RHEL7 STIG Settings Review
The first step in authoring the RHEL7 STIG is to determine which requirements are applicable to RHEL. As you skim the RHEL7 STIG Requirements (.xlsx), please indicate if any are not applicable, questionable, or infeasible. Additionally, if you have ideas on settings which should be included (but not specifically called out in the SRG), please list them below.
Please add to this list, and do not delete. We'll discuss these sections on TBD community calls, where decisions can be made in a collaborative nature.
Use the "CCI-*" value to reference the control.
RHEL 7 cannot support these requirements without assistance from an external application, policy, or service. These requirements will be "not applicable," and likely have no correlation with an operating system.
- CCI-001662: The operating system is not an antivirus provider
The following requirements cannot be configured to be out of compliance. These should be "permanent not a finding".
- CCI-000015: support for automated account management (SRG-OS-000001-GPOS-00001)
- CCI-000018: audit account creation
- CCI-000056: session lock until reauthentication
- CCI-000067: audit records events whether locally or remotely issued
- CCI-000162: protect audit logs from unauth access
- CCI-000163: protect audit logs from unauth modification
- CCI-000164: protect audit logs from unauth deletion
- CCI-000171: audit rules manipulated by priv users only
- CCI-000172: audit login attempts
- CCI-000185: pki auth follows x.509 standard
- CCI-000186: private key protection when using PKI
- CCI-000187: map authenticated identities to system user
- CCI-000206: obscure passwords during login
- CCI-000213: OS enforce DAC/MAC
- CCI-000770: login with individual auth before group auth
- CCI-000764: accounts have unique identifiers
- CCI-000804: unique identifiers for accounts (e.g. UIDs)
- CCI-001082: concept of priv users
- CCI-001084: isolate security functions from non-security functions
- CCI-001090: OS support for MAC/DAC
- CCI-001133: once user logs out, network sessions associated with user login are terminated automatically
- CCI-001310: input validation checking
- CCI-001314: reveal error messages only to sysadmins
- CCI-001368: OS must enforce MAC/DAC
- CCI-001462: capability for full session auditing
- CCI-001499: OS limits software installation/manipulation to priv users
- CCI-001082: run level 1 provides unique sys mgmt facility
- CCI-001812: software install requires priv status
- CCI-001813: OS enforces access restrictions
- CCI-002007: cached authenticators
- CCI-002041: capability for temp passwords
- CCI-002142: group access removed when user removed from group
- CCI-002322: capability to kill sessions
- CCI-002363: OS provides logout capability
- CCI-002891: full session termination upon logout
- CCI-000130: audit records include info on event type
- CCI-000131: audit records include info on date & time of event
- CCI-000132: audit records include info on where events occurred
- CCI-000133: audit records include info on source of events (e.g. process/UID)
- CCI-000134: audit records include info on outcome of event
- CCI-000135: audit records include commands or individual identities of event
- CCI-000154: capability to centrally review audit info
- CCI-000158: capability to filter audit records for events of interest
- CCI-000159: audit records include time stamp from internal system clock
- CCI-000166: audit records natively include information on event initiator (process ID, UID, etc)
- CCI-000172: audit login/logoff attempts (SRG-OS-000470)
- CCI-000172: audit login/logoff attempts (SRG-OS-000472)
- CCI-000172: audit concurrent logins (SRG-OS-000473)
- CCI-000172: audit access attempts (SRG-OS-000475)
- CCI-000172: audit account creation/disable/mods (SRG-OS-000476)
- CCI-001312: audit events contain minimal information necessary for corrective actions
- CCI-001403: audit account modification
- CCI-001404: audit account disabling
- CCI-001405: audit account removal
- CCI-001487: audit info includes identity info
- CCI-001496: crypto checksum on audit tools
- CCI-001683: notify sysadmin on account creation
- CCI-001684: notify sysadmin on account modification
- CCI-001685: notify sysadmin on account disable
- CCI-001686: notify sysadmin on account removal
- CCI-001858: realtime event alerting
- CCI-001875: audit reduction capability
- CCI-001877: audit reduction capability
- CCI-001878: report generation tools
- CCI-001879: report generation tools
- CCI-001880: report generation tools
- CCI-001881: audit does not alter logs during analysis
- CCI-001882: audit does not alter logs or time ordering
- CCI-001889: granularity of audit events to 1 second
- CCI-001890: audit supports UTC or GMT
- CCI-001919: capability for session record
- CCI-001920: capability for remote session record
- CCI-001876: audit subsystem provides audit reduction capability
- CCI-002130: audit account enabling
- CCI-002132: notify sysadmin on account enabling
- CCI-002165: must support DAC
- CCI-002235: priv vs non-priv access
- CCI-002884: local and remote access audited the same
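As an added illustration of why the audit-content requirements above (CCI-000130 through CCI-000135, CCI-000158, CCI-000159, CCI-000166, CCI-001882, CCI-001889, CCI-001890) are "permanent not a finding" on RHEL 7, the following script parses records in the standard auditd log layout and maps the fields each record carries natively onto those CCIs. This is example code written for this page, not content from the wiki or from the SCAP Security Guide project; the three log lines are constructed samples, not captures from a real system.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the standard auditd log layout
# (type=... msg=audit(seconds.millis:serial): key=value ...).
# These are illustrative records, not captured from a real system.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1500000000.123:201): pid=2345 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_AUTH msg=audit(1500000001.456:202): pid=2346 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="bob" exe="/usr/sbin/sshd" hostname=10.0.0.7 addr=10.0.0.7 terminal=ssh res=failed'
type=ADD_USER msg=audit(1500000002.789:203): pid=2400 uid=0 auid=1000 ses=3 msg='op=adding user id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
"""

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<secs>\d+)\.(?P<millis>\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value tokens; a value may be double-quoted, single-quoted (the nested msg='...') or bare.
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")


def parse_kv(text):
    """Split a run of key=value tokens into a dict, stripping surrounding quotes."""
    return {k: v.strip("\"'") for k, v in KV_RE.findall(text)}


def parse_record(line):
    """Parse one auditd line into a flat dict, or return None if it is not a record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "serial": int(m["serial"])}
    # CCI-000131 / CCI-000159: the timestamp is taken from the system clock at event
    # time with millisecond granularity; rendered here in UTC (CCI-001889 / CCI-001890).
    when = datetime.fromtimestamp(int(m["secs"]), tz=timezone.utc)
    rec["time"] = f"{when:%Y-%m-%dT%H:%M:%S}.{m['millis']}Z"
    for k, v in KV_RE.findall(m["body"]):
        if k == "msg" and v.startswith("'"):
            rec.update(parse_kv(v.strip("'")))  # nested msg='...' carries its own pairs
        else:
            rec[k] = v.strip('"')
    return rec


def parse_audit_log(text):
    """Parse all records and keep them in serial order (CCI-001882: ordering preserved)."""
    records = [r for r in (parse_record(ln) for ln in text.splitlines()) if r]
    return sorted(records, key=lambda r: r["serial"])


def failed_events(records):
    """CCI-000158: filter records of interest, here everything auditd marked as failed."""
    return [r for r in records if r.get("res") == "failed"]


def fields_for_cci(rec):
    """Map one record's native fields onto the audit-content CCIs from the SRG."""
    return {
        "CCI-000130": rec.get("type"),                             # event type
        "CCI-000131": rec.get("time"),                             # date and time
        "CCI-000132": rec.get("hostname") or rec.get("terminal"),  # where it occurred
        "CCI-000133": (rec.get("pid"), rec.get("auid")),           # source: process and login uid
        "CCI-000134": rec.get("res"),                              # outcome
        "CCI-000135": rec.get("exe") or rec.get("acct"),           # command / identity involved
    }


if __name__ == "__main__":
    for rec in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(rec["serial"], rec["type"], fields_for_cci(rec))
```

The point of the mapping is that none of these fields has to be configured: the type, kernel timestamp, serial, pid, auid, and result are emitted by the audit subsystem for every record, so a reviewer can mark the corresponding CCIs as satisfied by inspecting any line of /var/log/audit/audit.log rather than by looking for a setting.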
These requirements are not applicable to Red Hat Enterprise Linux, or likely any Operating System, and should be marked as N/A in the RHEL 7 STIG. Their inclusion in the OS SRG should be reviewed.
- CCI-000366: Procedural requirement.
- CCI-001150: RHEL is not a “collaboration operating system” for “collaborative computing devices”
- CCI-001166: Details mobile code for a mobile OS, which RHEL is not
- CCI-001233: Vulnerability scanning outside the scope of native operating system capabilities
- CCI-001294: Vulnerability scanning outside the scope of native operating system capabilities
- CCI-001294: Operating Systems are not antivirus software
- CCI-001662: Details mobile code for a mobile OS, which RHEL is not
- CCI-001169: Details mobile code for a mobile OS, which RHEL is not
- CCI-001695: Details mobile code for a mobile OS, which RHEL is not
- CCI-001170: Details mobile code for a mobile OS, which RHEL is not
- CCI-001444: Requirement is for a wireless hotspot device, not a server operating system
- CCI-001443: Requirement is for a wireless hotspot device, not a server operating system
- CCI-001744: Information System requirement, not OS. Configuration Mgmt not responsibility of Operating System.
- CCI-001811: Unprivileged “Unauthorized software installation” doesn’t exist on Linux. All RPM installs require root. Ref CCI-001812.
- CCI-001851: Data management is the responsibility of storage subsystems (e.g. NetApp), not the operating system
- CCI-002142:
- CCI-002460: The OS is not “mobile code-enabled software”
- CCI-002605: Procedural requirement, not operating system
- CCI-002617: Procedural requirement, not operating system
- CCI-002618: By definition, firmware outside scope of operating system
- CCI-002664: Intrusion Detection System capability outside operating system scope
- CCI-002696: Unit testing security is a procedural requirement
- CCI-002699: Unit testing security is a procedural requirement
- CCI-002702: Behavioral analytics outside scope of operating system
These requirements are permanent findings and cannot be fixed. An appropriate mitigation for the system must be implemented but this finding cannot be considered fixed.
- CCI-001294: The O/S isn't a certification and accreditation product
- CCI-001855: RHEL doesn’t have 75% alert
- CCI-002450: RHEL7 has not received FIPS certs. Falls under same waiver as CentOS.
The following requirements are questionable/infeasible/may impact operational procedures (e.g. SSH timeout settings too low).
The following contains a list of concepts/best practices that should be implemented in the STIG, though are not specifically addressed in the OS SRG requirements.
- More DCONF settings need to be added for environments that rely heavily on GUI usage. It would be great to have guidance/requirements on some of the following DCONF settings:
  - /org/gnome/login-screen/disable-user-list
  - /org/gnome/login-screen/disable-restart-buttons
  - /org/gnome/login-screen/allowed-failures
  - /org/gnome/desktop/screensaver/user-switch-enabled
  - /org/gnome/desktop/lockdown/user-administration
  - any /org/gnome/desktop/background/ changes
- Classification Banners
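To make the DCONF proposal above concrete, here is an added example (written for this page; not content from the wiki or the SCAP Security Guide project) of how such settings are enforced system-wide and how a check would verify them. dconf applies keyfiles under a system database directory and a separate locks file that prevents users from overriding a key; the sample keyfile and locks below are constructed, the paths in the comments (/etc/dconf/db/local.d/00-security and its locks/ subdirectory) are the conventional layout and an assumption here, and the expected values are assumptions for illustration, since the wiki lists the keys but not the values it wants.

```python
import configparser

# Constructed sample of a system dconf keyfile, e.g. /etc/dconf/db/local.d/00-security
# (path is an assumption). Sections are schema paths without the leading slash.
SAMPLE_KEYFILE = """\
[org/gnome/login-screen]
disable-user-list=true
disable-restart-buttons=true
allowed-failures=3

[org/gnome/desktop/screensaver]
user-switch-enabled=false

[org/gnome/desktop/lockdown]
user-administration=true
"""

# Constructed sample of the matching locks file, e.g. /etc/dconf/db/local.d/locks/00-security
# (path is an assumption). One absolute key path per line; allowed-failures is deliberately
# left unlocked so the check below has something to report.
SAMPLE_LOCKS = """\
/org/gnome/login-screen/disable-user-list
/org/gnome/login-screen/disable-restart-buttons
/org/gnome/desktop/screensaver/user-switch-enabled
/org/gnome/desktop/lockdown/user-administration
"""

# Keys from the wiki list; the expected values are assumptions for this example.
REQUIRED = {
    "/org/gnome/login-screen/disable-user-list": "true",
    "/org/gnome/login-screen/disable-restart-buttons": "true",
    "/org/gnome/login-screen/allowed-failures": "3",
    "/org/gnome/desktop/screensaver/user-switch-enabled": "false",
    "/org/gnome/desktop/lockdown/user-administration": "true",
}


def parse_keyfile(text):
    """Return {"/section/key": value} for every entry in a dconf keyfile."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    values = {}
    for section in cp.sections():
        for key, val in cp.items(section):
            values[f"/{section}/{key}"] = val.strip()
    return values


def parse_locks(text):
    """Return the set of key paths a dconf locks file pins."""
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}


def check_dconf(keyfile_text, locks_text, required=REQUIRED):
    """List (key path, problem) for every required key that is missing, wrong, or unlocked.

    A key that is set in the system database but not locked is still a finding:
    without the lock a user can override it in their own dconf database.
    """
    values = parse_keyfile(keyfile_text)
    locks = parse_locks(locks_text)
    findings = []
    for path, expected in required.items():
        actual = values.get(path)
        if actual is None:
            findings.append((path, "not set"))
        elif actual != expected:
            findings.append((path, f"set to {actual}, expected {expected}"))
        elif path not in locks:
            findings.append((path, "set but not locked (user can override)"))
    return findings


if __name__ == "__main__":
    for path, problem in check_dconf(SAMPLE_KEYFILE, SAMPLE_LOCKS):
        print(f"FINDING {path}: {problem}")
```

Two operational caveats for anyone turning this into a STIG check: the keyfiles only take effect after `dconf update` regenerates the binary database, and the system profile (conventionally /etc/dconf/profile/user) has to reference that database, so a check that only reads the keyfiles is a proxy for, not proof of, the effective setting.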