The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command.<VulnDiscussion>Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. - -Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002165CCI-002235Configure the operating system to elevate the SELinux context when an administrator calls the sudo command. -Edit a file in the "/etc/sudoers.d" directory with the following command: - - $ sudo visudo -f /etc/sudoers.d/<customfile> - -Use the following example to build the <customfile> in the /etc/sudoers.d directory to allow any administrator belonging to a designated sudoers admin group to elevate their SELinux context with the use of the sudo command: - - %{designated_group_or_user_name} ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL - -Remove any configurations that conflict with the above from the following locations: - - /etc/sudoers - /etc/sudoers.d/Verify the operating system elevates the SELinux context when an administrator calls the sudo command with the following command: - -This command must be ran as root: - - # grep -r sysadm_r /etc/sudoers /etc/sudoers.d - %{designated_group_or_user_name} ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL - -If conflicting results are returned, this is a finding. 
- -If a designated sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to "sysadm_t" and "sysadm_r" with the use of the sudo command, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010291The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands: - -Perform a password reset: -$ sudo passwd [username] -Lock an account: -$ sudo passwd -l [username]Check the "/etc/shadow" file for blank passwords with the following command: - -$ sudo awk -F: '!$2 {print $1}' /etc/shadow - -If the command returns any results, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010339The Red Hat Enterprise Linux operating system must specify the default "include" directory for the /etc/sudoers file.<VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. 
Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. - -It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366Configure the /etc/sudoers file to only include the /etc/sudoers.d directory. - -Edit the /etc/sudoers file with the following command: - -$ sudo visudo - -Add or modify the following line: -#includedir /etc/sudoers.dNote: If the "include" and "includedir" directives are not present in the /etc/sudoers file, this requirement is not applicable. - -Verify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command: - -$ sudo grep include /etc/sudoers - -#includedir /etc/sudoers.d - -If the results are not "/etc/sudoers.d" or additional files or directories are specified, this is a finding. 
- -Verify the operating system does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command: - -$ sudo grep -r include /etc/sudoers.d - -If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010344The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - -When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. - -Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002038Configure the operating system to require users to supply a password for privilege escalation. - -Check the configuration of the "/etc/ pam.d/sudo" file with the following command: -$ sudo vi /etc/pam.d/sudo - -Remove any occurrences of "pam_succeed_if" in the file.Verify the operating system is not be configured to bypass password requirements for privilege escalation. 
- -Check the configuration of the "/etc/pam.d/sudo" file with the following command: - -$ sudo grep pam_succeed_if /etc/pam.d/sudo - -If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-07-020029The Red Hat Enterprise Linux operating system must use a file integrity tool to verify correct operation of all security functions.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. - -This requirement applies to the Red Hat Enterprise Linux operating system performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002696Install AIDE, initialize it, and perform a manual check. - -Install AIDE: - $ sudo yum install aide - -Initialize it: - $ sudo /usr/sbin/aide --init - - AIDE, version 0.15.1 - ### AIDE database at /var/lib/aide/aide.db.new.gz initialized. 
- -The new database will need to be renamed to be read by AIDE: - $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz - -Perform a manual check: - $ sudo /usr/sbin/aide --check - - AIDE, version 0.15.1 - ### All files match AIDE database. Looks okay! - -Done.Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions. - -Check that the AIDE package is installed with the following command: - $ sudo rpm -q aide - - aide-0.15.1-13.el7.x86_64 - -If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. - -If there is no application installed to perform integrity checks, this is a finding. - -If AIDE is installed, check if it has been initialized with the following command: - $ sudo /usr/sbin/aide --check - -If the output is "Couldn't open file /var/lib/aide/aide.db.gz for reading", this is a finding.SRG-OS-000123-GPOS-00064<GroupDescription></GroupDescription>RHEL-07-010271The Red Hat Enterprise Linux operating system must automatically expire temporary accounts within 72 hours.<VulnDiscussion>Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors. - -Temporary accounts are different from emergency accounts. 
Emergency accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements. - -The automatic expiration of temporary accounts may be extended as needed by the circumstances but it must not be extended indefinitely. A documented permanent account should be established for privileged users who need long-term maintenance accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-001682Configure the operating system to expire temporary accounts after 72 hours with the following command: - - $ sudo chage -E $(date -d +3days +%Y-%m-%d) <temporary_account_name>Verify temporary accounts have been provisioned with an expiration date of 72 hours. - -For every existing temporary account, run the following command to obtain its account expiration information: - - $ sudo chage -l <temporary_account_name> | grep -i "account expires" - -Verify each of these accounts has an expiration date set within 72 hours. -If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-07-040712The Red Hat Enterprise Linux operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.<VulnDiscussion>The use of FIPS-validated cryptographic algorithms is enforced by enabling kernel FIPS mode. 
In the event that kernel FIPS mode is disabled, the use of nonvalidated cryptographic algorithms will be permitted systemwide. The SSH server configuration must manually define only FIPS-validated key exchange algorithms to prevent the use of nonvalidated algorithms.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-001453Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in "/etc/ssh/sshd_config": - - KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 - -Restart the "sshd" service for changes to take effect: - - $ sudo systemctl restart sshdVerify that the SSH server is configured to use only FIPS-validated key exchange algorithms: - - $ sudo grep -i kexalgorithms /etc/ssh/sshd_config - KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 - -If "KexAlgorithms" is not configured, is commented out, or does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010090The Red Hat Enterprise Linux operating system must have the screen package installed.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The screen and tmux packages allow for a session lock to be implemented and configured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000057Install the screen package to allow the initiation of a session lock after a 15-minute period of inactivity. - -Install the screen program (if it is not on the system) with the following command: - - # yum install screen - -OR - -Install the tmux program (if it is not on the system) with the following command: - - # yum install tmuxVerify the operating system has the screen package installed. - -Check to see if the screen package is installed with the following command: - - # yum list installed screen - screen-4.3.1-3-x86_64.rpm - -If the screen package is not installed, check to see if the tmux package is installed with the following command: - - # yum list installed tmux - tmux-1.8-4.el7.x86_64.rpm - -If either the screen package or the tmux package is not installed, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-07-010375The Red Hat Enterprise Linux operating system must restrict access to the kernel message buffer.<VulnDiscussion>Restricting access to the kernel message buffer limits access only to root. 
This prevents attackers from gaining additional system information as a non-privileged user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-001090Configure the operating system to restrict access to the kernel message buffer. - -Set the system to the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or a config file in the /etc/sysctl.d/ directory: - - kernel.dmesg_restrict = 1 - -Remove any configurations that conflict with the above from the following locations: - /run/sysctl.d/ - /etc/sysctl.d/ - /usr/local/lib/sysctl.d/ - /usr/lib/sysctl.d/ - /lib/sysctl.d/ - /etc/sysctl.conf - -Reload settings from all system configuration files with the following command: - - $ sudo sysctl --systemVerify the operating system is configured to restrict access to the kernel message buffer with the following commands: - - $ sudo sysctl kernel.dmesg_restrict - kernel.dmesg_restrict = 1 - -If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding. - -Check that the configuration files are present to enable this kernel parameter: - - $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null - /etc/sysctl.conf:kernel.dmesg_restrict = 1 - /etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1 - -If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding. 
- -If conflicting results are returned, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010199The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility.<VulnDiscussion>When using the authconfig utility to modify authentication configuration settings, the "system-auth" and "password-auth" files and any custom settings that they may contain are overwritten. This can be avoided by creating new local configuration files and creating new or moving existing symbolic links to them. The authconfig utility will recognize the local configuration files and not overwrite them, while writing its own settings to the original configuration files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000196Create custom configuration files and their corresponding symbolic links: - -Rename the existing configuration files (skip this step if symbolic links are already present): - $ sudo mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac - $ sudo mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac - -Create custom system-auth configuration file: - $ sudo vi /etc/pam.d/system-auth-local - -The new file, at minimum, must contain the following lines: - -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth include system-auth-ac -auth sufficient pam_unix.so try_first_pass -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 - -account 
required pam_faillock.so -account include system-auth-ac - -password requisite pam_pwhistory.so remember=5 retry=3 -password requisite pam_pwquality.so retry=3 -password include system-auth-ac -password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok - -session include system-auth-ac - -Create custom password-auth configuration file: - $ sudo vi /etc/pam.d/password-auth-local - -The new file, at minimum, must contain the following lines: - -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth include password-auth-ac -auth sufficient pam_unix.so try_first_pass -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 - -account required pam_faillock.so -account include password-auth-ac - -password requisite pam_pwhistory.so use_authtok remember=5 retry=3 -password requisite pam_pwquality.so retry=3 -password include password-auth-ac -password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok - -session include password-auth-ac - -Create new or move existing symbolic links to the new custom configuration files: - $ sudo ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth - $ sudo ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth - -Once finished, the following file structure should be present: - $ sudo ls -1 /etc/pam.d/{password,system}-auth* - - /etc/pam.d/password-auth - /etc/pam.d/password-auth-ac - /etc/pam.d/password-auth-local - /etc/pam.d/system-auth - /etc/pam.d/system-auth-ac - /etc/pam.d/system-auth-local - -Note: With this solution in place, any custom settings to "system-auth" and "password-auth" will be retained and not overwritten by the use of the authconfig utility. 
The authconfig utility will write its settings to "system-auth-ac" and "password-auth-ac" and continue to function as expected.Verify "system-auth" and "password-auth" files are symbolic links pointing to "system-auth-local" and "password-auth-local": - $ sudo ls -l /etc/pam.d/{password,system}-auth - - lrwxrwxrwx. 1 root root 30 Apr 1 11:59 /etc/pam.d/password-auth -> /etc/pam.d/password-auth-local - lrwxrwxrwx. 1 root root 28 Apr 1 11:59 /etc/pam.d/system-auth -> /etc/pam.d/system-auth-local - -If system-auth and password-auth files are not symbolic links, this is a finding. - -If system-auth and password-auth are symbolic links but do not point to "system-auth-local" and "password-auth-local", this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-07-010019The Red Hat Enterprise Linux operating system must ensure cryptographic verification of vendor software packages.<VulnDiscussion>Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Red Hat cryptographically signs all software packages, which includes updates, with a GPG key to verify that they are valid.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-001749Install Red Hat package-signing keys on the system and verify their fingerprints match vendor values. - -Insert RHEL 7 installation disc or attach RHEL 7 installation image to the system. Mount the disc or image to make the contents accessible inside the system. 
- -Assuming the mounted location is "/media/cdrom", use the following command to copy Red Hat GPG key file onto the system: - - $ sudo cp /media/cdrom/RPM-GPG-KEY-redhat-release /etc/pki/rpm-gpg/ - -Import Red Hat GPG keys from key file into system keyring: - - $ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release - -Using the steps listed in the Check Text, confirm the newly imported keys show as installed on the system and verify their fingerprints match vendor values.Confirm Red Hat package-signing keys are installed on the system and verify their fingerprints match vendor values. - -Note: For Red Hat Enterprise Linux 7 software packages, Red Hat uses GPG keys labeled "release key 2" and "auxiliary key". The keys are defined in key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" by default. - -List Red Hat GPG keys installed on the system: - - $ sudo rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey | grep -i "red hat" - - gpg(Red Hat, Inc. (release key 2) <security@redhat.com>) - gpg(Red Hat, Inc. (auxiliary key) <security@redhat.com>) - -If Red Hat GPG keys "release key 2" and "auxiliary key" are not installed, this is a finding. - -List key fingerprints of installed Red Hat GPG keys: - - $ sudo gpg -q --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release - -If key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" is missing, this is a finding. - -Example output: - - pub 4096R/FD431D51 2009-10-22 Red Hat, Inc. (release key 2) <security@redhat.com> - Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51 - pub 1024D/2FA658E0 2006-12-01 Red Hat, Inc. (auxiliary key) <security@redhat.com> - Key fingerprint = 43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 2FA6 58E0 - -Compare key fingerprints of installed Red Hat GPG keys with fingerprints listed on Red Hat "Product Signing Keys" webpage at https://access.redhat.com/security/team/key. 
- -If key fingerprints do not match, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010063The Red Hat Enterprise Linux operating system must disable the login screen user list for graphical user interfaces.<VulnDiscussion>Leaving the user list enabled is a security risk as it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366Configure the operating system to disable the login screen user list for graphical user interfaces. - -Create or edit the gdm profile in "/etc/dconf/profile/" to contain the following lines: - - $ sudo vi /etc/dconf/profile/gdm - - user-db:user - system-db:gdm - file-db:/usr/share/gdm/greeter-dconf-defaults - -Create or edit the gdm database for machine-wide settings in "/etc/dconf/db/gdm.d/" with the following lines: - - $ sudo vi /etc/dconf/db/gdm.d/00-login-screen - - [org/gnome/login-screen] - disable-user-list=true - -Update the system databases by updating the dconf utility: - - $ sudo dconf update - -If the login screen user list persists after updating the system databases, you can restart the GNOME Desktop without rebooting the system: - - $ sudo systemctl restart gdmVerify that the operating system is configured to disable the login screen user list for graphical user interfaces. - -Note: If the system does not have the GNOME Desktop installed, this requirement is Not Applicable. 
- -Verify that the login screen user list for the GNOME Desktop is disabled with the following command: - - $ sudo grep -is disable-user-list /etc/dconf/db/gdm.d/* - - /etc/dconf/db/gdm.d/00-login-screen:disable-user-list=true - -If the variable "disable-user-list" is not defined in a file under "/etc/dconf/db/gdm.d/", is not set to "true", is missing or commented out, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-07-020028The Red Hat Enterprise Linux operating system must be configured to allow sending email notifications of configuration changes and adverse events to designated personnel.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. - -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-001744Install the "mailx" package on the system: - - $ sudo yum install mailxVerify that the operating system is configured to allow sending email notifications. - -Note: The "mailx" package provides the "mail" command that is used to send email messages. 
- -Verify that the "mailx" package is installed on the system: - - $ sudo yum list installed mailx - - mailx.x86_64 12.5-19.el7 @rhel-7-server-rpms - -If "mailx" package is not installed, this is a finding.
\ No newline at end of file
diff --git a/shared/references/disa-stig-rhel7-v3r14-xccdf-scap.xml b/shared/references/disa-stig-rhel7-v3r14-xccdf-scap.xml
deleted file mode 100644
index 2417b581376..00000000000
--- a/shared/references/disa-stig-rhel7-v3r14-xccdf-scap.xml
+++ /dev/null
@@ -1,15256 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - Red Hat Enterprise Linux 7 - oval:mil.disa.stig.rhel7os:def:1 - - - - - - accepted - Red Hat Enterprise Linux 7 STIG SCAP Benchmark - This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. - - - - - DISA - STIG.DOD.MIL - - Release: 3.14 Benchmark Date: 24 Jan 2024 - 3.4.1.22916 - 1.10.0 - - 003.014 - - DISA - DISA - DISA - STIG.DOD.MIL - - - I - Mission Critical Classified - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - I - Mission Critical Public - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - I - Mission Critical Sensitive - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - II - Mission Support Classified - 
<ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - II - Mission Support Public - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - II - Mission Support Sensitive - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - III - Administrative Classified - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - III - Administrative Public - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - III - Administrative 
Sensitive - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CAT I Only - This profile only includes rules that are Severity Category I. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - remember - The last n passwords for each user are saved in /etc/security/opasswd in order to force password change history and keep the user from alternating between the same password too frequently. - 5 - 0 - 4 - 5 - 10 - 24 - - - Account for auditd to send email when actions occurs - The setting for action_mail_acct in /etc/audit/auditd.conf - root - root - admin - - - Sensible umask - Enter default user umask - 077 - 007 - 022 - 027 - 077 - - - minimum password age - Minimum age of password in days - This will only apply to newly created accounts - 1 - 7 - 5 - 2 - 1 - 0 - - - maximum password age - Maximum age of password in days - This will only apply to newly created accounts - 60 - 60 - 90 - 120 - 180 - - - Maximum login attempts delay - Maximum time in seconds between fail login attempts before re-prompting. - 4 - 1 - 2 - 3 - 4 - 5 - - - net.ipv6.conf.all.accept_source_route - Trackers could be using source-routed packets to -generate traffic that seems to be intra-net, but actually was -created outside and has been redirected. 
- 0 - 1 - 0 - - - net.ipv4.icmp_echo_ignore_broadcasts - Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast - 1 - 1 - 0 - - - net.ipv4.conf.default.accept_source_route - Disable IP source routing? - 0 - 1 - 0 - - - net.ipv4.conf.default.accept_redirects - Disable ICMP Redirect Acceptance? - 0 - 1 - 0 - - - net.ipv4.conf.all.accept_source_route - Trackers could be using source-routed packets to -generate traffic that seems to be intra-net, but actually was -created outside and has been redirected. - 0 - 1 - 0 - - - net.ipv4.conf.all.accept_redirects - Disable ICMP Redirect Acceptance - 0 - 1 - 0 - - - SSH session Idle time - Specify duration of allowed idle time. - 600 - 300 - 600 - 900 - 3600 - 7200 - - - Inactivity timeout - Choose allowed duration of inactive SSH connections, shells, and X sessions - 900 - 300 - 600 - 900 - - - SRG-OS-000023-GPOS-00006 - <GroupDescription></GroupDescription> - - RHEL-07-010030 - The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. - <VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - -System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - -The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
- -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - - -Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-26970-4 - V-71859 - SV-86483 - CCI-000048 - Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. 
- -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command: - -# touch /etc/dconf/db/local.d/01-banner-message - -Add the following line to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message": - -[org/gnome/login-screen] -banner-message-enable=true - -Update the system databases: - -# dconf update - -Users must log out and back in again before the system-wide settings take effect. - - - - - - - - SRG-OS-000028-GPOS-00009 - <GroupDescription></GroupDescription> - - RHEL-07-010060 - The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures. - <VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. - -Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. 
- -Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80112-6 - SV-86515 - V-71891 - CCI-000056 - Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures. - -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following example: - - # touch /etc/dconf/db/local.d/00-screensaver - -Edit the "[org/gnome/desktop/screensaver]" section of the database file and add or update the following lines: - - # Set this to true to lock the screen when the screensaver activates - lock-enabled=true - -Update the system databases: - - # dconf update - -Users must log out and back in again before the system-wide settings take effect. - - - - - - - - SRG-OS-000375-GPOS-00160 - <GroupDescription></GroupDescription> - - RHEL-07-010061 - The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon. - <VulnDiscussion>To assure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse and compromise of the system. - -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. 
Government Personal Identity Verification card and the DoD Common Access Card. - -Satisfies: SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-77819 - SV-92515 - CCI-001948 - CCI-001953 - CCI-001954 - Configure the operating system to uniquely identify and authenticate users using multifactor authentication via a graphical user logon. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - -Note: The example is using the database local for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. - -# touch /etc/dconf/db/local.d/00-defaults - -Edit "[org/gnome/login-screen]" and add or update the following line: -enable-smartcard-authentication=true - -Update the system databases: -# dconf update - - - - - - - - SRG-OS-000029-GPOS-00010 - <GroupDescription></GroupDescription> - - RHEL-07-010070 - The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. - <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80110-0 - V-71893 - SV-86517 - CCI-000057 - Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. - -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - - # touch /etc/dconf/db/local.d/00-screensaver - -Edit /etc/dconf/db/local.d/00-screensaver and add or update the following lines: - - [org/gnome/desktop/session] - # Set the lock time out to 900 seconds before the session is considered idle - idle-delay=uint32 900 - -You must include the "uint32" along with the integer key values as shown. - -Update the system databases: - - # dconf update - -Users must log out and back in again before the system-wide settings take effect. - - - - - - - - - SRG-OS-000029-GPOS-00010 - <GroupDescription></GroupDescription> - - RHEL-07-010081 - The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface. 
- <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80371-8 - V-73155 - SV-87807 - CCI-000057 - Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. - -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - -Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. - - # touch /etc/dconf/db/local.d/locks/session - -Add the setting to lock the screensaver lock delay: - - /org/gnome/desktop/screensaver/lock-delay - - - - - - - - SRG-OS-000029-GPOS-00010 - <GroupDescription></GroupDescription> - - RHEL-07-010100 - The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces. 
- <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80111-8 - V-71899 - SV-86523 - CCI-000057 - Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces. - -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - - # touch /etc/dconf/db/local.d/00-screensaver - -Add the setting to enable screensaver locking after 15 minutes of inactivity: - - [org/gnome/desktop/screensaver] - - idle-activation-enabled=true - -Update the system databases: - - # dconf update - -Users must log out and back in again before the system-wide settings take effect. - - - - - - - - SRG-OS-000029-GPOS-00010 - <GroupDescription></GroupDescription> - - RHEL-07-010101 - The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. 
- <VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. - -The ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-78997 - SV-93703 - CCI-000057 - Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. - -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - -Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. 
- - # touch /etc/dconf/db/local.d/locks/session - -Add the setting to lock the screensaver idle-activation-enabled setting: - - /org/gnome/desktop/screensaver/idle-activation-enabled - - - - - - - - SRG-OS-000029-GPOS-00010 - <GroupDescription></GroupDescription> - - RHEL-07-010110 - The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated. - <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80370-0 - V-71901 - SV-86525 - CCI-000057 - Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated. 
- -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - - # touch /etc/dconf/db/local.d/00-screensaver - -Add the setting to enable session locking when a screensaver is activated: - - [org/gnome/desktop/screensaver] - lock-delay=uint32 5 - -The "uint32" must be included along with the integer key values as shown. - -Update the system databases: - - # dconf update - -Users must log out and back in again before the system-wide settings take effect. - - - - - - - - SRG-OS-000069-GPOS-00037 - <GroupDescription></GroupDescription> - - RHEL-07-010118 - The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords. - <VulnDiscussion>Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods. PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important security function could be bypassed if stack entries are not centralized.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-95715 - V-81003 - CCI-000192 - Configure PAM to utilize /etc/pam.d/system-auth when changing passwords. 
- -Add the following line to "/etc/pam.d/passwd" (or modify the line to have the required value): - -password substack system-auth - - - - - - - - SRG-OS-000069-GPOS-00037 - <GroupDescription></GroupDescription> - - RHEL-07-010119 - The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-87811 - V-73159 - CCI-000192 - Configure the operating system to use "pwquality" to enforce password complexity rules. - -Add the following line to "/etc/pam.d/system-auth" (or modify the line to have the required value): - - password requisite pam_pwquality.so retry=3 - -Note: The value of "retry" should be between "1" and "3". - - - - - - - - SRG-OS-000069-GPOS-00037 - <GroupDescription></GroupDescription> - - RHEL-07-010120 - The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character. 
- <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-86527 - V-71903 - CCI-000192 - Configure the operating system to enforce password complexity by requiring that at least one upper-case character be used by setting the "ucredit" option. - -Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - -ucredit = -1 - - - - - - - - SRG-OS-000070-GPOS-00038 - <GroupDescription></GroupDescription> - - RHEL-07-010130 - The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-86529 - V-71905 - CCI-000193 - Configure the system to require at least one lower-case character when creating or changing a password. - -Add or modify the following line -in "/etc/security/pwquality.conf": - -lcredit = -1 - - - - - - - - SRG-OS-000071-GPOS-00039 - <GroupDescription></GroupDescription> - - RHEL-07-010140 - The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-86531 - V-71907 - CCI-000194 - Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option. - -Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): - -dcredit = -1 - - - - - - - - SRG-OS-000266-GPOS-00101 - <GroupDescription></GroupDescription> - - RHEL-07-010150 - The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-86533 - V-71909 - CCI-001619 - Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the "ocredit" option. - -Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - -ocredit = -1 - - - - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> - - RHEL-07-010160 - The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-71911 - SV-86535 - CCI-000195 - Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed by setting the "difok" option. - -Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - -difok = 8 - - - - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> - - RHEL-07-010170 - The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-71913 - SV-86537 - CCI-000195 - Configure the operating system to require the change of at least four character classes when passwords are changed by setting the "minclass" option. - -Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value): - -minclass = 4 - - - - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> - - RHEL-07-010180 - The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-86539 - V-71915 - CCI-000195 - Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the "maxrepeat" option. - -Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value): - -maxrepeat = 3 - - - - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> - - RHEL-07-010190 - The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-86541 - V-71917 - CCI-000195 - Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the "maxclassrepeat" option. - -Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value): - -maxclassrepeat = 4 - - - - - - - - SRG-OS-000073-GPOS-00041 - <GroupDescription></GroupDescription> - - RHEL-07-010200 - The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords. - <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-71919 - SV-86543 - CCI-000196 - Configure the operating system to store only SHA512 encrypted representations of passwords. - -Add the following line in "/etc/pam.d/system-auth": - password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok - -Add the following line in "/etc/pam.d/password-auth": - password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok - -Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility; otherwise, manual changes to the listed files will be overwritten whenever the authconfig utility is used. - - - - - - - - SRG-OS-000073-GPOS-00041 - <GroupDescription></GroupDescription> - - RHEL-07-010210 - The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords. - <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27124-7 - V-71921 - SV-86545 - CCI-000196 - Configure the operating system to store only SHA512 encrypted representations of passwords. - -Add or update the following line in "/etc/login.defs": - -ENCRYPT_METHOD SHA512 - - - - - - - - SRG-OS-000073-GPOS-00041 - <GroupDescription></GroupDescription> - - RHEL-07-010220 - The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords. - <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27053-8 - V-71923 - SV-86547 - CCI-000196 - Configure the operating system to store only SHA512 encrypted representations of passwords. - -Add or update the following line in "/etc/libuser.conf" in the [defaults] section: - -crypt_style = sha512 - - - - - - - - SRG-OS-000075-GPOS-00043 - <GroupDescription></GroupDescription> - - RHEL-07-010230 - The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime. - <VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27002-5 - V-71925 - SV-86549 - CCI-000198 - Configure the operating system to enforce 24 hours/1 day as the minimum password lifetime. - -Add the following line in "/etc/login.defs" (or modify the line to have the required value): - -PASS_MIN_DAYS 1 - - - - - - - - - SRG-OS-000075-GPOS-00043 - <GroupDescription></GroupDescription> - - RHEL-07-010240 - The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime. - <VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-86551 - V-71927 - CCI-000198 - Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime: - -# chage -m 1 [user] - - - - - - - - SRG-OS-000076-GPOS-00044 - <GroupDescription></GroupDescription> - - RHEL-07-010250 - The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime. - <VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27051-2 - V-71929 - SV-86553 - CCI-000199 - Configure the operating system to enforce a 60-day maximum password lifetime restriction. 
- -Add the following line in "/etc/login.defs" (or modify the line to have the required value): - -PASS_MAX_DAYS 60 - - - - - - - - - SRG-OS-000076-GPOS-00044 - <GroupDescription></GroupDescription> - - RHEL-07-010260 - The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime. - <VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-71931 - SV-86555 - CCI-000199 - Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction. - -# chage -M 60 [user] - - - - - - - - SRG-OS-000077-GPOS-00045 - <GroupDescription></GroupDescription> - - RHEL-07-010270 - The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations. - <VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-26923-3 - V-71933 - SV-86557 - CCI-000200 - Configure the operating system to prohibit password reuse for a minimum of five generations. - -Add the following line in "/etc/pam.d/system-auth" (or modify the line to have the required value): - -password requisite pam_pwhistory.so remember=5 retry=3 - -Add the following line in "/etc/pam.d/password-auth" (or modify the line to have the required value): - -password requisite pam_pwhistory.so use_authtok remember=5 retry=3 - -Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility; otherwise, manual changes to the listed files will be overwritten whenever the authconfig utility is used. - - - - - - - - - SRG-OS-000078-GPOS-00046 - <GroupDescription></GroupDescription> - - RHEL-07-010280 - The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length. - <VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. - -Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-71935 - SV-86559 - CCI-000205 - Configure operating system to enforce a minimum 15-character password length. - -Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - -minlen = 15 - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-010290 - The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords. - <VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27286-4 - V-71937 - SV-86561 - CCI-000366 - If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. - -Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords. - -Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used. - - - - - - - - SRG-OS-000106-GPOS-00053 - <GroupDescription></GroupDescription> - - RHEL-07-010300 - The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password. 
- <VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27471-2 - SV-86563 - V-71939 - CCI-000766 - To explicitly disallow remote logon from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config": - -PermitEmptyPasswords no - -The SSH service must be restarted for changes to take effect. Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. - - - - - - - - SRG-OS-000118-GPOS-00060 - <GroupDescription></GroupDescription> - - RHEL-07-010310 - The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires. - <VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. 
- -Operating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27471-2 - SV-86565 - V-71941 - CCI-000795 - Configure the operating system to disable account identifiers (individuals, groups, roles, and devices) 35 days after the password has expired. - -Add the following line to "/etc/default/useradd" (or modify the line to have the required value): - - INACTIVE=35 - -DOD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires. - - - - - - - - SRG-OS-000373-GPOS-00156 - <GroupDescription></GroupDescription> - - RHEL-07-010340 - The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation. - <VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - -When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. 
- -Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80351-0 - V-71947 - SV-86571 - CCI-002038 - Configure the operating system to require users to supply a password for privilege escalation. - -Check the configuration of the "/etc/sudoers" file with the following command: -$ sudo visudo - -Remove any occurrences of "NOPASSWD" tags in the file. - -Check the configuration of the /etc/sudoers.d/* files with the following command: -$ sudo grep -ir nopasswd /etc/sudoers.d - -Remove any occurrences of "NOPASSWD" tags in the file. - - - - - - - - SRG-OS-000373-GPOS-00156 - <GroupDescription></GroupDescription> - - RHEL-07-010350 - The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation. - <VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - -When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. 
- -Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80350-2 - V-71949 - SV-86573 - CCI-002038 - Configure the operating system to require users to reauthenticate for privilege escalation. - -Check the configuration of the "/etc/sudoers" file with the following command: - -# visudo -Remove any occurrences of "!authenticate" tags in the file. - -Check the configuration of the "/etc/sudoers.d/*" files with the following command: - -# grep -i authenticate /etc/sudoers /etc/sudoers.d/* -Remove any occurrences of "!authenticate" tags in the file(s). - - - - - - - - SRG-OS-000480-GPOS-00226 - <GroupDescription></GroupDescription> - - RHEL-07-010430 - The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds. - <VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. - -Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. 
Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80352-8 - SV-86575 - V-71951 - CCI-000366 - Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt. - -Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or greater: - -FAIL_DELAY 4 - - - - - - - - - SRG-OS-000480-GPOS-00229 - <GroupDescription></GroupDescription> - - RHEL-07-010440 - The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface. 
- <VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80104-3 - V-71953 - SV-86577 - CCI-000366 - Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Add or edit the line for the "AutomaticLoginEnable" parameter in the [daemon] section of the "/etc/gdm/custom.conf" file to "false": - -[daemon] -AutomaticLoginEnable=false - - - - - - - - SRG-OS-000480-GPOS-00229 - <GroupDescription></GroupDescription> - - RHEL-07-010450 - The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system. - <VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80105-0 - V-71955 - SV-86579 - CCI-000366 - Configure the operating system to not allow an unrestricted account to log on to the system via a graphical user interface. 
- -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Add or edit the line for the "TimedLoginEnable" parameter in the [daemon] section of the "/etc/gdm/custom.conf" file to "false": - -[daemon] -TimedLoginEnable=false - - - - - - - - SRG-OS-000480-GPOS-00229 - <GroupDescription></GroupDescription> - - RHEL-07-010460 - The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables. - <VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27363-1 - SV-86581 - V-71957 - CCI-000366 - Configure the operating system to not allow users to override environment variables to the SSH daemon. - -Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for "PermitUserEnvironment" keyword and set the value to "no": - -PermitUserEnvironment no - -The SSH service must be restarted for changes to take effect. - - - - - - - - SRG-OS-000480-GPOS-00229 - <GroupDescription></GroupDescription> - - RHEL-07-010470 - The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system. 
- <VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27413-4 - SV-86583 - V-71959 - CCI-000366 - Configure the operating system to not allow a non-certificate trusted host SSH logon to the system. - -Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for "HostbasedAuthentication" keyword and set the value to "no": - -HostbasedAuthentication no - -The SSH service must be restarted for changes to take effect. - - - - - - - - SRG-OS-000080-GPOS-00048 - <GroupDescription></GroupDescription> - - RHEL-07-010481 - The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes. 
- <VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-77823 - SV-92519 - CCI-000213 - Configure the operating system to require authentication upon booting into single-user and maintenance modes. - -Add or modify the "ExecStart" line in "/usr/lib/systemd/system/rescue.service" to include "/usr/sbin/sulogin": - -ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" - - - - - - - - SRG-OS-000080-GPOS-00048 - <GroupDescription></GroupDescription> - - RHEL-07-010482 - Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes. - <VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27309-4 - SV-95717 - V-81005 - CCI-000213 - Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/grub2/user.cfg file. - -Generate an encrypted grub2 password for the grub superusers account with the following command: - -$ sudo grub2-setpassword -Enter password: -Confirm password: - - - - - - - - SRG-OS-000080-GPOS-00048 - <GroupDescription></GroupDescription> - - RHEL-07-010491 - Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes. - <VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80354-4 - SV-95719 - V-81007 - CCI-000213 - Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. - -Generate an encrypted grub2 password for the grub superusers account with the following command: - -$ sudo grub2-setpassword -Enter password: -Confirm password: - - - - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - RHEL-07-020000 - The Red Hat Enterprise Linux operating system must not have the rsh-server package installed. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). - -The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. 
- -If a privileged user were to log on using this service, the privileged user password could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27342-5 - V-71967 - SV-86591 - CCI-000381 - Configure the operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command: - -# yum remove rsh-server - - - - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - RHEL-07-020010 - The Red Hat Enterprise Linux operating system must not have the ypserv package installed. - <VulnDiscussion>Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27399-5 - V-71969 - SV-86593 - CCI-000381 - Configure the operating system to disable non-essential capabilities by removing the "ypserv" package from the system with the following command: - -# yum remove ypserv - - - - - - - - SRG-OS-000363-GPOS-00150 - <GroupDescription></GroupDescription> - - RHEL-07-020030 - The Red Hat Enterprise Linux operating system must be configured so that a 
file integrity tool verifies the baseline operating system configuration at least weekly. - <VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. - -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-86597 - V-71973 - CCI-001744 - Configure the file integrity tool to run automatically on the system at least weekly. - -The following example output is generic. It will set cron to run AIDE daily, but other file integrity tools may be used: - - # more /etc/cron.daily/aide - #!/bin/bash - - /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil - -Note: Per requirement RHEL-07-020028, the "mailx" package must be installed on the system to enable email functionality. 
- - - - - - - - SRG-OS-000366-GPOS-00153 - <GroupDescription></GroupDescription> - - RHEL-07-020050 - The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. - <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - -Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. - -Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. 
This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-26989-4 - V-71977 - SV-86601 - CCI-001749 - Configure the operating system to verify the signature of packages from a repository prior to install by setting the following option in the "/etc/yum.conf" file: - -gpgcheck=1 - - - - - - - - SRG-OS-000366-GPOS-00153 - <GroupDescription></GroupDescription> - - RHEL-07-020060 - The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. - <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - -Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. - -Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. 
Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80347-8 - V-71979 - SV-86603 - CCI-001749 - Configure the operating system to verify the signature of local packages prior to install by setting the following option in the "/etc/yum.conf" file: - -localpkg_gpgcheck=1 - - - - - - - - SRG-OS-000114-GPOS-00059 - <GroupDescription></GroupDescription> - - RHEL-07-020100 - The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage. - <VulnDiscussion>USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. 
- -Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-86607 - V-71983 - CCI-000366 - CCI-000778 - CCI-001958 - Configure the operating system to disable the ability to use the USB Storage kernel module. - -Create a file under "/etc/modprobe.d" with the following command: - - # touch /etc/modprobe.d/usb-storage.conf - -Add the following line to the created file: - - install usb-storage /bin/false - -Configure the operating system to disable the ability to use USB mass storage devices. - - # vi /etc/modprobe.d/blacklist.conf - -Add or update the line: - - blacklist usb-storage - - - - - - - - SRG-OS-000378-GPOS-00163 - <GroupDescription></GroupDescription> - - RHEL-07-020101 - The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required. 
- <VulnDiscussion>Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-77821 - SV-92517 - CCI-001958 - Configure the operating system to disable the ability to use the DCCP kernel module. - -Create a file under "/etc/modprobe.d" with the following command: - - # touch /etc/modprobe.d/dccp.conf - -Add the following line to the created file: - - install dccp /bin/false - -Ensure that the DCCP module is blacklisted: - - # vi /etc/modprobe.d/blacklist.conf - -Add or update the line: - - blacklist dccp - - - - - - - - SRG-OS-000114-GPOS-00059 - <GroupDescription></GroupDescription> - - RHEL-07-020110 - The Red Hat Enterprise Linux operating system must disable the file system automounter unless required. - <VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. 
- -Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27498-5 - V-71985 - SV-86609 - CCI-000366 - CCI-000778 - CCI-001958 - Configure the operating system to disable the ability to automount devices. - -Turn off the automount service with the following commands: - -# systemctl stop autofs -# systemctl disable autofs - -If "autofs" is required for Network File System (NFS), it must be documented with the ISSO. - - - - - - - - SRG-OS-000437-GPOS-00194 - <GroupDescription></GroupDescription> - - RHEL-07-020200 - The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed. - <VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. 
Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80346-0 - V-71987 - SV-86611 - CCI-002617 - Configure the operating system to remove all software components after updated versions have been installed. - -Set the "clean_requirements_on_remove" option to "1" in the "/etc/yum.conf" file: - -clean_requirements_on_remove=1 - - - - - - - - SRG-OS-000445-GPOS-00199 - <GroupDescription></GroupDescription> - - RHEL-07-020220 - The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy. - <VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. 
- -This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-71991 - SV-86615 - CCI-002165 - CCI-002696 - Configure the operating system to verify correct operation of all security functions. - -Set the "SELinuxtype" to the "targeted" policy by modifying the "/etc/selinux/config" file to have the following line: - - SELINUXTYPE=targeted - -A reboot is required for the changes to take effect. - - - - - - - - SRG-OS-000480-GPOS-00228 - <GroupDescription></GroupDescription> - - RHEL-07-020240 - The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. 
- <VulnDiscussion>Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80205-8 - SV-86619 - V-71995 - CCI-000366 - Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. - -Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077": - -UMASK 077 - - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020250 - The Red Hat Enterprise Linux operating system must be a vendor supported release. - <VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. - -Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. 
RHEL 7.7 marks the final minor release that EUS will be available, while 7.9 is the final minor release overall.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80349-4 - SV-86621 - V-71997 - CCI-000366 - Upgrade to a supported version of the operating system. - - - - - - - - SRG-OS-000104-GPOS-00051 - <GroupDescription></GroupDescription> - - RHEL-07-020300 - The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file. - <VulnDiscussion>If a user is assigned the GID of a group not existing on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27503-2 - V-72003 - SV-86627 - CCI-000764 - Configure the system to define all GIDs found in the "/etc/passwd" file by modifying the "/etc/group" file to add any non-existent group referenced in the "/etc/passwd" file, or change the GIDs referenced in the "/etc/passwd" file to a group that exists in "/etc/group". 
- - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020310 - The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system. - <VulnDiscussion>If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27175-9 - SV-86629 - V-72005 - CCI-000366 - Change the UID of any account on the system, other than root, that has a UID of "0". - -If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020610 - The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory. 
- <VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80434-4 - V-72013 - SV-86637 - CCI-000366 - Configure the operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows. - -CREATE_HOME yes - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020620 - The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file. - <VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. - -In addition, if a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. 
This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-72015 - SV-86639 - CCI-000366 - Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd": - -Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a UID of "smithj", and a Group Identifier (GID) of "users" assigned in "/etc/passwd". - -# mkdir /home/smithj -# chown smithj /home/smithj -# chgrp users /home/smithj -# chmod 0750 /home/smithj - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021020 - The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS). - <VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80240-5 - SV-86669 - V-72045 - CCI-000366 - Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021021 - The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS). - <VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80436-9 - SV-87813 - V-73161 - CCI-000366 - Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS. 
- - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021030 - The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group. - <VulnDiscussion>If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. - -The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80136-5 - V-72047 - SV-86671 - CCI-000366 - All directories in local partitions which are world-writable should be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this should be investigated. Following this, the directories should be deleted or assigned to an appropriate group. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021110 - The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root. 
- <VulnDiscussion>If the owner of the "cron.allow" file is not set to root, the possibility exists for an unauthorized user to view or to edit sensitive information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80378-3 - V-72053 - SV-86677 - CCI-000366 - Set the owner on the "/etc/cron.allow" file to root with the following command: - -# chown root /etc/cron.allow - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021120 - The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root. 
- <VulnDiscussion>If the group owner of the "cron.allow" file is not set to root, sensitive information could be viewed or edited by unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80379-1 - SV-86679 - V-72055 - CCI-000366 - Set the group owner on the "/etc/cron.allow" file to root with the following command: - -# chgrp root /etc/cron.allow - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021310 - The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent). - <VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80144-9 - SV-86683 - V-72059 - CCI-000366 - Migrate the "/home" directory onto a separate file system/partition. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021320 - The Red Hat Enterprise Linux operating system must use a separate file system for /var. 
- <VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-26404-4 - V-72061 - SV-86685 - CCI-000366 - Migrate the "/var" path onto a separate file system. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021330 - The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path. - <VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-86687 - V-72063 - CCI-000366 - Migrate the system audit data path onto a separate file system. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021340 - The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent). 
- <VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27173-4 - SV-86689 - V-72065 - CCI-000366 - Start the "tmp.mount" service with the following command: - -# systemctl enable tmp.mount - -OR - -Edit the "/etc/fstab" file and ensure the "/tmp" directory is defined in the fstab with a device and mount point. - - - - - - - - SRG-OS-000033-GPOS-00014 - <GroupDescription></GroupDescription> - - RHEL-07-021350 - The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. - <VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. 
- -Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-86691 - V-72067 - CCI-000068 - CCI-001199 - CCI-002450 - CCI-002476 - Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package. - -To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. - -Configure the operating system to implement DoD-approved encryption by following the steps below: - -The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a non-unique key. - -Install the dracut-fips package with the following command: - -# yum install dracut-fips - -Recreate the "initramfs" file with the following command: - -Note: This command will overwrite the existing "initramfs" file. 
- -# dracut -f - -Modify the kernel command line of the current kernel in the "grub.cfg" file by adding the following option to the GRUB_CMDLINE_LINUX key in the "/etc/default/grub" file and then rebuild the "grub.cfg" file: - -fips=1 - -Changes to "/etc/default/grub" require rebuilding the "grub.cfg" file as follows: - -On BIOS-based machines, use the following command: - -# grub2-mkconfig -o /boot/grub2/grub.cfg - -On UEFI-based machines, use the following command: - -# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg - -If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command: - -# df /boot -Filesystem 1K-blocks Used Available Use% Mounted on -/dev/sda1 495844 53780 416464 12% /boot - -To ensure the "boot=" configuration option will work even if device naming changes occur between boots, identify the universally unique identifier (UUID) of the partition with the following command: - -# blkid /dev/sda1 -/dev/sda1: UUID="05c000f1-a213-759e-c7a2-f11b7424c797" TYPE="ext4" - -For the example above, append the following string to the kernel command line: - -boot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797 - -If the file /etc/system-fips does not exists, recreate it: - -# touch /etc/ system-fips - -Reboot the system for the changes to take effect. - - - - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - RHEL-07-021710 - The Red Hat Enterprise Linux operating system must not have the telnet-server package installed. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
- -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). - -Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27165-0 - V-72077 - SV-86701 - CCI-000381 - Configure the operating system to disable non-essential capabilities by removing the telnet-server package from the system with the following command: - -# yum remove telnet-server - - - - - - - - SRG-OS-000038-GPOS-00016 - <GroupDescription></GroupDescription> - - RHEL-07-030000 - The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users. - <VulnDiscussion>Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. 
- -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - -Satisfies: SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27407-6 - SV-86703 - V-72079 - CCI-000126 - CCI-000131 - Configure the operating system to produce audit records containing information to establish when (date and time) the events occurred. - -Enable the auditd service with the following command: - -# systemctl start auditd.service - - - - - - - - SRG-OS-000046-GPOS-00022 - <GroupDescription></GroupDescription> - - RHEL-07-030010 - The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure. 
- <VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. - -Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. - -This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. - -Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80381-7 - V-72081 - SV-86705 - CCI-000139 - Configure the operating system to shut down in the event of an audit processing failure. 
- -Add or correct the option to shut down the operating system with the following command: - - # auditctl -f 2 - -Edit the "/etc/audit/rules.d/audit.rules" file and add the following line: - - -f 2 - -If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure with the following command: - - # auditctl -f 1 - -Edit the "/etc/audit/rules.d/audit.rules" file and add the following line: - - -f 1 - -Kernel log monitoring must also be configured to properly alert designated staff. - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000342-GPOS-00133 - <GroupDescription></GroupDescription> - - RHEL-07-030201 - The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited. - <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Off-loading is a common process in information systems with limited audit storage capacity. - -One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. Without the configuration of the "au-remote" plugin, the audisp-remote daemon will not off load the logs from the system being audited. 
- -Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-95729 - V-81017 - CCI-001851 - Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values: - -active = yes -direction = out -path = /sbin/audisp-remote -type = always - -The audit daemon must be restarted for changes to take effect: - -# service auditd restart - - - - - - - - SRG-OS-000342-GPOS-00133 - <GroupDescription></GroupDescription> - - RHEL-07-030210 - The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full. - <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Off-loading is a common process in information systems with limited audit storage capacity. - -One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. When the remote buffer is full, audit logs will not be collected and sent to the central log server. 
- -Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-81019 - SV-95731 - CCI-001851 - Edit the /etc/audisp/audispd.conf file and add or update the "overflow_action" option: - -overflow_action = syslog - -The audit daemon must be restarted for changes to take effect: - -# service auditd restart - - - - - - - - SRG-OS-000342-GPOS-00133 - <GroupDescription></GroupDescription> - - RHEL-07-030211 - The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server. - <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Off-loading is a common process in information systems with limited audit storage capacity. - -One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system. 
- -Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-95733 - V-81021 - CCI-001851 - Edit the /etc/audisp/audispd.conf file and add or update the "name_format" option: - -name_format = hostname - -The audit daemon must be restarted for changes to take effect: - -# service auditd restart - - - - - - - - SRG-OS-000342-GPOS-00133 - <GroupDescription></GroupDescription> - - RHEL-07-030300 - The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited. - <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Off-loading is a common process in information systems with limited audit storage capacity. - -Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-72083 - SV-86707 - CCI-001851 - Configure the operating system to off-load audit records onto a different system or media from the system being audited. 
- -Set the remote server option in "/etc/audisp/audisp-remote.conf" with the IP address of the log aggregation server. - - - - - - - - SRG-OS-000342-GPOS-00133 - <GroupDescription></GroupDescription> - - RHEL-07-030310 - The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited. - <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Off-loading is a common process in information systems with limited audit storage capacity. - -Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-72085 - SV-86709 - CCI-001851 - Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. - -Uncomment the "enable_krb5" option in "/etc/audisp/audisp-remote.conf" and set it with the following line: - -enable_krb5 = yes - - - - - - - - SRG-OS-000342-GPOS-00133 - <GroupDescription></GroupDescription> - - RHEL-07-030320 - The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full. - <VulnDiscussion>Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. 
-One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-72087 - SV-86711 - CCI-001851 - Configure the action the operating system takes if the disk the audit records are written to becomes full. - -Uncomment or edit the "disk_full_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt", such as the following line: - -disk_full_action = single - - - - - - - - SRG-OS-000342-GPOS-00133 - <GroupDescription></GroupDescription> - - RHEL-07-030321 - The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system. - <VulnDiscussion>Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records. 
-One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-73163 - SV-87815 - CCI-001851 - Configure the action the operating system takes if there is an error sending audit records to a remote system. - -Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt". - -network_failure_action = syslog - - - - - - - - SRG-OS-000343-GPOS-00134 - <GroupDescription></GroupDescription> - - RHEL-07-030340 - The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. 
- <VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-72091 - SV-86715 - CCI-001855 - Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. - -Uncomment or edit the "space_left_action" keyword in "/etc/audit/auditd.conf" and set it to "email". - -space_left_action = email - - - - - - - - SRG-OS-000343-GPOS-00134 - <GroupDescription></GroupDescription> - - RHEL-07-030350 - The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. 
- <VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27394-6 - V-72093 - SV-86717 - CCI-001855 - Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. - -Uncomment or edit the "action_mail_acct" keyword in "/etc/audit/auditd.conf" and set it to root and any other accounts associated with security personnel. - -action_mail_acct = root - - - - - - - - - SRG-OS-000327-GPOS-00127 - <GroupDescription></GroupDescription> - - RHEL-07-030360 - The Red Hat Enterprise Linux operating system must audit all executions of privileged functions. - <VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. 
Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-72095 - SV-86719 - CCI-002234 - Configure the operating system to audit the execution of privileged functions. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid --a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid --a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid --a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000064-GPOS-00033 - <GroupDescription></GroupDescription> - - RHEL-07-030370 - The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat, and lchown syscalls. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. 
The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27364-9 - SV-86721 - V-72097 - CCI-000126 - CCI-000172 - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000458-GPOS-00203 - <GroupDescription></GroupDescription> - - RHEL-07-030410 - The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod, and fchmodat syscalls. 
- <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27339-1 - SV-86729 - V-72105 - CCI-000172 - Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "chmod", "fchmod", and "fchmodat" syscalls. 
- -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000458-GPOS-00203 - <GroupDescription></GroupDescription> - - RHEL-07-030440 - The Red Hat Enterprise Linux operating system must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr syscalls. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. 
- -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27213-8 - SV-86735 - V-72111 - CCI-000172 - Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000064-GPOS-00033 - <GroupDescription></GroupDescription> - - RHEL-07-030510 - The Red Hat Enterprise Linux operating system must audit all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. 
Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80386-6 - SV-86749 - V-72125 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls. 
- -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000392-GPOS-00172 - <GroupDescription></GroupDescription> - - RHEL-07-030560 - The Red Hat Enterprise Linux operating system must audit all uses of the semanage command. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80391-6 - SV-86759 - V-72135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "semanage" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000392-GPOS-00172 - <GroupDescription></GroupDescription> - - RHEL-07-030570 - The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80392-4 - V-72137 - SV-86761 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setsebool" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000392-GPOS-00172 - <GroupDescription></GroupDescription> - - RHEL-07-030580 - The Red Hat Enterprise Linux operating system must audit all uses of the chcon command. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80393-2 - V-72139 - SV-86763 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chcon" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000392-GPOS-00172 - <GroupDescription></GroupDescription> - - RHEL-07-030590 - The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-72141 - SV-86765 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setfiles" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000392-GPOS-00172 - <GroupDescription></GroupDescription> - - RHEL-07-030610 - The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80383-3 - V-72145 - SV-86769 - CCI-000126 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when unsuccessful account access events occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --w /var/run/faillock -p wa -k logins - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000392-GPOS-00172 - <GroupDescription></GroupDescription> - - RHEL-07-030620 - The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80384-1 - V-72147 - SV-86771 - CCI-000126 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful account access events occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --w /var/log/lastlog -p wa -k logins - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030630 - The Red Hat Enterprise Linux operating system must audit all uses of the passwd command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80395-7 - SV-86773 - V-72149 - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030640 - The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80396-5 - SV-86775 - V-72151 - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030650 - The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80397-3 - SV-86777 - V-72153 - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030660 - The Red Hat Enterprise Linux operating system must audit all uses of the chage command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80398-1 - SV-86779 - V-72155 - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chage" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030670 - The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80399-9 - SV-86781 - V-72157 - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - RHEL-07-030680 - The Red Hat Enterprise Linux operating system must audit all uses of the su command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80400-5 - SV-86783 - V-72159 - CCI-000130 - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - RHEL-07-030690 - The Red Hat Enterprise Linux operating system must audit all uses of the sudo command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80401-3 - V-72161 - SV-86785 - CCI-000130 - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudo" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - RHEL-07-030700 - The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27461-3 - V-72163 - SV-86787 - CCI-000130 - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --w /etc/sudoers -p wa -k privileged-actions - --w /etc/sudoers.d/ -p wa -k privileged-actions - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - RHEL-07-030710 - The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80403-9 - V-72165 - SV-86789 - CCI-000130 - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "newgrp" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - RHEL-07-030720 - The Red Hat Enterprise Linux operating system must audit all uses of the chsh command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80404-7 - SV-86791 - V-72167 - CCI-000130 - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030740 - The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27447-2 - V-72171 - SV-86795 - CCI-000135 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount --a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount --a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030750 - The Red Hat Enterprise Linux operating system must audit all uses of the umount command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. 
The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80405-4 - V-72173 - SV-86797 - CCI-000135 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "umount" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030760 - The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80406-2 - V-72175 - SV-86799 - CCI-000135 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030770 - The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80407-0 - SV-86801 - V-72177 - CCI-000135 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030780 - The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80408-8 - SV-86803 - V-72179 - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030800 - The Red Hat Enterprise Linux operating system must audit all uses of the crontab command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80410-4 - SV-86807 - V-72183 - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-cron - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000471-GPOS-00215 - <GroupDescription></GroupDescription> - - RHEL-07-030810 - The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. 
The audit system interprets -1, 4294967295, and "unset" in the same way.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80411-2 - V-72185 - SV-86809 - CCI-000172 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000471-GPOS-00216 - <GroupDescription></GroupDescription> - - RHEL-07-030819 - The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-78999 - SV-93705 - CCI-000172 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S create_module -F auid>=1000 -F auid!=unset -k module-change - --a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000471-GPOS-00216 - <GroupDescription></GroupDescription> - - RHEL-07-030820 - The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module syscalls. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining syscalls into one rule whenever possible. - -Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80414-6 - V-72187 - SV-86811 - CCI-000172 - Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange - --a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000471-GPOS-00216 - <GroupDescription></GroupDescription> - - RHEL-07-030830 - The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80415-3 - V-72189 - SV-86813 - CCI-000172 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module-change - --a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module-change - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000471-GPOS-00216 - <GroupDescription></GroupDescription> - - RHEL-07-030840 - The Red Hat Enterprise Linux operating system must audit all uses of the kmod command. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- -Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-86815 - V-72191 - CCI-000172 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "kmod" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000004-GPOS-00004 - <GroupDescription></GroupDescription> - - RHEL-07-030870 - The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80435-1 - SV-86821 - V-72197 - CCI-000018 - CCI-000172 - CCI-001403 - CCI-002130 - Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". - -Add or update the following rule "/etc/audit/rules.d/audit.rules": - --w /etc/passwd -p wa -k identity - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000004-GPOS-00004 - <GroupDescription></GroupDescription> - - RHEL-07-030871 - The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80433-6 - SV-87817 - V-73165 - CCI-000018 - CCI-000172 - CCI-001403 - CCI-002130 - Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --w /etc/group -p wa -k identity - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000004-GPOS-00004 - <GroupDescription></GroupDescription> - - RHEL-07-030872 - The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80432-8 - SV-87819 - V-73167 - CCI-000018 - CCI-000172 - CCI-001403 - CCI-002130 - Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --w /etc/gshadow -p wa -k identity - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000004-GPOS-00004 - <GroupDescription></GroupDescription> - - RHEL-07-030873 - The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80431-0 - SV-87823 - V-73171 - CCI-000018 - CCI-000172 - CCI-001403 - CCI-002130 - Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. - -Add or update the following file system rule in "/etc/audit/rules.d/audit.rules": - --w /etc/shadow -p wa -k identity - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000004-GPOS-00004 - <GroupDescription></GroupDescription> - - RHEL-07-030874 - The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80430-2 - SV-87825 - V-73173 - CCI-000018 - CCI-000172 - CCI-001403 - CCI-002130 - Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. - -Add or update the following file system rule in "/etc/audit/rules.d/audit.rules": - --w /etc/security/opasswd -p wa -k identity - -The audit daemon must be restarted for the changes to take effect: -# systemctl restart auditd - - - - - - - - SRG-OS-000466-GPOS-00210 - <GroupDescription></GroupDescription> - - RHEL-07-030910 - The Red Hat Enterprise Linux operating system must audit all uses of the unlink, unlinkat, rename, renameat, and rmdir syscalls. - <VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. 
Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - -Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27206-2 - V-72205 - SV-86829 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls. - -Add the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete - --a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete - -The audit daemon must be restarted for the changes to take effect. - - - - - - - - SRG-OS-000027-GPOS-00008 - <GroupDescription></GroupDescription> - - RHEL-07-040000 - The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types. - <VulnDiscussion>Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. 
- -This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-72217 - SV-86841 - CCI-000054 - Configure the operating system to limit the number of concurrent sessions to "10" for all accounts and/or account types. - -Add the following line to the top of the /etc/security/limits.conf or in a ".conf" file defined in /etc/security/limits.d/ : - -* hard maxlogins 10 - - - - - - - - SRG-OS-000033-GPOS-00014 - <GroupDescription></GroupDescription> - - RHEL-07-040110 - The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. - <VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. - -Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. - -FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. 
- -The system will attempt to use the first cipher presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest cipher available to secure the SSH connection. - -Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27295-5 - V-72221 - SV-86845 - CCI-000068 - CCI-000366 - CCI-000803 - Configure SSH to use FIPS 140-2 approved cryptographic algorithms. - -Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). - -Ciphers aes256-ctr,aes192-ctr,aes128-ctr - -The SSH service must be restarted for changes to take effect. - - - - - - - - SRG-OS-000163-GPOS-00072 - <GroupDescription></GroupDescription> - - RHEL-07-040160 - The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements. 
- <VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. - -Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. - -Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000163-GPOS-00072</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-86847 - V-72223 - CCI-001133 - CCI-002361 - Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity. - -Create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as: - -#!/bin/bash - -declare -xr TMOUT=900 - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040201 - The Red Hat Enterprise Linux operating system must implement virtual address space randomization. 
- <VulnDiscussion>Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-92521 - V-77825 - CCI-000366 - Configure the operating system implement virtual address space randomization. - -Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - kernel.randomize_va_space = 2 - -Issue the following command to make the changes take effect: - - # sysctl --system - - - - - - - - SRG-OS-000423-GPOS-00187 - <GroupDescription></GroupDescription> - - RHEL-07-040300 - The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed. - <VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). 
Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. - -Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa. - -Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80215-7 - SV-86857 - V-72233 - CCI-002418 - CCI-002420 - CCI-002421 - CCI-002422 - Install SSH packages onto the host with the following commands: - -# yum install openssh-server.x86_64 - - - - - - - - SRG-OS-000163-GPOS-00072 - <GroupDescription></GroupDescription> - - RHEL-07-040320 - The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive. - <VulnDiscussion>Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. 
- -Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. - -Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27433-2 - V-72237 - SV-86861 - CCI-001133 - CCI-002361 - Note: This setting must be applied in conjunction with RHEL-07-040340 to function correctly. - -Configure the SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes. - -Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): - - ClientAliveInterval 600 - -The SSH service must be restarted for changes to take effect. - - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040330 - The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication. 
- <VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80373-4 - V-72239 - SV-86863 - CCI-000366 - Configure the SSH daemon to not allow authentication using RSA rhosts authentication. - -Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no": - -RhostsRSAAuthentication no - -The SSH service must be restarted for changes to take effect. - - - - - - - - SRG-OS-000163-GPOS-00072 - <GroupDescription></GroupDescription> - - RHEL-07-040340 - The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive. - <VulnDiscussion>Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. - -Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. 
This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. - -Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27082-7 - SV-86865 - V-72241 - CCI-001133 - CCI-002361 - Note: This setting must be applied in conjunction with RHEL-07-040320 to function correctly. - -Configure the SSH server to terminate a user session automatically after the SSH client has become unresponsive. - -Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): - - ClientAliveCountMax 0 - -The SSH service must be restarted for changes to take effect. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040350 - The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication. 
- <VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27377-1 - V-72243 - SV-86867 - CCI-000366 - Configure the SSH daemon to not allow authentication using known hosts authentication. - -Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": - -IgnoreRhosts yes - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040360 - The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon. 
- <VulnDiscussion>Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80225-6 - V-72245 - SV-86869 - CCI-000052 - Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/sshd" or in the "sshd_config" file used by the system ("/etc/ssh/sshd_config" will be used in the example) (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). - -Modify the "PrintLastLog" line in "/etc/ssh/sshd_config" to match the following: - -PrintLastLog yes - -The SSH service must be restarted for changes to "sshd_config" to take effect. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040370 - The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH. - <VulnDiscussion>Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. 
In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27445-6 - V-72247 - SV-86871 - CCI-000366 - Configure SSH to stop users from logging on remotely as the root user. - -Edit the appropriate "/etc/ssh/sshd_config" file to uncomment or add the line for the "PermitRootLogin" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): - -PermitRootLogin no - -The SSH service must be restarted for changes to take effect. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040380 - The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication. 
- <VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80372-6 - V-72249 - SV-86873 - CCI-000366 - Configure the SSH daemon to not allow authentication using known hosts authentication. - -Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": - -IgnoreUserKnownHosts yes - -The SSH service must be restarted for changes to take effect. - - - - - - - - SRG-OS-000074-GPOS-00042 - <GroupDescription></GroupDescription> - - RHEL-07-040390 - The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol. - <VulnDiscussion>SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. 
- -Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27320-1 - SV-86875 - V-72251 - CCI-000197 - CCI-000366 - Remove all Protocol lines that reference version "1" in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The "Protocol" line must be as follows: - -Protocol 2 - -The SSH service must be restarted for changes to take effect. - - - - - - - - SRG-OS-000250-GPOS-00093 - <GroupDescription></GroupDescription> - - RHEL-07-040400 - The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. - <VulnDiscussion>DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA. - -The system will attempt to use the first hash presented by the client that matches the server list. 
Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27455-5 - SV-86877 - V-72253 - CCI-001453 - Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-512" and/or "hmac-sha2-256" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): - -MACs hmac-sha2-512,hmac-sha2-256 - -The SSH service must be restarted for changes to take effect. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040410 - The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive. 
- <VulnDiscussion>If a public host key file is modified by an unauthorized user, the SSH service may be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27311-0 - V-72255 - SV-86879 - CCI-000366 - Note: SSH public key files may be found in other directories on the system depending on the installation. - -Change the mode of public host key files under "/etc/ssh" to "0644" with the following command: - -# chmod 0644 /etc/ssh/*.key.pub - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040420 - The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive. 
- <VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27485-2 - V-72257 - SV-86881 - CCI-000366 - Configure the mode of SSH private host key files under "/etc/ssh" to "0640" with the following command: - -# chmod 0640 /path/to/file/ssh_host*key - - - - - - - - SRG-OS-000364-GPOS-00151 - <GroupDescription></GroupDescription> - - RHEL-07-040430 - The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed. - <VulnDiscussion>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. 
GSSAPI authentication must be disabled unless needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-72259 - SV-86883 - CCI-000318 - CCI-000368 - CCI-001812 - CCI-001813 - CCI-001814 - Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": - -GSSAPIAuthentication no - -The SSH service must be restarted for changes to take effect. - -If GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with the ISSO. - - - - - - - - SRG-OS-000364-GPOS-00151 - <GroupDescription></GroupDescription> - - RHEL-07-040440 - The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed. - <VulnDiscussion>Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. 
To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80221-5 - V-72261 - SV-86885 - CCI-000318 - CCI-000368 - CCI-001812 - CCI-001813 - CCI-001814 - Uncomment the "KerberosAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": - -KerberosAuthentication no - -The SSH service must be restarted for changes to take effect. - -If Kerberos authentication is required, it must be documented, to include the location of the configuration file, with the ISSO. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040450 - The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files. 
- <VulnDiscussion>If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80222-3 - SV-86887 - V-72263 - CCI-000366 - Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "yes": - -StrictModes yes - -The SSH service must be restarted for changes to take effect. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040460 - The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation. 
- <VulnDiscussion>SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80223-1 - SV-86889 - V-72265 - CCI-000366 - Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "sandbox" or "yes": - -UsePrivilegeSeparation sandbox - -The SSH service must be restarted for changes to take effect. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040470 - The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication. 
- <VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-86891 - V-72267 - CCI-000366 - Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no": - - Compression no - -The SSH service must be restarted for changes to take effect. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040530 - The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon. 
- <VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-86899 - V-72275 - CCI-000052 - Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". - -Add the following line to the top of "/etc/pam.d/postlogin": - -session required pam_lastlog.so showfailed - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040540 - The Red Hat Enterprise Linux operating system must not contain .shosts files. - <VulnDiscussion>The .shosts files are used to configure host-based authentication for individual users or the system via SSH. 
Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-86901 - V-72277 - CCI-000366 - Remove any found ".shosts" files from the system. - -# rm /[path]/[to]/[file]/.shosts - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040550 - The Red Hat Enterprise Linux operating system must not contain shosts.equiv files. - <VulnDiscussion>The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-86903 - V-72279 - CCI-000366 - Remove any found "shosts.equiv" files from the system. 
- -# rm /[path]/[to]/[file]/shosts.equiv - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040610 - The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets. - <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27434-0 - V-72283 - SV-86907 - CCI-000366 - Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - net.ipv4.conf.all.accept_source_route = 0 - -Issue the following command to make the changes take effect: - - # sysctl -system - - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040620 - The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. - <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80162-1 - V-72285 - SV-86909 - CCI-000366 - Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - net.ipv4.conf.default.accept_source_route = 0 - -Issue the following command to make the changes take effect: - - # sysctl --system - - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040630 - The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. 
- <VulnDiscussion>Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80165-4 - V-72287 - SV-86911 - CCI-000366 - Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - net.ipv4.icmp_echo_ignore_broadcasts = 1 - -Issue the following command to make the changes take effect: - - # sysctl --system - - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040640 - The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80163-9 - SV-86913 - V-72289 - CCI-000366 - Set the system to not accept IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - net.ipv4.conf.default.accept_redirects = 0 - -Issue the following command to make the changes take effect: - - # sysctl --system - - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040641 - The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80158-9 - SV-87827 - V-73175 - CCI-000366 - Set the system to ignore IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - net.ipv4.conf.all.accept_redirects = 0 - -Issue the following command to make the changes take effect: - - # sysctl --system - - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040650 - The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80156-3 - V-72291 - SV-86915 - CCI-000366 - Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. - -Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - net.ipv4.conf.default.send_redirects = 0 - -Issue the following command to make the changes take effect: - - # sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040660 - The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80156-3 - V-72293 - SV-86917 - CCI-000366 - Configure the system to not allow interfaces to perform IPv4 ICMP redirects. - -Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - net.ipv4.conf.all.send_redirects = 0 - -Issue the following command to make the changes take effect: - - # sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040690 - The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed. - <VulnDiscussion>The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. 
SSH or other encrypted file transfer methods must be used in place of this service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-86923 - V-72299 - CCI-000366 - Document the "vsftpd" package with the ISSO as an operational requirement or remove it from the system with the following command: - -# yum remove vsftpd - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040700 - The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support. 
- <VulnDiscussion>If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80213-2 - SV-86925 - V-72301 - CCI-000318 - CCI-000368 - CCI-001812 - CCI-001813 - CCI-001814 - Remove the TFTP package from the system with the following command: - -# yum remove tftp-server - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040710 - The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requirements. - <VulnDiscussion>The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting. -X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. 
-If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80226-4 - SV-86927 - V-72303 - CCI-000366 - Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): - -X11Forwarding no - -The SSH service must be restarted for changes to take effect: - -# systemctl restart sshd - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040730 - The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved. - <VulnDiscussion>Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. 
Graphical display managers have a long history of security vulnerabilities and must not be used unless approved and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27218-7 - SV-86931 - V-72307 - CCI-000366 - Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. If reinstallation is not feasible, then continue with the following procedure: - -Open an SSH session and enter the following commands: - -$ sudo systemctl set-default multi-user.target - -$ sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils - -A reboot is required for the changes to take effect. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040740 - The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router. - <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. 
If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80157-1 - SV-86933 - V-72309 - CCI-000366 - Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - net.ipv4.ip_forward = 0 - -Issue the following command to make the changes take effect: - - # sysctl --system - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040800 - SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default. - <VulnDiscussion>Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s). 
It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the version 2 community strings.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27386-2 - SV-86937 - V-72313 - CCI-000366 - If the "/etc/snmp/snmpd.conf" file exists, modify any lines that contain a community string value of "public" or "private" to another string value. - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040830 - The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets. - <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80179-5 - V-72319 - SV-86943 - CCI-000366 - Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - - net.ipv6.conf.all.accept_source_route = 0 - -Issue the following command to make the changes take effect: - - # sysctl --system - - - - - - - - - SRG-OS-000375-GPOS-00160 - <GroupDescription></GroupDescription> - - RHEL-07-041001 - The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed. - <VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. - -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. - -A privileged account is defined as an information system account with authorizations of a privileged user. 
- -Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). - -Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - SV-87041 - V-72417 - CCI-001948 - CCI-001953 - CCI-001954 - Configure the operating system to implement multifactor authentication by installing the required packages. - -Install the pam_pkcs11 package with the following command: - -# yum install pam_pkcs11 - - - - - - - - SRG-OS-000375-GPOS-00160 - <GroupDescription></GroupDescription> - - RHEL-07-041002 - The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). - <VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. 
- -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. - -A privileged account is defined as an information system account with authorizations of a privileged user. - -Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). - -Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-80437-7 - V-72427 - SV-87051 - CCI-001948 - CCI-001953 - CCI-001954 - Configure the operating system to implement multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM). - -Modify all of the services lines in "/etc/sssd/sssd.conf" or in configuration files found under "/etc/sssd/conf.d" to include pam. 
- - - - - - - - SRG-OS-000375-GPOS-00160 - <GroupDescription></GroupDescription> - - RHEL-07-041003 - The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication. - <VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. - -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. - -A privileged account is defined as an information system account with authorizations of a privileged user. - -Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). 
- -Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - V-72433 - SV-87057 - CCI-001948 - CCI-001953 - CCI-001954 - Configure the operating system to do certificate status checking for PKI authentication. - -Modify all of the "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on". - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-010020 - The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values. - <VulnDiscussion>Without cryptographic integrity protections, system command and files can be altered by unauthorized users without detection. 
- -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCE-27157-7 - SV-86479 - V-71855 - CCI-001749 - Run the following command to determine which package owns the file: - -# rpm -qf <filename> - -The package can be reinstalled from a yum repository using the command: - -# sudo yum reinstall <packagename> - -Alternatively, the package can be reinstalled from trusted media using the command: - -# sudo rpm -Uvh <packagename> - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-010341 - The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel. - <VulnDiscussion>The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. 
If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCI-000366 - Remove the following entries from the sudoers file: -ALL ALL=(ALL) ALL -ALL ALL=(ALL:ALL) ALL - - - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-010342 - The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo". - <VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. 
-For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCI-002227 - Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: - Defaults !targetpw - Defaults !rootpw - Defaults !runaspw - -Remove any configurations that conflict with the above from the following locations: - /etc/sudoers - /etc/sudoers.d/ - - - - - - - - SRG-OS-000373-GPOS-00156 - <GroupDescription></GroupDescription> - - RHEL-07-010343 - The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command. - <VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - -When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. 
- -If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 7 - DISA - DPMS Target - Red Hat Enterprise Linux 7 - 2899 - - CCI-002038 - Configure the "sudo" command to require re-authentication. -Edit the /etc/sudoers file: -$ sudo visudo - -Add or modify the following line: -Defaults timestamp_timeout=[value] -Note: The "[value]" must be a number that is greater than or equal to "0". - -Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ files. - - - - - - - - - - - - repotool - 5.10 - 2023-12-27T23:04:39 - - - - - The operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly. - - - - - - - - - - - - - - - - - The operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required. - - - - - - - - - - The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. - - - - - - - - - - - - - - - - - - - - - The operating system pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. 
- - - - - - - - - The operating system must enable the SELinux targeted policy. - - - - - - - - - - The operating system must limit the number of concurrent sessions to ten for all accounts and/or account types. - - - - - - - - - - The operating system must enforce password complexity by requiring that at least one uppercase character be used. - - - - - - - - - The operating system must enforce password complexity by requiring that at least one lower-case character be used. - - - - - - - - - The operating system must enforce password complexity by requiring that at least one numeric character be used. - - - - - - - - - The operating system must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. - - - - - - - - - The operating system must require the maximum number of repeating characters be limited to three when passwords are changed. - - - - - - - - - The operating system must require the change of at least four character classes when passwords are changed. - - - - - - - - - The operating system must require the change of at least 8 characters when passwords are changed. - - - - - - - - - The operating system user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. - - - - - - - - - - The operating system passwords must have a minimum of 15 characters. - - - - - - - - - All the operating system passwords must contain at least one special character. - - - - - - - - - The operating system must display the date and time of the last successful account logon upon logon. - - - - - - - - - - The operating system must be configured to disable USB mass storage. - - - - - - - - - - The operating system pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. 
- - - - - - - - - Systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. - - - - - - - - - Red Hat Enterprise Linux 7 - - multi_platform_all - - - The operating system installed on the system is - Red Hat Enterprise Linux 7 - - - - - - - - - - - - - - - - Ensure that FAIL_DELAY is Configured in /etc/login.defs - - Red Hat Enterprise Linux 7 - - - The delay between failed authentication attempts should be - set for all users specified in /etc/login.defs - - - - - - - - - Ensure YUM Removes Previous Package Versions - - Red Hat Enterprise Linux 7 - - - The clean_requirements_on_remove option should be used to ensure that old - versions of software components are removed after updating. - - - - - - - - - Ensure gpgcheck Enabled for Local Packages - - Red Hat Enterprise Linux 7 - - - The localpkg_gpgcheck option should be used to ensure that checking - of an RPM package's signature always occurs prior to its - installation. - - - - - - - - - Verify group who owns 'cron.allow' file - - Red Hat Enterprise Linux 7 - - - The /etc/cron.allow file should be owned by the appropriate - group. - - - - - - - - - Verify user who owns 'cron.allow' file - - Red Hat Enterprise Linux 7 - - - The /etc/cron.allow file should be owned by the - appropriate user. - - - - - - - - - RHEL-07-040420 - The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive. - - Red Hat Enterprise Linux 7 - - - - If an unauthorized user obtains the private SSH host key file, the host could be impersonated. - - - - - - - - - SSHD Service Public Key Permissions - - Red Hat Enterprise Linux 7 - - - - File permissions for the SSH Server's public keys should be set to 0644 (or stronger). By default, these files are located at /etc/ssh. 
- - - - - - - - - Package openssh-server Removed - - multi_platform_rhel - multi_platform_fedora - multi_platform_sle - - The RPM package openssh-server should be removed. - - - - - - - - - Disable Compression Or Set Compression to delayed - - Red Hat Enterprise Linux 7 - - - - SSH should either have compression disabled or set to delayed. - - - - - - - - - - Disable GSSAPI Authentication - - Red Hat Enterprise Linux 7 - - - - Unless needed, disable the GSSAPI authentication option for -the SSH Server. - - - - - - - - - Disable Kerberos Authentication - - Red Hat Enterprise Linux 7 - - - - Unless needed, disable the Kerberos authentication option for the SSH Server. - - - - - - - - - Enable SSH Server's Strict Mode - - Red Hat Enterprise Linux 7 - - - - Enable StrictMode to check users home directory permissions and configurations. - - - - - - - - - The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon SSH logon. - - Red Hat Enterprise Linux 7 - - - Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use. - - - - - - - - - - RHEL-07-040400 - The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms - - Red Hat Enterprise Linux 7 - - - DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA. - -By specifying a hash algorithm list with the order of hashes being in a "strongest to weakest" orientation, the system will automatically attempt to use the strongest hash for securing SSH connections. 
- - - - - - - - - - - - - RHEL-07-020250 - The Red Hat Enterprise Linux operating system must be a vendor supported release - - Red Hat Enterprise Linux 7 - - - An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. - - - - - - - - - Use Privilege Separation - - Red Hat Enterprise Linux 7 - - - - Use privilege separation to cause the SSH process to drop root privileges when not needed. - - - - - - - - - Ensure !authenticate Is Not Used in Sudo - - Red Hat Enterprise Linux 7 - multi_platform_debian - multi_platform_ubuntu - - Checks sudo usage without authentication - - - - - - - - - - - Ensure NOPASSWD Is Not Used in Sudo - - Red Hat Enterprise Linux 7 - multi_platform_debian - multi_platform_ubuntu - - Checks sudo usage without password - - - - - - - - - - - RHEL-07-010341 - The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel. - - Red Hat Enterprise Linux 7 - - The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system. - - - - - - - - - RHEL-07-010342 - The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo". - - Red Hat Enterprise Linux 7 - - The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. 
If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. -For more information on each of the listed configurations, reference the sudoers(5) manual page. - - - - - - - - - - - - - - - - - - - RHEL-07-010343 - The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command. - - Red Hat Enterprise Linux 7 - - Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - -When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. - -If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated. - - - - - - - - Kernel "net.ipv4.conf.all.accept_redirects" Parameter Configuration and Runtime Check - - Red Hat Enterprise Linux 7 - - - - The "net.ipv4.conf.all.accept_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime. - - - - - - - - - Kernel "net.ipv4.conf.all.accept_redirects" Parameter Configuration Check - - Red Hat Enterprise Linux 7 - - The kernel "net.ipv4.conf.all.accept_redirects" parameter should be set to the appropriate value in the system configuration. - - - - - - - - - Kernel "net.ipv4.conf.all.accept_redirects" Parameter Runtime Check - - Red Hat Enterprise Linux 7 - - The kernel "net.ipv4.conf.all.accept_redirects" parameter should be set to the appropriate value in system runtime. 
- - - - - - - - - Kernel "net.ipv4.conf.all.accept_source_route" Parameter Configuration and Runtime Check - - Red Hat Enterprise Linux 7 - - - - The "net.ipv4.conf.all.accept_source_route" kernel parameter should be set to the appropriate value in both system configuration and system runtime. - - - - - - - - - The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. - - Red Hat Enterprise Linux 7 - - - - ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. - - - - - - - - - The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. - - Red Hat Enterprise Linux 7 - - ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - - - - - - - - - - - Kernel "net.ipv4.conf.default.accept_source_route" Parameter Configuration and Runtime Check - - Red Hat Enterprise Linux 7 - - - - The "net.ipv4.conf.default.accept_source_route" kernel parameter should be set to the appropriate value in both system configuration and system runtime. - - - - - - - - - Kernel "net.ipv4.conf.default.accept_source_route" Parameter Configuration Check - - Red Hat Enterprise Linux 7 - - The kernel "net.ipv4.conf.default.accept_source_route" parameter should be set to the appropriate value in the system configuration. 
- - - - - - - - - Kernel "net.ipv4.conf.default.accept_source_route" Parameter Runtime Check - - Red Hat Enterprise Linux 7 - - The kernel "net.ipv4.conf.default.accept_source_route" parameter should be set to the appropriate value in system runtime. - - - - - - - - - Kernel "net.ipv4.conf.default.send_redirects" Parameter Configuration and Runtime Check - - Red Hat Enterprise Linux 7 - - - - The "net.ipv4.conf.default.send_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime. - - - - - - - - - Kernel "net.ipv4.conf.default.send_redirects" Parameter Configuration Check - - Red Hat Enterprise Linux 7 - - The kernel "net.ipv4.conf.default.send_redirects" parameter should be set to "0" in the system configuration. - - - - - - - - - Kernel "net.ipv4.conf.default.send_redirects" Parameter Runtime Check - - Red Hat Enterprise Linux 7 - - The kernel "net.ipv4.conf.default.send_redirects" parameter should be set to "0" in system runtime. - - - - - - - - - Kernel "net.ipv4.icmp_echo_ignore_broadcasts" Parameter Configuration and Runtime Check - - Red Hat Enterprise Linux 7 - - - - The "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter should be set to the appropriate value in both system configuration and system runtime. - - - - - - - - - Kernel "net.ipv4.icmp_echo_ignore_broadcasts" Parameter Configuration Check - - Red Hat Enterprise Linux 7 - - The kernel "net.ipv4.icmp_echo_ignore_broadcasts" parameter should be set to the appropriate value in the system configuration. - - - - - - - - - Kernel "net.ipv4.icmp_echo_ignore_broadcasts" Parameter Runtime Check - - Red Hat Enterprise Linux 7 - - The kernel "net.ipv4.icmp_echo_ignore_broadcasts" parameter should be set to the appropriate value in system runtime. 
- - - - - - - - - Kernel "net.ipv4.ip_forward" Parameter Configuration and Runtime Check - - Red Hat Enterprise Linux 7 - - - - The "net.ipv4.ip_forward" kernel parameter should be set to the appropriate value in both system configuration and system runtime. - - - - - - - - - Kernel "net.ipv4.ip_forward" Parameter Configuration Check - - Red Hat Enterprise Linux 7 - - The kernel "net.ipv4.ip_forward" parameter should be set to "0" in the system configuration. - - - - - - - - - Kernel "net.ipv4.ip_forward" Parameter Runtime Check - - Red Hat Enterprise Linux 7 - - The kernel "net.ipv4.ip_forward" parameter should be set to "0" in system runtime. - - - - - - - - - Kernel Runtime Parameter IPv6 Check - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - Disables IPv6 for all network interfaces. - - - - - - - - - - - - - Kernel "net.ipv6.conf.all.accept_source_route" Parameter Configuration and Runtime Check - - Red Hat Enterprise Linux 7 - - - - The "net.ipv6.conf.all.accept_source_route" kernel parameter should be set to the appropriate value in both system configuration and system runtime. - - - - - - - - - - - - Kernel "net.ipv6.conf.all.accept_source_route" Parameter Configuration Check - - Red Hat Enterprise Linux 7 - - The kernel "net.ipv6.conf.all.accept_source_route" parameter should be set to the appropriate value in the system configuration. - - - - - - - - - Kernel "net.ipv6.conf.all.accept_source_route" Parameter Runtime Check - - Red Hat Enterprise Linux 7 - - The kernel "net.ipv6.conf.all.accept_source_route" parameter should be set to the appropriate value in system runtime. - - - - - - - - - The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires. - - Red Hat Enterprise Linux 7 - - - Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. 
Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. - -Operating systems need to track periods of inactivity and disable application identifiers after zero35 days of inactivity. - - - - - - - - - Ensure new users receive home directories - - Red Hat Enterprise Linux 7 - - - CREATE_HOME should be enabled - - - - - - - - - Set Password Expiration Parameters - - Red Hat Enterprise Linux 7 - - - The maximum password age policy should meet minimum requirements. - - - - - - - - - Set Password Expiration Parameters - - Red Hat Enterprise Linux 7 - - - The minimum password age policy should be set appropriately. - - - - - - - - - UID 0 Belongs Only To Root - - multi_platform_all - - - Only the root account should be assigned a user id of 0. - - - - - - - - - Limit Password Reuse - - multi_platform_rhel - multi_platform_fedora - - The passwords to remember should be set correctly. - - - - - - - - - - - RHEL-07-040160 - The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements. - - multi_platform_rhel - - Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. 
- -Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. - - - - - - - - - RHEL-07-020240 - The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. - - Red Hat Enterprise Linux 7 - - - Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access. - - - - - - - - - Check use of auditctl - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - Test if auditctl is in use for audit rules. - - - - - - - - - Check use of augenrules - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - Test if augenrules is enabled for audit rules. - - - - - - - - - RHEL-07-030410 - The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod and fchmodat syscalls. - - multi_platform_rhel - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. 
The audit system interprets -1, 4294967295, and "unset" in the same way. -The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when you have to since these affect performance. The more rules, the bigger the performance hit. You can help the performance, though, by combining syscalls into one rule whenever possible. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Test for 64-bit Architecture - - multi_platform_all - - Generic test for 64-bit architectures to be used by other tests - - - - - - - - - - RHEL-07-030370 - The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat and lchown syscalls. - - multi_platform_rhel - - - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when you have to since these affect performance. The more rules, the bigger the performance hit. You can help the performance, though, by combining syscalls into one rule whenever possible. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - RHEL-07-030440 - The Red Hat Enterprise Linux operating system must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr and lremovexattr syscalls. - - multi_platform_rhel - - - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. -The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when you have to since these affect performance. The more rules, the bigger the performance hit. You can help the performance, though, by combining syscalls into one rule whenever possible. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Record Any Attempts to Run chcon - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit rules about the information on the use of chcon is enabled. - - - - - - - - - - - - - - - Record Any Attempts to Run semanage - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit rules about the information on the use of semanage is enabled. - - - - - - - - - - - - - - - Record Any Attempts to Run setsebool - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit rules about the information on the use of setsebool is enabled. 
- - - - - - - - - - - - - - - RHEL-07-030910 - The Red Hat Enterprise Linux operating system must audit all uses of the unlink, unlinkat, rename, renameat and rmdir syscalls. - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. -The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when you have to since these affect performance. The more rules, the bigger the performance hit. You can help the performance, though, by combining syscalls into one rule whenever possible. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - RHEL-07-030820 - The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module syscalls. - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). -The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when you have to since these affect performance. 
The more rules, the bigger the performance hit. You can help the performance, though, by combining syscalls into one rule whenever possible. - - - - - - - - - - - - - - - - - - - - - - - - - - - Audit Kernel Module Loading and Unloading - delete_module - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - The audit rules should be configured to log information about kernel module loading and unloading. - - - - - - - - - - - - - - - - - - - - - - - Record Attempts to Alter Login and Logout Events - faillock - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit rules should be configured to log successful and unsuccessful login and logout events. - - - - - - - - - - - - - - - Record Attempts to Alter Login and Logout Events - lastlog - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit rules should be configured to log successful and unsuccessful login and logout events. - - - - - - - - - - - - - - - The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall. - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Reconstruction of harmful events or forensic analysis is no possible if audit records do not contain enough information. - At a minimum, the orginization must audit the full-text recording of privileged mount commands. The orginization must maintain audit - trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - The Red Hat EnterpriseLinux Operating system must audit all executions of privileged functions. - - Red Hat Enterprise Linux 7 - - Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have a significant adverse impacts on orginizations. 
- Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - chage - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit rules about the information on the use of chage is enabled. - - - - - - - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - chsh - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit rules about the information on the use of chsh is enabled. - - - - - - - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - crontab - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit rules about the information on the use of crontab is enabled. - - - - - - - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit rules about the information on the use of gpasswd is enabled. - - - - - - - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - newgrp - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit rules about the information on the use of newgrp is enabled. - - - - - - - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit rules about the information on the use of pam_timestamp_check is enabled. - - - - - - - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - passwd - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit rules about the information on the use of passwd is enabled. 
- - - - - - - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - postdrop - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit rules about the information on the use of postdrop is enabled. - - - - - - - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - postqueue - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit rules about the information on the use of postqueue is enabled. - - - - - - - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - ssh_keysign - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit rules about the information on the use of ssh_keysign is enabled. - - - - - - - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - su - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit rules about the information on the use of su is enabled. - - - - - - - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - sudo - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit rules about the information on the use of sudo is enabled. - - - - - - - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - umount - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit rules about the information on the use of umount is enabled. - - - - - - - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit rules about the information on the use of unix_chkpwd is enabled. - - - - - - - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - userhelper - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit rules about the information on the use of userhelper is enabled. 
- - - - - - - - - - - - - - - Audit System Administrator Actions - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit actions taken by system administrators on the system. - - - - - - - - - - - - - - - - - Shutdown System When Auditing Failures Occur - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - The system will shutdown when auditing fails. - - - - - - - - - - - - - - - RHEL-07-030510 - The Red Hat Enterprise Linux operating system must audit all uses of the creat, open, openat, open_by_handle_at, truncate and ftruncate syscalls. - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. -The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when you have to since these affect performance. The more rules, the bigger the performance hit. You can help the performance, though, by combining syscalls into one rule whenever possible. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Audit User/Group Modification (/etc/group) - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit user/group modification. 
- - - - - - - - - - - - - - - Audit User/Group Modification (gshadow) - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit user/group modification. - - - - - - - - - - - - - - - Audit User/Group Modification (opasswd) - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit user/group modification (opasswd). - - - - - - - - - - - - - - - Audit User/Group Modification (/etc/passwd) - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit user/group modification. - - - - - - - - - - - - - - - Audit User/Group Modification (/etc/shadow) - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - Audit user/group modification. - - - - - - - - - - - - - - - Auditd Email Account to Notify Upon Action - - Red Hat Enterprise Linux 7 - - - action_mail_acct setting in /etc/audit/auditd.conf is set to a certain account - - - - - - - - - Enable GNOME3 Login Warning Banner - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - Enable the GNOME3 Login warning banner. - - - - - - - - - - - - - - Package dconf Installed - - Red Hat Enterprise Linux 7 - - The RPM package dconf should be installed. - - - - - - - - - Implement Local DB for DConf User Profile - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - The DConf User profile should have the local DB configured. - - - - - - - - - - Enable GNOME3 Screensaver Idle Activation - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - Idle activation of the screen saver should be enabled. - - - - - - - - - - - - - - Configure the GNOME3 GUI Screen locking - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - - - The allowed period of inactivity before the screensaver is activated. - - - - - - - - - - - - Enable GNOME3 Screensaver Lock Delay After Idle Period - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - Idle activation of the screen lock should be enabled immediately or - after a delay. 
- - - - - - - - - - - - - - Enable GNOME3 Screensaver Lock After Idle Period - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - Idle activation of the screen lock should be enabled. - - - - - - - - - - - - - - Gnome lock-delay setting lock - - Red Hat Enterprise Linux 7 - - - Determines if the databases containing the lock-delay setting also have the setting locked. - - - - - - - - - - - - - Find world writable directories not group-owned by a system account - - Red Hat Enterprise Linux 7 - - - - All world writable directories should be group-owned by a system user. - - - - - - - - Disable Host-Based Authentication - - multi_platform_rhel - - SSH host-based authentication should be disabled. - - - - - - - - - - - Ensure Yum gpgcheck Globally Activated - - Red Hat Enterprise Linux 7 - - - The gpgcheck option should be used to ensure that checking - of an RPM package's signature always occurs prior to its - installation. - - - - - - - - - All GIDs Are Present In /etc/group - - Red Hat Enterprise Linux 7 - - All GIDs referenced in /etc/passwd must be defined in /etc/group. - - - - - - - - - - Disable GDM Automatic Login - - Red Hat Enterprise Linux 7 - - - Disable the GNOME Display Manager (GDM) ability to allow users to - automatically login. - - - - - - - - - - - - - Package gdm Installed - - Red Hat Enterprise Linux 7 - - The RPM package gdm should be installed. - - - - - - - - - Disable GDM Guest Login - - Red Hat Enterprise Linux 7 - - - Disable the GNOME Display Manager (GDM) ability to allow guest users - to login. - - - - - - - - - - - - - Mount Remote Filesystems with noexec - - Red Hat Enterprise Linux 7 - - - - The noexec option should be enabled for all NFS mounts in /etc/fstab. - - - - - - - - - Mount Remote Filesystems with nosuid - - multi_platform_rhel - - - - The nosuid option should be enabled for all NFS mounts in /etc/fstab. 
- - - - - - - - - The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords. - - Red Hat Enterprise Linux 7 - - - The file /etc/pam.d/system-auth should not contain the nullok option - - - - - - - - - - Package net-snmp Removed - - multi_platform_rhel - - The RPM package net-snmp should be removed. - - - - - - - - - Package rsh-server Removed - - Red Hat Enterprise Linux 7 - - - The RPM package rsh-server should be removed. - - - - - - - - - Package telnet-server Removed - - multi_platform_rhel - - The RPM package telnet-server should be removed. - - - - - - - - - - Package tftp-server Removed - - Red Hat Enterprise Linux 7 - - - The RPM package tftp-server should be removed. - - - - - - - - - Package vsftpd Removed - - multi_platform_rhel - - The RPM package vsftpd should be removed. - - - - - - - - - Package xorg-x11-server-common Removed - - multi_platform_rhel - multi_platform_fedora - - - - The RPM package xorg-x11-server-common should be removed. - - - - - - - - Package ypserv Removed - - Red Hat Enterprise Linux 7 - - - The RPM package ypserv should be removed. - - - - - - - - - Ensure /home Located On Separate Partition - - multi_platform_rhel - - If user home directories will be stored locally, create a - separate partition for /home. If /home will be mounted from another - system such as an NFS server, then creating a separate partition is not - necessary at this time, and the mountpoint can instead be configured - later. - - - - - - - - - - Ensure /var Located On Separate Partition - - multi_platform_rhel - - - - Ensuring that /var is mounted on its own partition enables - the setting of more restrictive mount options, which is used as temporary - storage by many program, particularly system services such as daemons. It - is not uncommon for the /var directory to contain world-writable - directories, installed by other software packages. 
- - - - - - - - Ensure /var/log/audit Located On Separate Partition - - multi_platform_rhel - - - - Audit logs are stored in the /var/log/audit directory. - Ensure that it has its own partition or logical volume. Make absolutely - certain that it is large enough to store all audit logs that will be - created by the auditing daemon. - - - - - - - - - Verify File Hashes with RPM - - multi_platform_fedora - multi_platform_rhel - - Verify the RPM digests of system binaries using the RPM database. - - - - - - - - - - Set SHA512 Password Hashing Algorithm in /etc/libuser.conf - - Red Hat Enterprise Linux 7 - - - The password hashing algorithm should be set correctly in /etc/libuser.conf. - - - - - - - - - Set SHA512 Password Hashing Algorithm in /etc/login.defs - - Red Hat Enterprise Linux 7 - - - The password hashing algorithm should be set correctly in /etc/login.defs. - - - - - - - - - SNMP default communities disabled - - multi_platform_all - - SNMP default communities must be removed. - - - - - - - - - - - Ensure Only Protocol 2 Connections Allowed - - multi_platform_rhel - multi_platform_debian - multi_platform_ubuntu - - - The OpenSSH daemon should be running protocol 2. - - - - - - - - - - - - - Disable Empty Passwords - - Red Hat Enterprise Linux 7 - - - Remote connections from accounts with empty passwords should - be disabled (and dependencies are met) - - - - - - - - - - Disable .rhosts Files - - multi_platform_rhel - - - - Emulation of the rsh command through the ssh server should be disabled (and dependencies are met) - - - - - - - - - Disable SSH Support for Rhosts RSA Authentication - - multi_platform_all - - - - SSH can allow authentication through the obsolete rsh command through the use of the authenticating user's SSH keys. This should be disabled. 
- - - - - - - - - - - - Disable root Login via SSH - - multi_platform_all - - - - Root login via SSH should be disabled (and dependencies are met) - - - - - - - - - Disable SSH Support for User Known Hosts - - multi_platform_all - - - - SSH can allow system users host-based authentication -to connect to systems if a cache of the remote systems public keys are available. -This should be disabled. - - - - - - - - - Do Not Allow Users to Set Environment Options - - multi_platform_rhel - - PermitUserEnvironment should be disabled - - - - - - - - - - - RHEL-07-040710 - Disable X11 Forwarding - - multi_platform_all - - - Open X displays allow an attacker to capture keystrokes and execute commands remotely. - - - - - - - - - - Set OpenSSH Idle Timeout Interval - - multi_platform_all - - - - The SSH idle timeout interval should be set to an appropriate value. - - - - - - - - - Set ClientAliveCountMax for User Logins - - multi_platform_all - - - - The SSH ClientAliveCountMax should be set to an appropriate value (and dependencies are met) - - - - - - - - - RHEL-07-040110 - The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections - - Red Hat Enterprise Linux 7 - - - Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. - -Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. - -FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. 
- -By specifying a cipher list with the order of ciphers being in a "strongest to weakest" orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections. - - - - - - - - - - Configure PAM in SSSD Services - - Red Hat Enterprise Linux 7 - - - - SSSD should be configured to run SSSD PAM services. - - - - - - - - - Kernel "net.ipv6.conf.all.disable_ipv6" Parameter Configuration Check - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - The kernel "net.ipv6.conf.all.disable_ipv6" parameter should be set to "1" in the system configuration. - - - - - - - - - Kernel "net.ipv6.conf.all.disable_ipv6" Parameter Runtime Check - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - The kernel "net.ipv6.conf.all.disable_ipv6" parameter should be set to "1" in system runtime. - - - - - - - - - Test for x86_64 Architecture - - multi_platform_all - - Generic test for x86_64 architecture to be used by other tests - - - - - - - - - Test for PPC and PPCLE Architecture - - multi_platform_all - - Generic test for PPC PPC64LE architecture to be used by other tests - - - - - - - - - - Package openssh-server Installed - - Red Hat Enterprise Linux 7 - - The RPM package openssh-server should be installed. - - - - - - - - - - Passwords must be restricted to a 1 day minimum lifetime. - - Red Hat Enterprise Linux 7 - - Passwords must be restricted to a 1 day minimum lifetime. - - - - - - - - - File system automounter must be disabled unless required. - - Red Hat Enterprise Linux 7 - - - Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. - - - - - - - - The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned in the /etc/passwd file. 
- - Red Hat Enterprise Linux 7 - - The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned in the /etc/passwd file. - - - - - - - - - The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are defined in the /etc/passwd file. - - Red Hat Enterprise Linux 7 - - The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are defined in the /etc/passwd file. - - - - - - - - - - The system must use a separate file system for /tmp (or equivalent). - - Red Hat Enterprise Linux 7 - - - The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. - - - - - - - - The audit service must be running. - - Red Hat Enterprise Linux 7 - - - Auditing must be configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. - - - - - - - - The operating system must off-load audit records onto a different system or media from the system being audited. - - Red Hat Enterprise Linux 7 - - The operating system must off-load audit records onto a different system or media from the system being audited. - - - - - - - - The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited. - - Red Hat Enterprise Linux 7 - - The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited. - - - - - - - - The audit system must take appropriate action when the audit storage volume is full. - - Red Hat Enterprise Linux 7 - - The audit system must take appropriate action when the audit storage volume is full. 
- - - - - - - - The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. - - Red Hat Enterprise Linux 7 - - The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. - - - - - - - - Record Any Attempts to Run setfiles - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - Audit rules about the information on the use of setfiles is enabled. - - - - - - - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - kmod - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - Audit rules about the information on the use of kmod is enabled. - - - - - - - - - - - - - - - Package openssh-server is version 7.4 or higher - - multi_platform_rhel - multi_platform_fedora - multi_platform_sle - - The RPM package openssh-server is version 7.4 or higher. - - - - - - - - There must be no .shosts files on the system. - - Red Hat Enterprise Linux 7 - - There must be no .shosts files on the system. - - - - - - - - There must be no shosts.equiv files on the system. - - Red Hat Enterprise Linux 7 - - There must be no shosts.equiv files on the system. - - - - - - - - The "ipv6.disable" Kernel Boot Option Check - - Red Hat Enterprise Linux 7 - - The "ip6.disable" kernel boot option should be set to "1". - - - - - - - - - The operating system must have the required packages for multifactor authentication installed. - - Red Hat Enterprise Linux 7 - - The operating system must have the required packages for multifactor authentication installed. - - - - - - - - The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication. 
- - Red Hat Enterprise Linux 7 - - Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. - -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. - -A privileged account is defined as an information system account with authorizations of a privileged user. - -Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). - - - - - - - - - The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system. - - Red Hat Enterprise Linux 7 - - The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system. - - - - - - - - Smartcard authentication enabled for graphical user logon. - - Red Hat Enterprise Linux 7 - - The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon. 
- - - - - - - - - - - - - Require authentication upon booting into single-user and maintenance modes. - - Red Hat Enterprise Linux 7 - - The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes. - - - - - - - - RHEL-07-040201 - The Red Hat Enterprise Linux operating system must implement virtual address space randomization. - - Red Hat Enterprise Linux 7 - - Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques. - - - - - - - - - The operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. - - Red Hat Enterprise Linux 7 - - A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. - -The ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time. - - - - - - - - - - - - - - Audit Kernel Module Creation - create_module - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - The audit rules should be configured to log information about kernel module creation. - - - - - - - - - - - - - - - - - - - - - - - Verify /etc/pam.d/system-auth is included in /etc/pam.d/passwd - - Red Hat Enterprise Linux 7 - - /etc/pam.d/system-auth is included in /etc/pam.d/passwd. 
- - - - - - - - Set Boot Loader Password (BIOS) for RHEL 7.2 and up - - Red Hat Enterprise Linux 7 - - The grub2 boot loader should have password protection enabled. - - - - - - - - - - - - - - Set the UEFI Boot Loader Password - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - The UEFI grub2 boot loader should have password protection enabled. - - - - - - - - - - - - - - The Red Hat Enterprise Linux operating system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon. - - Red Hat Enterprise Linux 7 - - The Red Hat Enterprise Linux operating system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon. - - - - - - - - - - - The Red Hat Enterprise Linux operating system must take appropriate action when the audisp-remote buffer is full. - - Red Hat Enterprise Linux 7 - - The Red Hat Enterprise Linux operating system must take appropriate action when the audisp-remote buffer is full. - - - - - - - - The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server. - - Red Hat Enterprise Linux 7 - - The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server. - - - - - - - - RHEL-07-010119 - The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used. - - Red Hat Enterprise Linux 7 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. 
- - - - - - - - RHEL-07-010120 - The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character. - - Red Hat Enterprise Linux 7 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - - - - - - - - RHEL-07-010130 - The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character. - - Red Hat Enterprise Linux 7 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - - - - - - - - RHEL-07-010140 - The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character. - - Red Hat Enterprise Linux 7 - - Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - - - - - - - - RHEL-07-010150 - The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character. - - Red Hat Enterprise Linux 7 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - - - - - - - - RHEL-07-010160 - The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed. - - Red Hat Enterprise Linux 7 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
- - - - - - - - RHEL-07-010170 - The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed. - - Red Hat Enterprise Linux 7 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - - - - - - - - RHEL-07-010180 - The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters. - - Red Hat Enterprise Linux 7 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - - - - - - - - RHEL-07-010190 - The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters. - - Red Hat Enterprise Linux 7 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
- -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - - - - - - - - RHEL-07-010200 - The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords. - - Red Hat Enterprise Linux 7 - - Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text. - - - - - - - - - RHEL-07-010260 - The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime. - - Red Hat Enterprise Linux 7 - - Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. - - - - - - - - RHEL-07-010280 - The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length. - - Red Hat Enterprise Linux 7 - - The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. - -Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. - - - - - - - - RHEL-07-020030 - The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly. - - Red Hat Enterprise Linux 7 - - Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. - -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. - - - - - - - - RHEL-07-020100 - The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage. - - Red Hat Enterprise Linux 7 - - USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. - -Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227 - - - - - - - - RHEL-07-020101 - The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required. - - Red Hat Enterprise Linux 7 - - Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation. - - - - - - - - RHEL-07-020220 - The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy. 
- - Red Hat Enterprise Linux 7 - - Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. - -This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. - - - - - - - - RHEL-07-021350 - The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. - - Red Hat Enterprise Linux 7 - - Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. - -Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223 - - - - - - - - RHEL-07-040000 - The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types. - - Red Hat Enterprise Linux 7 - - Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. 
Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. - -This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system. - - - - - - - - RHEL-07-040530 - The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon. - - Red Hat Enterprise Linux 7 - - Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - /etc/crontab - ^[ \t]*([\S]+[ \t]+[\S]+[ \t]+\*[ \t]+\*[ \t]+[\S]+)[ \t]+root[ \t]+\/usr\/sbin\/aide[ \t]+\-\-check(?:[\s]+|[\>\|]|$) - 1 - - - /etc/cron.d - ^.+$ - ^[ \t]*([\S]+[ \t]+[\S]+[ \t]+\*[ \t]+\*[ \t]+[\S]+)[ \t]+root[ \t]+\/usr\/sbin\/aide[ \t]+\-\-check(?:[\s]+|[\>\|]|$) - 1 - - - /var/spool/cron/root - ^[ \t]*([\S]+[ \t]+[\S]+[ \t]+\*[ \t]+\*[ \t]+[\S]+)[ \t]+\/usr\/sbin\/aide[ 
\t]+\-\-check(?:[\s]+|[\>\|]|$) - 1 - - - /etc/cron.daily - ^.+$ - ^[ \t]*/usr/sbin/aide[ \t]*\-\-check(?:[\s]+|[\>\|]|$) - 1 - - - /etc/cron.weekly - ^.+$ - ^[ \t]*/usr/sbin/aide[ \t]*\-\-check(?:[\s]+|[\>\|]|$) - 1 - - - /etc/cron.hourly - ^.+$ - ^[ \t]*/usr/sbin/aide[ \t]*\-\-check(?:[\s]+|[\>\|]|$) - 1 - - - /etc/modprobe.d - .* - ^[ \t]*install[ \t]+dccp[ \t]+/bin/false[ \t]*$ - 1 - - - /etc/modprobe.d - .* - ^[ \t]*blacklist[ \t]+dccp[ \t]*$ - 1 - - - /etc/sysconfig/prelink - ^[\s]*PRELINKING=no[\s]* - 1 - - - /etc/default/grub - ^\s*GRUB_CMDLINE_LINUX="(.*)"$ - 1 - - - /etc/default/grub - ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ - 1 - - - - ^\s*linux(?:[^#\n]*)/vmlinuz([^#\n]*) - 1 - - - /proc/sys/crypto/fips_enabled - ^1$ - 1 - - - /etc/default/grub - ^[^#]*fips=0 - 1 - - - /etc/system-fips - - - /etc/pam.d - password-auth - ^[ \t]*password[ \t]+sufficient[ \t]+pam_unix\.so(?:[ \t]+|(?:[ \t][^#\r\f\n]+[ \t]))sha512(?:[ \t]|$) - 1 - - - /etc/selinux/config - ^\s*SELINUXTYPE\s*=\s*(\w+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23034601 - oval:mil.disa.stig.ind:obj:23034602 - - - - /etc/security/limits.conf - ^\s*\*\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ - 1 - - - /etc/security/limits.d - .*\.conf$ - ^\s*\*\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23034604 - oval:mil.disa.stig.ind:obj:23034605 - - - - /etc/security/limits.conf - ^\s*[^#*\s]+\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ - 1 - - - /etc/security/limits.d - .*\.conf$ - ^\s*[^#*\s]+\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23035701 - oval:mil.disa.stig.ind:obj:23035702 - - - - /etc/security/pwquality.conf - ^\s*ucredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - /etc/security/pwquality.conf.d - \.conf$ - ^\s*ucredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - oval:mil.disa.stig.ind:obj:23035801 - oval:mil.disa.stig.ind:obj:23035802 - - - - /etc/security/pwquality.conf - ^\s*lcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - 
/etc/security/pwquality.conf.d - \.conf$ - ^\s*lcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - oval:mil.disa.stig.ind:obj:23035901 - oval:mil.disa.stig.ind:obj:23035902 - - - - /etc/security/pwquality.conf - ^\s*dcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - /etc/security/pwquality.conf.d - \.conf$ - ^\s*dcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - oval:mil.disa.stig.ind:obj:23036001 - oval:mil.disa.stig.ind:obj:23036002 - - - - /etc/security/pwquality.conf - ^\s*maxclassrepeat\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - /etc/security/pwquality.conf.d - \.conf$ - ^\s*maxclassrepeat\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - oval:mil.disa.stig.ind:obj:23036101 - oval:mil.disa.stig.ind:obj:23036102 - - - - /etc/security/pwquality.conf - ^\s*maxrepeat\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - /etc/security/pwquality.conf.d - \.conf$ - ^\s*maxrepeat\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - oval:mil.disa.stig.ind:obj:23036201 - oval:mil.disa.stig.ind:obj:23036202 - - - - /etc/security/pwquality.conf - ^\s*minclass\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - /etc/security/pwquality.conf.d - \.conf$ - ^\s*minclass\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - oval:mil.disa.stig.ind:obj:23036301 - oval:mil.disa.stig.ind:obj:23036302 - - - - /etc/security/pwquality.conf - ^\s*difok\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - /etc/security/pwquality.conf.d - \.conf$ - ^\s*difok\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - oval:mil.disa.stig.ind:obj:23036901 - oval:mil.disa.stig.ind:obj:23036902 - - - - /etc/security/pwquality.conf - ^\s*minlen\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - /etc/security/pwquality.conf.d - \.conf$ - ^\s*minlen\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - oval:mil.disa.stig.ind:obj:23037501 - oval:mil.disa.stig.ind:obj:23037502 - - - - /etc/security/pwquality.conf - ^\s*ocredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - - /etc/security/pwquality.conf.d - \.conf$ - ^\s*ocredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - - - /etc/pam.d/postlogin - 
^\s*session\s+.+\s+pam_lastlog\.so\s+(?:\w+\s+)*showfailed\b\s*(?:\w+\b\s*)*\s*(?:#.*)?$ - 1 - - - /etc/pam.d/postlogin - ^\s*session\s+.+\s+pam_lastlog\.so\s+(?:\w+\s+)*silent\b\s*(?:\w+\b\s*)*\s*(?:#.*)?$ - 1 - - - /etc/modprobe.d - .* - ^[ \t]*install[ \t]+usb-storage[ \t]+/bin/false[ \t]*$ - 1 - - - /etc/modprobe.d - .* - ^[ \t]*blacklist[ \t]+usb-storage[ \t]*$ - 1 - - - /etc/pam.d - system-auth - ^[ \t]*password[ \t]+sufficient[ \t]+pam_unix\.so(?:[ \t]+|(?:[ \t][^#\r\f\n]+[ \t]))sha512(?:[ \t]|$) - 1 - - - /etc/pam.d/system-auth - ^[ \t]*password[ \t]+(?:(?:required)|(?:requisite))[ \t]+pam_pwquality\.so(?:[ \t]+|(?:[ \t][^#\r\f\n]+[ \t]+))retry=([0-9]+)(?:\s|$) - 1 - - - aide - - - prelink - - - dracut-fips - - - /sys/fs/selinux - - - redhat-release-client - - - redhat-release-workstation - - - redhat-release-server - - - redhat-release-computenode - - - redhat-release-virtualization-host - - - /etc/redhat-release - ^Red Hat Enterprise Linux release (\d)\.\d+$ - 1 - - - /etc/login.defs - ^[\s]*FAIL_DELAY[\s]+([^#\s]*) - 1 - - - /etc/yum.conf - ^\s*clean_requirements_on_remove\s*=\s*(\S+)\s*$ - 1 - - - /etc/yum.conf - ^\s*localpkg_gpgcheck\s*=\s*(\S+)\s*$ - 1 - - - /etc/cron.allow - - - /etc/ssh/ - ^.*key$ - - - - /etc/ssh/ - ^.*\.pub$ - - - /etc/ssh/sshd_config - ^[\s]*(?i)Compression(?-i)[\s]+(\w+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config - ^[\s]*(?i)GSSAPIAuthentication(?-i)[\s]+(\w+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config - ^[\s]*(?i)KerberosAuthentication(?-i)[\s]+(\w+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config - ^[\s]*(?i)StrictModes(?-i)[\s]+(\w+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config - ^[\s]*(?i)PrintLastLog(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config - ^[\s]*(?i)MACs[\s]+"?([\w,-@]+)+"?[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config - ^[\s]*(?i)UsePrivilegeSeparation(?-i)[\s]+(\w+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/sudoers - ^(?!#).*[\s]+\!\s*authenticate.*$ - 1 - - - 
/etc/sudoers.d - ^.*$ - ^(?!#).*[\s]+\!\s*authenticate.*$ - 1 - - - /etc/sudoers - ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ - 1 - - - /etc/sudoers.d - ^.*$ - ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ - 1 - - - net.ipv4.conf.all.accept_redirects - - - net.ipv4.conf.all.accept_source_route - - - net.ipv4.conf.all.send_redirects - - - net.ipv4.conf.default.accept_redirects - - - net.ipv4.conf.default.accept_source_route - - - net.ipv4.conf.default.send_redirects - - - net.ipv4.icmp_echo_ignore_broadcasts - - - net.ipv4.ip_forward - - - net.ipv6.conf.all.accept_source_route - - - /etc/sysctl.conf - ^\s*net\.ipv4\.conf\.all\.accept_redirects[\s]*=[\s]*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|\.*\n)\s*net\.ipv4\.conf\.all\.send_redirects\s*=\s*(\d+)\s*$ - 1 - - - - \.conf$ - (?:^|\.*\n)\s*net\.ipv4\.conf\.all\.send_redirects\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.rhel7:obj:2246 - oval:mil.disa.stig.rhel7:obj:2247 - - - - /etc/sysctl.conf - (?:^|\.*\n)\s*net\.ipv4\.conf\.default\.accept_redirects\s*=\s*(\d+)\s*$ - 1 - - - - ^.*\.conf$ - (?:^|\.*\n)\s*net\.ipv4\.conf\.default\.accept_redirects\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.rhel7:obj:2250 - oval:mil.disa.stig.rhel7:obj:2252 - - - - /etc/sysctl.conf - ^\s*net\.ipv4\.conf\.default\.accept_source_route[\s]*=[\s]*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^[\s]*net\.ipv4\.conf\.default\.send_redirects[\s]*=[\s]*(\d+)[\s]*$ - 1 - - - /etc/sysctl.conf - ^\s*net\.ipv4\.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^[\s]*net\.ipv4\.ip_forward[\s]*=[\s]*(\d+)[\s]*$ - 1 - - - /etc/sysctl.conf - ^\s*net\.ipv6\.conf\.all\.accept_source_route[\s]*=[\s]*(\d+)\s*$ - 1 - - - /etc/default/useradd - ^\s*INACTIVE\s*=\s*(\d+)\s*$ - 1 - - - /etc/login.defs - ^\s*CREATE_HOME\s+(\S+)\s*$ - 1 - - - /etc/passwd - ^(?!root:)[^:]*:[^:]*:0 - 1 - - - /etc/pam.d/system-auth - ^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so[^#\n\r]*remember=([0-9]*).*$ - 1 - - - /etc/profile.d - ^.*\.sh$ - 
^[\s]*declare[\s]+-xr[\s]+TMOUT[\s]*=[\s]*([\d]*)[\s]*$ - 1 - - - /usr/lib/systemd/system/auditd.service - ^ExecStartPost=\-\/sbin\/auditctl.*$ - 1 - - - /usr/lib/systemd/system/auditd.service - ^ExecStartPost=\-\/sbin\/augenrules.*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset|-1)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset|-1)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset|-1)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset|-1)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+(-F[\s]+perm=([rwa]*)?x([rwa]*)?[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+(-F[\s]+perm=([rwa]*)?x([rwa]*)?[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules - 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - 
/etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - 
.*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^\-w\s+/var/run/faillock/?\s+\-p\s+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - - /etc/audit/audit.rules - ^\-w\s+/var/run/faillock/?\s+\-p\s+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^\-w\s+/var/log/lastlog\s+\-p\s+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - - /etc/audit/audit.rules - ^\-w\s+/var/log/lastlog\s+\-p\s+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - 
^\-a\s+always,exit\s+(\-F\s+arch=b32\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000\s+\-F\s+auid!=(?:4294967295|-1|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^\-a\s+always,exit\s+(\-F\s+arch=b64\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000\s+\-F\s+auid!=(?:4294967295|-1|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - - /etc/audit/audit.rules - ^\-a\s+always,exit\s+(\-F\s+arch=b32\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000\s+\-F\s+auid!=(?:4294967295|-1|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - - /etc/audit/audit.rules - ^\-a\s+always,exit\s+(\-F\s+arch=b64\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000\s+\-F\s+auid!=(?:4294967295|-1|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+execve\s+\-C\s+uid!=euid\s+\-F\s+euid=0\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+execve\s+\-C\s+gid!=egid\s+\-F\s+egid=0\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - - /etc/audit/audit.rules - ^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+execve\s+\-C\s+uid!=euid\s+\-F\s+euid=0\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules - 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=(\/usr)?\/sbin\/pam_timestamp_check[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=(\/usr)?\/sbin\/pam_timestamp_check[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postdrop[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postdrop[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postqueue[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postqueue[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=(\/usr)?\/bin\/su[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=(\/usr)?\/bin\/su[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=(\/usr)?\/bin\/umount[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=(\/usr)?\/bin\/umount[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=(\/usr)?\/sbin\/unix_chkpwd[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=(\/usr)?\/sbin\/unix_chkpwd[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^\s*\-f\s*2\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*\-f\s*2\s*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - 
/etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ - 1 - - - 
/etc/audit/rules.d - .*\.rules$ - ^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ - 1 - - - /etc/audit/auditd.conf - ^[ ]*action_mail_acct[ ]+=[ ]+(\S+)[ ]*$ - 1 - - - /boot/grub2/grub.cfg - - - /boot/efi/EFI/redhat/grub.cfg - - - - /etc/dconf/db - ^[0-9].*$ - ^\[org/gnome/login-screen\]([^\n]*\n+)+?banner-message-enable\s*=\s*true\s*$ - 1 - oval:mil.disa.stig.rhel7:ste:272000 - - - - /etc/dconf/db/ - ^[0-9].*$ - ^\[org/gnome/desktop/screensaver\]([^\n]*\n+)+?idle-activation-enabled\s*=\s*true\s*$ - 1 - - - - /etc/dconf/db/ - ^[0-9].*$ - ^\[org/gnome/desktop/session\](?:[^\n]*\n+)+?idle-delay\s*=\s*uint32[\s]+([0-9]*) - 1 - - - - /etc/dconf/db/ - ^[0-9].*$ - ^\[org/gnome/desktop/screensaver\]([^\n]*\n+)+?lock-delay\s*=\s*uint32\s+[0-5]\s*$ - 1 - - - - /etc/dconf/db/ - ^[0-9].*$ - ^\[org/gnome/desktop/screensaver\]([^\n]*\n+)+?lock-enabled\s*=\s*true\s*$ - 1 - - 
- - / - - oval:mil.disa.stig.rhel7:ste:2784 - - - /etc/ssh/sshd_config - ^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+(\w+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/dconf/profile/user - ^user-db:user\nsystem-db:local$ - 1 - - - /etc/yum.conf - ^\s*gpgcheck\s*=\s*(\S+)\s*$ - 1 - - - /etc/passwd - ^[^#\s\:]+:[^#\s\:]+:[0-9]+:([0-9]+): - 1 - - - /etc/gdm/custom.conf - ^\[daemon]\n(?!([^\n]*\n+)*\[[^\n\]]*]([^\n]*\n+)*AutomaticLoginEnable[ ]?=[ ]?)([^\n]*\n+)*AutomaticLoginEnable[ ]?=[ ]? - 1 - - - /etc/gdm/custom.conf - ^\[daemon]\n(?!([^\n]*\n+)*\[[^\n\]]*]([^\n]*\n+)*TimedLoginEnable[ ]?=[ ]?)([^\n]*\n+)*TimedLoginEnable[ ]?=[ ]? - 1 - - - /etc/fstab - ^\s*\[?[\.\w:-]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ - 0 - - - /etc/fstab - ^\s*\[?[\.\w:-]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ - 0 - - - /etc/pam.d/system-auth - ^[^#]*\s*nullok\s* - 1 - - - dconf - - - gdm - - - net-snmp - - - openssh-server - - - rsh-server - - - telnet-server - - - tftp-server - - - vsftpd - - - xorg-x11-server-common - - - ypserv - - - /home - - - /var - - - /var/log/audit - - - - .* - .* - .* - .* - .* - ^(|/usr|/usr/local)/(bin|sbin|lib|lib64|libexec)/.+$ - oval:mil.disa.stig.rhel7:ste:3860 - oval:mil.disa.stig.rhel7:ste:8647900 - oval:mil.disa.stig.rhel7:ste:8647901 - - - /etc/libuser.conf - ^[\s]*crypt_style[\s]+=[\s]+(\S+)[\s]*$ - 1 - - - - /etc/snmp/snmpd.conf - ^[\s]*(com2se|rocommunity|rwcommunity|createUser|authcommunity)[^#]*(public|private) - 1 - - - - /etc/ssh/sshd_config - ^\s*Protocol[ \t]+([^\s#]*)[ \t]*(?:#.*)?$ - 1 - - - - /etc/ssh/sshd_config - ^[\s]*PermitEmptyPasswords[ \t]+([^\s#]*)[ \t]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config - ^[\s]*(?i)IgnoreRhosts(?-i)[\s]+(\w+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config - ^[\s]*(?i)RhostsRSAAuthentication(?-i)[\s]+(\w+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config - ^[\s]*(?i)PermitRootLogin(?-i)[\s]+(\w+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config - ^[\s]*(?i)IgnoreUserKnownHosts(?-i)[\s]+(\w+)[\s]*(?:|(?:#.*))?$ 
- 1 - - - /etc/ssh/sshd_config - ^[\s]*(?i)PermitUserEnvironment(?-i)[\s]+(\w*)[\s]*(?:|(?:#.*))?$ - 1 - - - - /etc/ssh/sshd_config - ^[\s]*X11Forwarding[ \t]+([^\s#]*)[ \t]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config - ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/ssh/sshd_config - ^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:|(?:#.*))?$ - 1 - - - - /etc/ssh/sshd_config - ^[\s]*Ciphers[\s]+(.*) - 1 - - - /etc/sssd/sssd.conf - ^[\s]*\[sssd\]([^\n]*\n+)+?[\s]*services.*pam.*$ - 1 - - - net.ipv6.conf.all.disable_ipv6 - - - /etc/sysctl.conf - ^[\s]*net\.ipv6\.conf\.all\.disable_ipv6[\s]*=[\s]*1[\s]*$ - 1 - - - - - - - /etc/ssh/sshd_config - ^[\s]*MACs[\s]+"?([\w,-@]+)+"?[\s]*(?:|(?:#.*))?$ - 1 - - - /etc/login.defs - ^\s*PASS_MAX_DAYS\s+(\d+)\s*$ - 1 - - - /etc/login.defs - ^\s*PASS_MIN_DAYS\s+(\d+)\s*$ - 1 - - - /etc/login.defs - ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*) - 1 - - - /etc/audit/audit.rules - ^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+execve\s+\-C\s+gid!=egid\s+\-F\s+egid=0\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - - /etc/group - ^[^#\s\:]+:[^#\s\:]*:([0-9]+): - 1 - - - /etc/login.defs - ^\s*ENCRYPT_METHOD\s+(\w+)\s*$ - 1 - - - openssh-server - - - - ^\s*linux(?:[^#\n]*)/vmlinuz([^#\n]*) - 1 - - - /etc/redhat-release - ^Red Hat Enterprise Linux.*release\s+(\S+)\s+ - 1 - - - /etc/sudoers - ^\s*ALL\s+ALL\=\(ALL(?:|\:ALL)\)\s+ALL\s*$ - 1 - - - /etc/sudoers.d - ^.*$ - ^\s*ALL\s+ALL\=\(ALL(?:|\:ALL)\)\s+ALL\s*$ - 1 - - - /etc/sudoers - ^\s*(?i)Defaults\s+\!targetpw\s*$ - 1 - - - ^/etc/sudoers\.d.* - ^.*$ - ^\s*(?i)Defaults\s+\!targetpw\s*$ - 1 - - - /etc/sudoers - ^\s*(?i)Defaults\s+\!rootpw\s*$ - 1 - - - ^/etc/sudoers\.d.* - ^.*$ - ^\s*(?i)Defaults\s+\!rootpw\s*$ - 1 - - - /etc/sudoers - ^\s*(?i)Defaults\s+\!runaspw\s*$ - 1 - - - ^/etc/sudoers\.d.* - ^.*$ - ^\s*(?i)Defaults\s+\!runaspw\s*$ - 1 - - - - /etc/sudoers - ^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$ - 1 - - - - /etc/sudoers.d - ^.*$ - 
^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$ - 1 - - - - oval:mil.disa.stig.rhel7:obj:17900 - oval:mil.disa.stig.rhel7:obj:17901 - - - - - \.conf$ - (?:^|\.*\n)\s*net\.ipv4\.conf\.all\.accept_source_route\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|.*\n)\s*net\.ipv4\.conf\.all\.accept_source_route\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.rhel7:obj:25101 - oval:mil.disa.stig.rhel7:obj:25102 - - - - /etc/audit/rules.d - .*\.rules$ - ^\-a\s+always,exit\s+(?:(\-F[\s]+path=\/bin\/mount[\s]+))(-F\s+perm=([rwa]*x[rwa]*)\s+)?(?:-F\s+auid>=1000\s+\-F\s+auid!=(?:4294967295|-1|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^\-a\s+always,exit\s+(?:(-F[\s]+path=\/usr\/bin\/mount[\s]+))(-F\s+perm=([rwa]*x[rwa]*)\s+)?(?:-F\s+auid>=1000\s+\-F\s+auid!=(?:4294967295|-1|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - - /etc/audit/audit.rules - ^\-a\s+always,exit\s+(?:(\-F[\s]+path=\/bin\/mount[\s]+))(-F\s+perm=([rwa]*x[rwa]*)\s+)?(?:-F\s+auid>=1000\s+\-F\s+auid!=(?:4294967295|-1|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - - /etc/audit/audit.rules - ^\-a\s+always,exit\s+(?:(-F[\s]+path=\/usr\/bin\/mount[\s]+))(-F\s+perm=([rwa]*x[rwa]*)\s+)?(?:-F\s+auid>=1000\s+\-F\s+auid!=(?:4294967295|-1|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - - /etc/gdm/custom.conf - ^[ ]*AutomaticLoginEnable[ ]?=[ ]?([^\W]*)[ ]*$ - 1 - - - /etc/gdm/custom.conf - ^[ ]*TimedLoginEnable[ ]?=[ ]?([^\W]*)[ ]*$ - 1 - - - /etc/sssd/conf.d - ^.*\.conf$ - ^[\s]*\[sssd\]([^\n]*\n+)+?[\s]*services.*pam.*$ - 1 - - - /etc/pam.d/password-auth - ^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so[^#\n\r]*remember=([0-9]*).*$ - 1 - - - /etc/pam.d/password-auth - ^[^#]*\s*nullok\s* - 1 - - - - - - .* - oval:mil.disa.stig.rhel7:ste:8655101 - oval:mil.disa.stig.rhel7:ste:8655102 - - - /etc/shadow - - 1 - - - ^(/usr)?/sbin/automount.* - 1 - - - [\w]+ - - - - oval:mil.disa.stig.rhel7:obj:8663500 - oval:mil.disa.stig.rhel7:ste:8663501 - - - - - 
oval:mil.disa.stig.rhel7:obj:8663500 - oval:mil.disa.stig.rhel7:ste:8663502 - - - - - - - - - - - - - oval:mil.disa.stig.rhel7:obj:8663501 - oval:mil.disa.stig.rhel7:ste:8663500 - oval:mil.disa.stig.rhel7:ste:8663900 - - - - - oval:mil.disa.stig.rhel7:obj:8663502 - oval:mil.disa.stig.rhel7:ste:8663500 - - - - /etc/mtab - ^\s*\[?[\.\w:-]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ - 0 - - - /etc/fstab - ^\S+\s+/var/log/audit\s+ - 1 - - - /tmp - - - [\00]*\/sbin\/auditd[\00]* - 1 - - - - /etc/audisp/audisp-remote.conf - ^[ ]*remote_server[ ]+=[ ]+(.*) - 1 - - - - /etc/audisp/audisp-remote.conf - ^[ ]*enable_krb5[ ]+=[ ]+([^ ]*)[ ]*$ - 1 - - - - /etc/audisp/audisp-remote.conf - ^\s*disk_full_action\s+=\s+(\S+)\s*$ - 1 - - - - /etc/audit/auditd.conf - ^[ ]*space_left_action[ ]+=[ ]+([^ ]*)[ ]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+execve\s+\-C\s+uid!=euid\s+\-F\s+euid=0\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+execve\s+\-C\s+gid!=egid\s+\-F\s+egid=0\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - - /etc/audit/audit.rules - ^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+execve\s+\-C\s+uid!=euid\s+\-F\s+euid=0\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - - /etc/audit/audit.rules - ^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+execve\s+\-C\s+gid!=egid\s+\-F\s+egid=0\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=(\/usr)?\/sbin\/setfiles[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=(\/usr)?\/sbin\/setfiles[\s]+(-F[\s]+perm=([rwa]*x[rwa]*)[\s]+)?-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|-1|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - 
^\-w[\s]+/etc/sudoers\.d/?[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^\-w[\s]+/etc/sudoers\.d/?[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+path=\/usr\/bin\/kmod\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - /etc/audit/audit.rules - ^\s*-a\s+(always,exit|exit,always)\s+-F\s+path=\/usr\/bin\/kmod\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ - 1 - - - - / - .shosts - - - - / - shosts.equiv - - - /proc/cmdline - \bipv6\.disable=1\b - 1 - - - pam_pkcs11 - - - /etc/pam_pkcs11/pam_pkcs11.conf - ^[\s]*cert_policy[ \t]+=[ \t]+([\w\,"' ]+);\s*$ - 1 - - - /etc/pam_pkcs11/pam_pkcs11.conf - ^[\s]*cert_policy[ \t]+=[ \t]+([\w\,"' ]*ocsp_on[\w\,"' ]*);\s*$ - 3 - - - - - ^.*$ - ^/org/gnome/desktop/screensaver/lock-delay$ - 1 - - - - oval:mil.disa.stig.rhel7:obj:2765 - oval:mil.disa.stig.rhel7:ste:8780700 - - - - /etc/mtab - ^\s*\[?[\.\w:-]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ - 0 - - - /etc/audisp/audisp-remote.conf - (?i)^\s*network_failure_action[ ]*=[ ]*([\w]+)\s* - 1 - - - - /etc/dconf/db/ - ^[0-9].*$ - ^\s*\[org/gnome/login-screen\](?:[^\n]*\n+)+?enable-smartcard-authentication\s*=\s*(\w+)\s*$ - 1 - - - /usr/lib/systemd/system - rescue.service - ^\s*ExecStart=([^\n#]+)$ - 1 - - - kernel.randomize_va_space - - - - \.conf$ - ^\s*kernel\.randomize_va_space\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*kernel\.randomize_va_space\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.rhel7:obj:9252101 - oval:mil.disa.stig.rhel7:obj:9252102 - - - - - /etc/dconf/db/ - ^[0-9].*$ - ^\[org/gnome/desktop/screensaver\]([^\n]*\n+)+?idle-activation-enabled\s*=\s*(?:true|false)\s*$ - 1 - - - - oval:mil.disa.stig.rhel7:obj:9370300 - 
oval:mil.disa.stig.rhel7:ste:9370300 - - - - - - ^.*$ - ^/org/gnome/desktop/screensaver/idle-activation-enabled\s*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/rules.d - .*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ - 1 - - - /etc/pam.d - passwd - ^[\s]*password[ \t]+substack[ \t]+system-auth\s*$ - 1 - - - /boot/grub2/user.cfg - ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.\S+$ - 1 - - - /boot/grub2/grub.cfg - ^[\s]*set[\s]+superusers=\"\S+\"\s*$ - 1 - - - /boot/efi/EFI/redhat/user.cfg - 
^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.\S+$ - 1 - - - /boot/efi/EFI/redhat/grub.cfg - ^[\s]*set[\s]+superusers=\"\S+\"$ - 1 - - - - /etc/audisp/plugins.d/au-remote.conf - ^[ ]*active[ ]+=[ ]+([^ ]*)[ ]*$ - 1 - - - - /etc/audisp/plugins.d/au-remote.conf - ^[ ]*direction[ ]+=[ ]+([^ ]*)[ ]*$ - 1 - - - - /etc/audisp/plugins.d/au-remote.conf - ^[ ]*path[ ]+=[ ]+([^ ]*)[ ]*$ - 1 - - - - /etc/audisp/plugins.d/au-remote.conf - ^[ ]*type[ ]+=[ ]+([^ ]*)[ ]*$ - 1 - - - /etc/audisp/audispd.conf - (?i)^\s*overflow_action[ ]*=[ ]*([\w]+)\s* - 1 - - - /etc/audisp/audispd.conf - (?i)^\s*name_format[ ]*=[ ]*([\w]+)\s* - 1 - - - - oval:mil.disa.stig.rhel7:obj:2255 - oval:mil.disa.stig.rhel7:obj:20461201 - - - - - ^.*\.conf$ - ^\s*net\.ipv4\.conf\.default\.accept_source_route[\s]*=[\s]*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.rhel7:obj:2279 - oval:mil.disa.stig.rhel7:obj:20461301 - - - - - ^.*\.conf$ - (?:^|.*\n)\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.rhel7:obj:2221 - oval:mil.disa.stig.rhel7:obj:20461501 - - - - - ^.*\.conf$ - ^\s*net\.ipv4\.conf\.all\.accept_redirects[\s]*=[\s]*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.rhel7:obj:2275 - oval:mil.disa.stig.rhel7:obj:20461601 - - - - - ^.*\.conf$ - ^[\s]*net\.ipv4\.conf\.default\.send_redirects[\s]*=[\s]*(\d+)[\s]*$ - 1 - - - - oval:mil.disa.stig.rhel7:obj:2289 - oval:mil.disa.stig.rhel7:obj:20462501 - - - - - ^.*\.conf$ - ^[\s]*net\.ipv4\.ip_forward[\s]*=[\s]*(\d+)[\s]*$ - 1 - - - - oval:mil.disa.stig.rhel7:obj:2308 - oval:mil.disa.stig.rhel7:obj:20463001 - - - - - \.conf$ - ^\s*net\.ipv6\.conf\.all\.accept_source_route[\s]*=[\s]*(\d+)\s*$ - 1 - - - .+ - oval:mil.disa.stig.unix:ste:23036702 - - - .* - oval:mil.disa.stig.unix:ste:23036704 - oval:mil.disa.stig.unix:ste:23036703 - - - root - - - - - 0 - - - ^[123]$ - - - 0 - - - ((?:[0-5]?[0-9]|\*)[ \t]+(?:[01]?[0-9]|2[0-3]|\*)[ \t]+\*[ \t]+\*[ \t]+(?:[0-7]|sun|mon|tue|wed|thu|fri|sat)) - - - ((?:[0-5]?[0-9]|\*)[ 
\t]+(?:[01]?[0-9]|2[0-3])[ \t]+\*[ \t]+\*[ \t]+(?:[0-7]|sun|mon|tue|wed|thu|fri|sat|\*)) - - - ((?:[0-5]?[0-9])[ \t]+(?:[01]?[0-9]|2[0-3]|\*)[ \t]+\*[ \t]+\*[ \t]+(?:[0-7]|sun|mon|tue|wed|thu|fri|sat|\*)) - - - ^(.* )?fips=1( .*)?$ - - - targeted - - - 10 - - - 4 - - - 3 - - - 4 - - - 8 - - - 15 - - - selinuxfs - - - ^7.*$ - - - ^7.*$ - - - ^7.*$ - - - ^7.*$ - - - 7 - - - - - - ^(1|True|yes)$ - - - 0 - - - 0 - - - false - false - false - false - false - false - false - false - false - - - false - false - false - false - false - false - false - false - - - ^hmac-sha2-512,hmac-sha2-256$ - - - 0 - - - 0 - - - 0 - - - 0 - - - - - - 0 - - - - - - 0 - - - 0 - - - 1 - - - 35 - - - 0 - - - yes - - - - - - - - - - - - 900 - - - - - - - - - 1000 - true - - - - - - ^.*noexec.*$ - - - ^.*nosuid.*$ - - - ^[Ss][Hh][Aa]512$ - - - SHA512 - - - - - - 0 - - - 0 - - - ^"?(aes256-ctr,aes192-ctr,aes128-ctr)"?[\s]*(?:|(?:#.*))?$ - - - 1 - - - ppc64 - - - ppc64le - - - x86_64 - - - fail - - - ^(1|True|yes)$ - - - 7.9 - - - 0 - - - 0 - - - 0 - - - 0 - - - 077 - - - no - - - 1 - - - ^[Ff][Aa][Ll][Ss][Ee]$ - - - ^[Ff][Aa][Ll][Ss][Ee]$ - - - ^(2|"2")$ - - - ^(no|"no")$ - - - no - - - ^(no|"no")$ - - - ^/etc/dconf/db/[^/]+\.d/?$ - - - true - - - true - - - 1 - - - 1000 - - - - - - 7.0 - - - 7.1 - - - 7.2 - - - 7.3 - - - .+ - - - 1000 - - - 0 - - - / - - - ^.+$ - - - ^[Yy][Ee][Ss]$ - - - ^[Ss][Yy][Ss][Ll][Oo][Gg]$ - - - ^[Ss][Ii][Nn][Gg][Ll][Ee]$ - - - ^[Hh][Aa][Ll][Tt]$ - - - ^[Ee][Mm][Aa][Ii][Ll]$ - - - no - - - yes - - - ^yes$|^"yes"$ - - - no - - - yes - - - 0:7.4p1-0 - - - no - - - no - - - yes - - - sandbox - - - yes - - - ^(no|delayed)$ - - - ^[^#]*\bipv6\.disable=1\b - - - ^["']*ocsp_on["']*$|^["']*ocsp_on["',\s]|["',\s]ocsp_on["',\s]|["',\s]ocsp_on["']*$ - - - - - - (?i)^syslog|single|halt$ - - - ^true$ - - - ^false$ - - - ['"; ]*\/usr\/sbin\/sulogin['"; ]* - - - 2 - - - 2 - - - - - - ^[Yy][Ee][Ss]$ - - - ^[Oo][Uu][Tt]$ - - - ^\/sbin\/audisp\-remote$ - - - ^[Aa][Ll][Ww][Aa][Yy][Ss]$ - 
- - (?i)^syslog|single|halt$ - - - (?i)^hostname|fqd|numeric$ - - - 0 - - - 0 - - - 0 - - - 60 - - - - - - - - - 1000 - - - - - /boot/grub2/grub.cfg - /boot/efi/EFI/redhat/grub.cfg - - - - ^ - - - - - 65534 - 65535 - 4294967294 - 4294967295 - - - - - - - - - - - - - - - - - - - - /boot/grub2/grub.cfg - /boot/efi/EFI/redhat/grub.cfg - - - /etc/sysctl.d - /run/sysctl.d - /lib/sysctl.d - /usr/lib/sysctl.d - /usr/local/lib/sysctl.d - - - /etc/sysctl.d - /run/sysctl.d - /lib/sysctl.d - /usr/lib/sysctl.d - /usr/local/lib/sysctl.d - - - /etc/sysctl.d - /run/sysctl.d - /lib/sysctl.d - /usr/lib/sysctl.d - /usr/local/lib/sysctl.d - - - /etc/sysctl.d - /run/sysctl.d - /lib/sysctl.d - /usr/lib/sysctl.d - /usr/local/lib/sysctl.d - - - - - - 65534 - 65535 - 4294967294 - 4294967295 - - - - ^ - - :[^:]*:[^:]*:: - - - - - - - - - - - - - - - - - /locks - - - - /etc/sysctl.d - /run/sysctl.d - /usr/local/lib/sysctl.d - /usr/lib/sysctl.d - /lib/sysctl.d - - - - - - - - - - /locks - - - - - - - - - repotool - 5.10 - 2023-12-27T23:04:39 - - - - - RHEL 7 is installed - - Red Hat Enterprise Linux 7 - - - RHEL 7 is installed - - - - - - - - - - - - - - - redhat-release-(client|workstation|server|computenode|virtualization-host) - - - - - ^7\.\d+$ - - - - - diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template index 0edc5c73283..54a8cb3134d 100644 --- a/shared/templates/audit_rules_privileged_commands/ansible.template +++ b/shared/templates/audit_rules_privileged_commands/ansible.template 
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
 {{%- set perm_x=" -F perm=x" %}}
 {{%- endif %}}
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template
index 21121564e81..02d0292afe6 100644
--- a/shared/templates/audit_rules_privileged_commands/bash.template
+++ b/shared/templates/audit_rules_privileged_commands/bash.template
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204", "debian12"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204", "debian12"] %}}
 {{%- set perm_x=" -F perm=x" %}}
 {{%- endif %}}
 # platform = multi_platform_all
diff --git a/shared/templates/audit_rules_privileged_commands/oval.template b/shared/templates/audit_rules_privileged_commands/oval.template
index 617df29299d..9eb661e305c 100644
--- a/shared/templates/audit_rules_privileged_commands/oval.template
+++ b/shared/templates/audit_rules_privileged_commands/oval.template
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204", "debian12"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204", "debian12"] %}}
 {{%- set perm_x="(?:[\s]+-F[\s]+perm=x)" %}}
 {{%- endif %}}
 
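Review bot: The product list that turns on `-F perm=x` is now maintained by hand in four places (these three templates plus tests/common.sh in the next hunk) and they already disagree: the bash and OVAL lists contain "debian12" while the Ansible and tests/common.sh lists do not, so on debian12 the Ansible remediation writes an audit rule without `perm=x` while the OVAL check is rendered with it; whether a remediated system then fails the check depends on whether the OVAL regex treats `perm_x` as optional, which is not visible here. Since rhel8/rhel9/rhel10 now make up the whole RHEL family, the literal entries could use the family test the sysctl OVAL template already uses, e.g. `{{%- if product in ["fedora", "ol7", "ol8", "ol9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] or 'rhel' in product %}}`, applied identically in all four files so the lists cannot drift again. The debian12 discrepancy predates this commit, but this is the moment to settle it while every list is being edited.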
diff --git a/shared/templates/audit_rules_privileged_commands/tests/common.sh b/shared/templates/audit_rules_privileged_commands/tests/common.sh index c8551b9a8bf..71ba70ee1ba 100644 --- a/shared/templates/audit_rules_privileged_commands/tests/common.sh +++ b/shared/templates/audit_rules_privileged_commands/tests/common.sh @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} perm_x="-F perm=x" {{%- endif %}} diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template index 141039a567c..416bfc1d317 100644 --- a/shared/templates/grub2_bootloader_argument/oval.template +++ b/shared/templates/grub2_bootloader_argument/oval.template @@ -22,7 +22,7 @@ {{% set system_with_kernel_options_in_grubenv = true %}} {{%- endif -%}} -{{% if product in ["ol7", "rhel7"] or 'ubuntu' in product -%}} +{{% if product in ["ol7"] or 'ubuntu' in product -%}} {{% set system_with_expanded_kernel_options_in_grub_cfg = true %}} {{%- endif -%}} @@ -210,7 +210,7 @@ {{{ path }}} - {{% if product in ["ol7", "rhel7"] or 'ubuntu' in product %}} + {{% if product in ["ol7"] or 'ubuntu' in product %}} ^.*/vmlinuz.*(root=.*)$ {{% else %}} ^set default_kernelopts=(.*)$ diff --git a/shared/templates/grub2_bootloader_argument_absent/oval.template b/shared/templates/grub2_bootloader_argument_absent/oval.template index 5a4d87864b1..a65e13b6940 100644 --- a/shared/templates/grub2_bootloader_argument_absent/oval.template +++ b/shared/templates/grub2_bootloader_argument_absent/oval.template 
@@ -21,7 +21,7 @@ {{% set system_with_kernel_options_in_grubenv = true %}} {{%- endif -%}} -{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product -%}} +{{% if product in ["ol7"] or 'ubuntu' in product -%}} {{% set system_with_expanded_kernel_options_in_grub_cfg = true %}} {{%- endif -%}} @@ -159,7 +159,7 @@ {{{ path }}} - {{% if product in ["rhel7"] or 'ubuntu' in product %}} + {{% if 'ubuntu' in product %}} ^.*/vmlinuz.*(root=.*)$ {{% else %}} ^set default_kernelopts=(.*)$ diff --git a/shared/templates/grub2_bootloader_argument_absent/tests/arg_there_etcdefaultgrub.fail.sh b/shared/templates/grub2_bootloader_argument_absent/tests/arg_there_etcdefaultgrub.fail.sh index 46ca336235a..fc3db8ccd5e 100644 --- a/shared/templates/grub2_bootloader_argument_absent/tests/arg_there_etcdefaultgrub.fail.sh +++ b/shared/templates/grub2_bootloader_argument_absent/tests/arg_there_etcdefaultgrub.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_rhel # packages = grub2-tools,grubby # Adds argument from kernel command line in /etc/default/grub diff --git a/shared/templates/grub2_bootloader_argument_absent/tests/arg_value_there_etcdefaultgrub.fail.sh b/shared/templates/grub2_bootloader_argument_absent/tests/arg_value_there_etcdefaultgrub.fail.sh index e5ce738c392..e51f669fdb9 100644 --- a/shared/templates/grub2_bootloader_argument_absent/tests/arg_value_there_etcdefaultgrub.fail.sh +++ b/shared/templates/grub2_bootloader_argument_absent/tests/arg_value_there_etcdefaultgrub.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_rhel # packages = grub2-tools,grubby # Adds argument with a value from kernel command line in /etc/default/grub 
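Review bot: At `@@ -159` the vmlinuz regex is now chosen only for ubuntu, while `@@ -21` of the same file still sets `system_with_expanded_kernel_options_in_grub_cfg` for ol7, and the sibling grub2_bootloader_argument/oval.template keeps `product in ["ol7"] or 'ubuntu' in product` at the corresponding spot. The asymmetry is pre-existing (the old line listed rhel7 but not ol7) and may be intentional, but after this change ol7 is the only product on which the present- and absent-variants disagree; if ol7's grub.cfg carries expanded kernel options, the absent-check would look for `^set default_kernelopts=(.*)$` and miss the argument it is supposed to reject. Either align the line with the sibling template, `{{% if product in ["ol7"] or 'ubuntu' in product %}}`, or add a comment stating why ol7 is handled differently here.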
diff --git a/shared/templates/grub2_bootloader_argument_absent/tests/mising_arg_invalid_rescue.pass.sh b/shared/templates/grub2_bootloader_argument_absent/tests/mising_arg_invalid_rescue.pass.sh index 511a643359d..9eda415667a 100644 --- a/shared/templates/grub2_bootloader_argument_absent/tests/mising_arg_invalid_rescue.pass.sh +++ b/shared/templates/grub2_bootloader_argument_absent/tests/mising_arg_invalid_rescue.pass.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10 # packages = grub2,grubby # Ensure the kernel command line for each installed kernel in the bootloader diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh index 24936609706..bbf97fa2ac0 100644 --- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh +++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authconfig -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora +# platform = Oracle Linux 7,multi_platform_fedora # variables = var_accounts_passwords_pam_faillock_deny=3 authconfig --enablefaillock --faillockargs="deny=3" --update diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_pam_files.fail.sh index 34405f59422..cb1ca930499 100644 --- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_pam_files.fail.sh +++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_pam_files.fail.sh 
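Review bot: The header of mising_arg_invalid_rescue.pass.sh becomes `Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10`, whereas the two sibling scenarios in the previous hunks were switched to `multi_platform_rhel`; rhel8 stays excluded as it was before, but that exclusion is now the only thing distinguishing this header from its siblings and nothing records why. If rhel8 is skipped on purpose (a different rescue-kernel layout, presumably), a one-line comment such as `# rhel8 excluded: rescue entry layout differs` would keep the next reader from "fixing" it; otherwise `# platform = multi_platform_rhel` keeps the three scenarios consistent.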
@@ -1,6 +1,6 @@ #!/bin/bash # packages = authconfig -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora +# platform = Oracle Linux 7,multi_platform_fedora # variables = var_accounts_passwords_pam_faillock_deny=3 authconfig --enablefaillock --faillockargs="deny=5" --update diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh index dbc12db6b9f..51d94b3333b 100644 --- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh +++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authconfig -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora +# platform = Oracle Linux 7,multi_platform_fedora # remediation = none # variables = var_accounts_passwords_pam_faillock_deny=3 diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh index b780f320362..e3ec96da080 100644 --- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh +++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh @@ -1,11 +1,7 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle -{{%- if product in ["rhel7"] %}} -# packages = authconfig -{{%- else %}} # packages = authselect # remediation = none -{{%- endif %}} # variables = var_accounts_passwords_pam_faillock_deny=3 # This test scenario manually modify the pam_faillock.so entries in auth section from 
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh index 03f93edaa4f..54729a3144b 100644 --- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh +++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authconfig -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora +# platform = Oracle Linux 7,multi_platform_fedora # variables = var_accounts_passwords_pam_faillock_deny=3 authconfig --enablefaillock --faillockargs="deny=2" --update diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template index b6d23494c6b..607b305618c 100644 --- a/shared/templates/sysctl/ansible.template +++ b/shared/templates/sysctl/ansible.template @@ -11,15 +11,15 @@ - "/run/sysctl.d/" - "/etc/sysctl.d/" - "/usr/local/lib/sysctl.d/" - - "/lib/sysctl.d/" -{{% else %}} + - "/lib/sysctl.d/" +{{% else %}} find: paths: - "/etc/sysctl.d/" - "/run/sysctl.d/" - "/usr/local/lib/sysctl.d/" {{% endif %}} -{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} - "/usr/lib/sysctl.d/" {{% endif %}} contains: '^[\s]*{{{ SYSCTLVAR }}}.*$' diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template index 0130f6d80b5..887adae43cf 100644 --- a/shared/templates/sysctl/bash.template +++ b/shared/templates/sysctl/bash.template 
@@ -7,7 +7,7 @@ # Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files {{% if product in [ "sle12", "sle15"] %}} for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do -{{% elif product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "ubuntu2004", "ubuntu2204"] %}} +{{% elif product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "ubuntu2004", "ubuntu2204"] %}} for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do {{% else %}} for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template index 557aea4b49c..3e07db13ddc 100644 --- a/shared/templates/sysctl/oval.template +++ b/shared/templates/sysctl/oval.template @@ -188,7 +188,7 @@ object_static_etc_sysctls_{{{ rule_id }}} -{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "ubuntu2004", "ubuntu2204"] %}} +{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "ubuntu2004", "ubuntu2204"] %}} object_static_lib_sysctld_{{{ rule_id }}} {{% endif %}} @@ -235,7 +235,7 @@ ^.*\.conf$ {{{ sysctl_match() }}} -{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "ubuntu2004", "ubuntu2204"] %}} +{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "ubuntu2004", "ubuntu2204"] or 'rhel' in product %}} /lib/sysctl.d ^.*\.conf$ diff --git a/ssg/constants.py b/ssg/constants.py index 14c6cb5d5f3..0ba110e5cad 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -55,7 +55,7 @@ 'openeuler2203', 'opensuse', 'openembedded', - 'rhel7', 'rhel8', 'rhel9', 'rhel10', + 'rhel8', 'rhel9', 'rhel10', 'rhv4', 'sle12', 'sle15', 'ubuntu1604', 'ubuntu1804', 'ubuntu2004', 'ubuntu2204', 
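Review bot: In sysctl/oval.template the two conditions no longer agree: `@@ -188` still suppresses the reference to `object_static_lib_sysctld_{{{ rule_id }}}` for rhel8/rhel9/rhel10, while `@@ -235` now emits the `/lib/sysctl.d` object definition for them, because rhel was dropped from that list and `product not in [...]` is therefore already true for every rhel product; the appended `or 'rhel' in product` is redundant. Unless the object is referenced elsewhere in the template, rhel builds now carry a defined-but-unreferenced object, and the sysctl bash and Ansible templates in the previous hunks still keep /lib/sysctl.d out of the rhel path. If rhel is meant to stay excluded, the line should mirror `@@ -188`: `{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "ubuntu2004", "ubuntu2204"] %}}`; if /lib/sysctl.d is meant to start being checked on rhel, `@@ -188` needs the matching change and the bash/Ansible remediations should cover that directory too.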
@@ -216,7 +216,6 @@ "Oracle Linux 9": "ol9", "openEuler 2203": "openeuler2203", "openSUSE": "opensuse", - "Red Hat Enterprise Linux 7": "rhel7", "Red Hat Enterprise Linux 8": "rhel8", "Red Hat Enterprise Linux 9": "rhel9", "Red Hat Enterprise Linux 10": "rhel10", @@ -295,7 +294,7 @@ "multi_platform_ol": ["ol7", "ol8", "ol9"], "multi_platform_ocp": ["ocp4"], "multi_platform_rhcos": ["rhcos4"], - "multi_platform_rhel": ["rhel7", "rhel8", "rhel9", "rhel10"], + "multi_platform_rhel": ["rhel8", "rhel9", "rhel10"], "multi_platform_rhv": ["rhv4"], "multi_platform_sle": ["sle12", "sle15"], "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204"], @@ -304,16 +303,11 @@ } RHEL_CENTOS_CPE_MAPPING = { - "cpe:/o:redhat:enterprise_linux:7": "cpe:/o:centos:centos:7", "cpe:/o:redhat:enterprise_linux:8": "cpe:/o:centos:centos:8", "cpe:/o:redhat:enterprise_linux:9": "cpe:/o:centos:centos:9", "cpe:/o:redhat:enterprise_linux:10": "cpe:/o:centos:centos:10", } -RHEL_SL_CPE_MAPPING = { - "cpe:/o:redhat:enterprise_linux:7": "cpe:/o:scientificlinux:scientificlinux:7", -} - CENTOS_NOTICE = \ "
\n" \ "

This benchmark is a direct port of a SCAP Security Guide " \ @@ -349,46 +343,6 @@ ".
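Review bot: `RHEL_SL_CPE_MAPPING` is deleted here, `SL_NOTICE` in the following hunk, and `@@ -512` drops the `sl7` and `centos7` keys from DERIVATIVES_PRODUCT_MAPPING, but no hunk on this page touches a consumer of those names; any module that still does `from ssg.constants import RHEL_SL_CPE_MAPPING` (the derivative-enabling utility is the likely one) would fail at import time rather than at the point of use. Worth confirming with a tree-wide search for `RHEL_SL_CPE_MAPPING`, `SL_NOTICE` and `"sl7"` before merging. If Scientific Linux support is being retired deliberately, it deserves a mention in the commit message, since from the content's point of view the removal is otherwise silent.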

" \ "
" -SL_NOTICE = \ - "
\n" \ - "

This benchmark is a direct port of a SCAP Security Guide " \ - "benchmark developed for Red Hat Enterprise Linux. It has been " \ - "modified through an automated process to remove specific dependencies " \ - "on Red Hat Enterprise Linux and to function with Scientifc Linux. " \ - "The result is a generally useful SCAP Security Guide benchmark " \ - "with the following caveats:

\n" \ - "
    \n" \ - "
  • Scientifc Linux is not an exact copy of " \ - "Red Hat Enterprise Linux. Scientific Linux is a Linux distribution " \ - "produced by Fermi National Accelerator Laboratory. It is a free and " \ - "open source operating system based on Red Hat Enterprise Linux and aims " \ - "to be \"as close to the commercial enterprise distribution as we can get it.\" " \ - "There may be configuration differences that produce false positives and/or " \ - "false negatives. If this occurs please file a bug report.
  • \n" \ - "\n" \ - "
  • Scientifc Linux is derived from the free and open source software " \ - "made available by Red Hat, but it is not produced, maintained or supported by Red Hat. " \ - "Scientifc Linux has its own build system, compiler options, patchsets, " \ - "and is a community supported, non-commercial operating system. " \ - "Scientifc Linux does not inherit " \ - "certifications or evaluations from Red Hat Enterprise Linux. As " \ - "such, some configuration rules (such as those requiring " \ - "FIPS 140-2 encryption) will continue to fail on Scientifc Linux.
  • \n" \ - "
\n" \ - "\n" \ - "

Members of the Scientifc Linux community are invited to participate in " \ - "OpenSCAP and " \ - "" \ - "SCAP Security Guide development. Bug reports and patches " \ - "can be sent to GitHub: " \ - "" \ - "https://github.com/ComplianceAsCode/content. " \ - "The mailing list is at " \ - "" \ - "https://fedorahosted.org/mailman/listinfo/scap-security-guide" \ - ".

" \ - "
" - XCCDF_REFINABLE_PROPERTIES = ["weight", "severity", "role", "selector"] OVAL_TO_XCCDF_DATATYPE_CONSTRAINTS = { @@ -512,11 +466,9 @@ class OvalNamespaces: OVAL_NAMESPACES = OvalNamespaces() DERIVATIVES_PRODUCT_MAPPING = { - "centos7": "rhel7", "centos8": "rhel8", "cs9": "rhel9", "cs10": "rhel10", - "sl7": "rhel7" } BENCHMARKS = { diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index b819203fcbf..8786f446d8a 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -218,7 +218,7 @@ if(PYTHON_VERSION_MAJOR GREATER 2 AND PYTHON_VERSION_MINOR GREATER 6) if(PY_PROMETHEUS_CLIENT) add_test( NAME "test-controleval-prometheus-metrics" - COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/controleval_metrics.py" "--controls-dir" "${CMAKE_SOURCE_DIR}/tests/unit/ssg-module/data/controls_dir" "prometheus" "--products" "fedora" "ol9" "rhel7" "rhel8" "rhel9" "sle15" + COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/controleval_metrics.py" "--controls-dir" "${CMAKE_SOURCE_DIR}/tests/unit/ssg-module/data/controls_dir" "prometheus" "--products" "fedora" "ol9" "rhel8" "rhel9" "rhel10" "sle15" ) set_tests_properties("test-controleval-prometheus-metrics" PROPERTIES LABELS quick) endif() @@ -262,10 +262,6 @@ if(PYTHON_VERSION_MAJOR GREATER 2 AND SSG_PRODUCT_RHEL8) stig_srg_mapping_test("rhel8") endif() -if(PYTHON_VERSION_MAJOR GREATER 2 AND SSG_PRODUCT_RHEL7) - stig_srg_mapping_test("rhel7") -endif() - macro(ssg_controlrefcheck_test PRODUCT CONTROL KEY) if(PYTHON_VERSION_MAJOR GREATER 2) add_test( @@ -278,9 +274,6 @@ macro(ssg_controlrefcheck_test PRODUCT CONTROL KEY) endif() endmacro() -if(SSG_PRODUCT_RHEL7) - ssg_controlrefcheck_test("rhel7" "cis_rhel7" "cis") -endif() if(SSG_PRODUCT_RHEL8) ssg_controlrefcheck_test("rhel8" "cis_rhel8" "cis") endif() 
@@ -340,7 +333,7 @@ macro(cce_avail_check TEST_NAME_SUFFIX PRODUCTS CCE_LIST_PATH) endif() endmacro() -cce_avail_check("rhel-all" "rhel7,rhel8,rhel9,rhel10" "${CMAKE_SOURCE_DIR}/shared/references/cce-redhat-avail.txt") +cce_avail_check("rhel-all" "rhel8,rhel9,rhel10" "${CMAKE_SOURCE_DIR}/shared/references/cce-redhat-avail.txt") cce_avail_check("sle12" "sle12" "${CMAKE_SOURCE_DIR}/shared/references/cce-sle12-avail.txt") cce_avail_check("sle15" "sle15" "${CMAKE_SOURCE_DIR}/shared/references/cce-sle15-avail.txt") diff --git a/tests/README.md b/tests/README.md index d6540ea05cf..c0a9b5ec056 100644 --- a/tests/README.md +++ b/tests/README.md @@ -172,7 +172,7 @@ The header consists of comments (starting by `#`). Possible keys are: for any platform-specific names in the `platform_package_overrides` field. - `platform` is a comma-separated list of platforms where the test scenario can be run. This is similar to `platform` used in our remediations. Examples of - values: `multi_platform_rhel`, `Red Hat Enterprise Linux 7`, + values: `multi_platform_rhel`, `Red Hat Enterprise Linux 10`, `multi_platform_all`. If `platform` is not specified in the header, `multi_platform_all` is assumed. - `profiles` is a comma-separated list of profiles to which this scenario is @@ -205,7 +205,7 @@ Using `platform` and `variables` metadata: ```bash #!/bin/bash -# platform = Red Hat Enterprise Linux 7,multi_platform_fedora +# platform = Red Hat Enterprise Linux 9,multi_platform_fedora # variables = auth_enabled=yes,var_example_1=value_example echo "KerberosAuthentication $auth_enabled" >> /etc/ssh/sshd_config diff --git a/tests/data/product_stability/rhel7.yml b/tests/data/product_stability/rhel7.yml deleted file mode 100644 index 15b6418f67d..00000000000 --- a/tests/data/product_stability/rhel7.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -aide_also_checks_audispd: 'no' -aide_also_checks_rsyslog: 'yes' -aide_bin_path: /usr/sbin/aide -aide_conf_path: /etc/aide.conf -audisp_conf_path: /etc/audisp -auid: 1000 -aux_pkg_release: 45700c69 -aux_pkg_version: 2fa658e0 -auxiliary_key_fingerprint: 43A6E49C4A38F4BE9ABF2A5345689C882FA658E0 -basic_properties_derived: true -benchmark_id: RHEL-7 -benchmark_root: ../../linux_os/guide -centos_major_version: '7' -centos_pkg_release: 53a7ff4b -centos_pkg_version: f4a80eb5 -chrony_conf_path: /etc/chrony.conf -chrony_d_path: /etc/chrony.d/ -components_root: ../../components -cpes: -- rhel7: - check_id: installed_OS_is_rhel7 - name: cpe:/o:redhat:enterprise_linux:7 - title: Red Hat Enterprise Linux 7 -- rhel7-server: - check_id: installed_OS_is_rhel7 - name: cpe:/o:redhat:enterprise_linux:7::server - title: Red Hat Enterprise Linux 7 Server -- rhel7-client: - check_id: installed_OS_is_rhel7 - name: cpe:/o:redhat:enterprise_linux:7::client - title: Red Hat Enterprise Linux 7 Client -- rhel7-computenode: - check_id: installed_OS_is_rhel7 - name: cpe:/o:redhat:enterprise_linux:7::computenode - title: Red Hat Enterprise Linux 7 ComputeNode -- rhel7-workstation: - check_id: installed_OS_is_rhel7 - name: cpe:/o:redhat:enterprise_linux:7::workstation - title: Red Hat Enterprise Linux 7 Workstation -cpes_root: ../../shared/applicability -dconf_gdm_dir: gdm.d -faillock_path: /var/run/faillock -families: -- rhel -- rhel-like -full_name: Red Hat Enterprise Linux 7 -gid_min: 1000 -groups: - dedicated_ssh_keyowner: - name: ssh_keys -grub2_boot_path: /boot/grub2 -grub2_uefi_boot_path: /boot/efi/EFI/redhat -grub_helper_executable: grubby -init_system: systemd -major_version_ordinal: 7 -nobody_gid: 65534 -nobody_uid: 65534 -pkg_manager: yum -pkg_manager_config_file: /etc/yum.conf -pkg_release: 4ae0493b -pkg_system: rpm -pkg_version: fd431d51 -platform_package_overrides: - aarch64_arch: null - grub2: grub2-common - login_defs: shadow-utils - no_ovirt: null - non-uefi: 
null - not_aarch64_arch: null - not_s390x_arch: null - openssl-pkcs11: pam_pkcs11 - ovirt: null - s390x_arch: null - sssd: sssd-common - sssd-ldap: null - uefi: null - zipl: s390utils-base -product: rhel7 -profiles_root: ./profiles -reference_uris: - anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf - app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers - app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=container-platform - bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf - cis: https://www.cisecurity.org/benchmark/red_hat_linux/ - cis-csc: https://www.cisecurity.org/controls/ - cjis: https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf - cobit5: https://www.isaca.org/resources/cobit - cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf - dcid: not_officially_available - disa: https://public.cyber.mil/stigs/cci/ - hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf - isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat - isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu - ism: https://www.cyber.gov.au/acsc/view-all-content/ism - iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html - nerc-cip: https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx - nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf - nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf - os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os - ospp: https://www.niap-ccevs.org/Profile/PP.cfm - pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf - pcidss4: 
https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf - stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux - stigref: https://public.cyber.mil/stigs/srg-stig-tools/ -release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51 -sshd_distributed_config: 'false' -sysctl_remediate_drop_in_file: 'false' -type: platform -uid_min: 1000 diff --git a/tests/install_vm.py b/tests/install_vm.py index b8eca5072b3..db460aa2c3f 100755 --- a/tests/install_vm.py +++ b/tests/install_vm.py @@ -13,7 +13,6 @@ "centos7", "centos8", "centos9", - "rhel7", "rhel8", "rhel9", ] @@ -21,7 +20,6 @@ DISTRO_URL = { "fedora": "https://download.fedoraproject.org/pub/fedora/linux/releases/39/Everything/x86_64/os", - "centos7": "http://mirror.centos.org/centos/7/os/x86_64", "centos8": "http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os/", "centos9": "http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/", } diff --git a/tests/ssg_test_suite/common.py b/tests/ssg_test_suite/common.py index c3a0288aac5..a6ff30e8bed 100644 --- a/tests/ssg_test_suite/common.py +++ b/tests/ssg_test_suite/common.py @@ -571,7 +571,6 @@ def get_cpe_of_tested_os(test_env, log_file): ol7=("yum", "install", "-y"), ol8=("yum", "install", "-y"), ol9=("yum", "install", "-y"), - rhel7=("yum", "install", "-y"), rhel8=("yum", "install", "-y"), rhel9=("yum", "install", "-y"), rhel10=("dnf", "install", "-y"), diff --git a/tests/unit/ssg-module/test_playbook_builder_data/applicability/derivatives.yml b/tests/unit/ssg-module/test_playbook_builder_data/applicability/derivatives.yml index e980f9c1c5c..6cc6184f6b3 100644 --- a/tests/unit/ssg-module/test_playbook_builder_data/applicability/derivatives.yml +++ b/tests/unit/ssg-module/test_playbook_builder_data/applicability/derivatives.yml 
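Review bot: `@@ -21` removes the `centos7` entry from DISTRO_URL, but `@@ -13` keeps "centos7" in the distro list directly above it, so the script still offers centos7 while its only default install URL is gone. rhel8 and rhel9 also have no DISTRO_URL entry, so a missing URL is presumably tolerated (caller-supplied URL or a fallback lookup), but that cannot be confirmed from this hunk. If centos7 is meant to retire together with rhel7, drop the `"centos7",` line from the list as well; if it is meant to stay, keep its URL so the default path keeps working.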
@@ -1,17 +1,6 @@ cpes: - - - centos7: - name: "cpe:/o:centos:centos:7" - title: "CentOS 7" - check_id: installed_OS_is_centos7 - - centos8: name: "cpe:/o:centos:centos:8" title: "CentOS 8" check_id: installed_OS_is_centos8 - - sl7: - name: "cpe:/o:scientificlinux:scientificlinux:7" - title: "Scientific Linux 7" - check_id: installed_OS_is_sl7 - diff --git a/tests/unit/ssg-module/test_products.py b/tests/unit/ssg-module/test_products.py index d61a06d9859..5594c45e70b 100644 --- a/tests/unit/ssg-module/test_products.py +++ b/tests/unit/ssg-module/test_products.py @@ -50,8 +50,8 @@ def test_get_all(ssg_root): assert "fedora" in products.linux assert "fedora" not in products.other - assert "rhel7" in products.linux - assert "rhel7" not in products.other + assert "rhel10" in products.linux + assert "rhel10" not in products.other assert "firefox" in products.other assert "firefox" not in products.linux diff --git a/tests/unit/ssg_test_suite/test_matches_platform.py b/tests/unit/ssg_test_suite/test_matches_platform.py index 8fdcbe11b61..a1dcb011e78 100644 --- a/tests/unit/ssg_test_suite/test_matches_platform.py +++ b/tests/unit/ssg_test_suite/test_matches_platform.py 
@@ -4,53 +4,53 @@ def test_simple_match(): - scenario_platforms = ["Red Hat Enterprise Linux 7"] - benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:7"} + scenario_platforms = ["Red Hat Enterprise Linux 10"] + benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:10"} assert common.matches_platform(scenario_platforms, benchmark_cpes) is True def test_simple_no_match(): - scenario_platforms = ["Red Hat Enterprise Linux 7"] - benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:8"} + scenario_platforms = ["Red Hat Enterprise Linux 10"] + benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:9"} assert common.matches_platform(scenario_platforms, benchmark_cpes) is False def test_multi_platform_all(): scenario_platforms = ["multi_platform_all"] - benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:7"} + benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:10"} assert common.matches_platform(scenario_platforms, benchmark_cpes) is True def test_multi_platform_match(): scenario_platforms = ["multi_platform_rhel"] - benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:7"} + benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:10"} assert common.matches_platform(scenario_platforms, benchmark_cpes) is True def test_multi_platform_no_match(): scenario_platforms = ["multi_platform_fedora"] - benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:7"} + benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:10"} assert common.matches_platform(scenario_platforms, benchmark_cpes) is False def test_list_simple_match_first(): - scenario_platforms = ["Red Hat Enterprise Linux 7", - "Red Hat Enterprise Linux 8"] - benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:7"} + scenario_platforms = ["Red Hat Enterprise Linux 9", + "Red Hat Enterprise Linux 10"] + benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:9"} assert common.matches_platform(scenario_platforms, benchmark_cpes) is True def test_list_simple_match_second(): - scenario_platforms = ["Red Hat Enterprise Linux 7", - "Red Hat Enterprise Linux 8"] - 
benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:8"} + scenario_platforms = ["Red Hat Enterprise Linux 9", + "Red Hat Enterprise Linux 10"] + benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:10"} assert common.matches_platform(scenario_platforms, benchmark_cpes) is True def test_list_simple_no_match(): - scenario_platforms = ["Red Hat Enterprise Linux 7", - "Red Hat Enterprise Linux 8"] - benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:9"} + scenario_platforms = ["Red Hat Enterprise Linux 8", + "Red Hat Enterprise Linux 9"] + benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:10"} assert common.matches_platform(scenario_platforms, benchmark_cpes) is False 
@@ -93,33 +93,25 @@ def test_list_combined_no_match(): assert common.matches_platform(scenario_platforms, benchmark_cpes) is False -def test_simple_multiple_benchmark_cpes(): - scenario_platforms = ["Red Hat Enterprise Linux 7"] - benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:7", - "cpe:/o:redhat:enterprise_linux:7::client", - "cpe:/o:redhat:enterprise_linux:7::computenode"} - assert common.matches_platform(scenario_platforms, benchmark_cpes) is True - - def test_simple_multiple_unrelated_benchmark_cpes(): - scenario_platforms = ["Red Hat Enterprise Linux 7"] - benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:7", - "cpe:/o:redhat:enterprise_linux:8"} + scenario_platforms = ["Red Hat Enterprise Linux 10"] + benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:9", + "cpe:/o:redhat:enterprise_linux:10"} assert common.matches_platform(scenario_platforms, benchmark_cpes) is True def test_simple_multiple_bogus_benchmark_cpes(): - scenario_platforms = ["Red Hat Enterprise Linux 7"] + scenario_platforms = ["Red Hat Enterprise Linux 10"] benchmark_cpes = {"cpe:/o:abcdef:ghijklm:42" "cpe:/o:zzzzz:xxxx:77", - "cpe:/o:redhat:enterprise_linux:7"} + "cpe:/o:redhat:enterprise_linux:10"} assert common.matches_platform(scenario_platforms, benchmark_cpes) is True def test_simple_multiple_bogus_benchmark_cpes_no_match(): scenario_platforms = ["Fedora"] benchmark_cpes = {"cpe:/o:abcdef:ghijklm:42" "cpe:/o:zzzzz:xxxx:77", - "cpe:/o:redhat:enterprise_linux:7"} + "cpe:/o:redhat:enterprise_linux:10"} assert common.matches_platform(scenario_platforms, benchmark_cpes) is False 
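Review bot: The `benchmark_cpes` sets in test_simple_multiple_bogus_benchmark_cpes and test_simple_multiple_bogus_benchmark_cpes_no_match are missing a comma after `"cpe:/o:abcdef:ghijklm:42"`, so Python concatenates the two literals into the single string `cpe:/o:abcdef:ghijklm:42cpe:/o:zzzzz:xxxx:77` and each set has two members rather than three; the tests still pass, but they exercise one bogus CPE fewer than intended. The same slip is in test_multiple_multiple_bogus_benchmark_cpes_no_match in the next hunk. The fix in each of the three places is `benchmark_cpes = {"cpe:/o:abcdef:ghijklm:42",`. Separately, the deleted test_simple_multiple_benchmark_cpes was the only case with edition-suffixed CPEs (`::client`, `::computenode`); if matches_platform still accepts such suffixes, keeping an equivalent case built on a current product would preserve that coverage.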
@@ -127,13 +119,13 @@ def test_multiple_multiple_bogus_benchmark_cpes_no_match(): scenario_platforms = ["Fedora", "openSUSE"] benchmark_cpes = {"cpe:/o:abcdef:ghijklm:42" "cpe:/o:zzzzz:xxxx:77", - "cpe:/o:redhat:enterprise_linux:7"} + "cpe:/o:redhat:enterprise_linux:10"} assert common.matches_platform(scenario_platforms, benchmark_cpes) is False def test_typo(): - scenario_platforms = ["Rrd Hat Enterprise Linux 7"] - benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:7"} + scenario_platforms = ["Rrd Hat Enterprise Linux 10"] + benchmark_cpes = {"cpe:/o:redhat:enterprise_linux:10"} with pytest.raises(ValueError): common.matches_platform(scenario_platforms, benchmark_cpes) diff --git a/tests/unit/ssg_test_suite/test_rule.py b/tests/unit/ssg_test_suite/test_rule.py index cecb241ae40..8e97fd8310b 100644 --- a/tests/unit/ssg_test_suite/test_rule.py +++ b/tests/unit/ssg_test_suite/test_rule.py @@ -38,13 +38,14 @@ def test_scenario(): assert s.matches_regex(r"^correct.*") assert not s.matches_regex(r".*fail\.sh") assert not s.matches_regex(r"^wrong") - assert s.matches_platform({"cpe:/o:redhat:enterprise_linux:7"}) + assert s.matches_platform({"cpe:/o:redhat:enterprise_linux:10"}) assert not s.matches_platform({"cpe:/o:debian:debian:8"}) assert s.matches_check({"oval"}) assert not s.matches_check({"sce"}) assert not s.matches_check({"fancy_unsupported_language"}) assert not s.matches_check({}) + def test_scenario_defaults(): file_name = "correct_defaults.pass.sh" file_contents = open(os.path.join(DATADIR, file_name)).read() 
@@ -63,8 +64,8 @@ def test_scenario_defaults(): assert len(s.script_params["remediation"]) == 1 assert "all" in s.script_params["remediation"] assert len(s.script_params["variables"]) == 0 - assert s.matches_platform({"cpe:/o:redhat:enterprise_linux:7"}) - assert s.matches_platform({"cpe:/o:debian:debian:8"}) + assert s.matches_platform({"cpe:/o:redhat:enterprise_linux:10"}) + assert s.matches_platform({"cpe:/o:debian:debian:12"}) s.override_profile("xccdf_org.ssgproject.content_profile_cis") assert "xccdf_org.ssgproject.content_profile_cis" in \ s.script_params["profiles"] diff --git a/utils/ansible_playbook_to_role.py b/utils/ansible_playbook_to_role.py index e9a7a961861..e3c4bc4ae19 100755 --- a/utils/ansible_playbook_to_role.py +++ b/utils/ansible_playbook_to_role.py @@ -63,7 +63,6 @@ def dict_constructor(loader, node): # End arcaduf gist PRODUCT_ALLOWLIST = set([ - "rhel7", "rhel8", "rhel9", ])