xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig

Guide to the Secure Configuration of Red Hat Enterprise Linux 8

with profile [DRAFT] DISA STIG for Red Hat Enterprise Linux 8
This profile contains configuration checks that align to the [DRAFT] DISA STIG for Red Hat Enterprise Linux 8. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as: - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 8 image

The SCAP Security Guide Project
https://www.open-scap.org/security-policies/scap-security-guide

This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 8. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target	localhost.localdomain
Target ID	podman-image://c195d38e471bf6fa3150a01717252bff61e2dc65dffbfa398bb7a5838dad467d [localhost/twistlock/private:console_20_12_541]
Benchmark URL	scap-security-guide-0.1.54/ssg-rhel8-ds.xml
Benchmark ID	xccdf_org.ssgproject.content_benchmark_RHEL-8
Benchmark version	0.1.54
Profile ID	xccdf_org.ssgproject.content_profile_stig
Started at	2021-02-11T19:31:22+00:00
Finished at	2021-02-11T19:31:22+00:00
Performed by	unknown user
Test system	cpe:/a:redhat:openscap:1.3.3

CPE Platforms

cpe:/o:redhat:enterprise_linux:8

Addresses

Compliance and Scoring

The target system did not satisfy the conditions of 19 rules! Please review rule results and consider applying remediation.

Rule results

28 passed

19 failed

3 other

Severity of failed rules

2 other

1 low

16 medium

0 high

Score

Scoring system	Score	Maximum	Percent
urn:xccdf:scoring:default	50.983795	100.000000	50.98%

Rule Overview

Title	Severity	Result
Guide to the Secure Configuration of Red Hat Enterprise Linux 8 19x fail 3x notchecked
System Settings 16x fail 3x notchecked
Installing and Maintaining Software 12x fail
System and Software Integrity 1x fail
Software Integrity Checking
Verify Integrity with AIDE
Install AIDE	medium	notapplicable
Federal Information Processing Standard (FIPS)
Enable FIPS Mode	high	notapplicable
Enable Dracut FIPS Module	medium	notapplicable
System Cryptographic Policies 1x fail
Install crypto-policies package	medium	pass
Configure session renegotiation for SSH client	medium	fail
Configure System Cryptography Policy	high	pass
Configure Libreswan to use System Crypto Policy	medium	pass
OpenSSL uses strong entropy source	medium	pass
Configure SSH to use System Crypto Policy	medium	pass
Configure Kerberos to use System Crypto Policy	medium	pass
Configure OpenSSL library to use System Crypto Policy	medium	pass
Configure BIND to use System Crypto Policy	medium	pass
Operating System Vendor Support and Certification
The Installed Operating System Is Vendor Supported	high	pass
Disk Partitioning
Ensure /home Located On Separate Partition	low	notapplicable
Encrypt Partitions	high	notapplicable
Ensure /var/log/audit Located On Separate Partition	low	notapplicable
Ensure /var Located On Separate Partition	low	notapplicable
Ensure /var/log Located On Separate Partition	medium	notapplicable
GNOME Desktop Environment
Make sure that the dconf databases are up-to-date with regards to respective keyfiles	high	notapplicable
Sudo 1x fail
Install sudo Package	medium	fail
Updating Software 4x fail
Install dnf-automatic Package	medium	fail
Ensure gpgcheck Enabled In Main yum Configuration	high	notapplicable
Ensure gpgcheck Enabled for Local Packages	high	notapplicable
Enable dnf-automatic Timer	medium	fail
Configure dnf-automatic to Install Available Updates Automatically	medium	fail
Ensure Red Hat GPG Key Installed	high	pass
Ensure yum Removes Previous Package Versions	low	notapplicable
Configure dnf-automatic to Install Only Security Updates	low	fail
Ensure gpgcheck Enabled for All yum Package Repositories	high	pass
System Tooling / Utilities 6x fail
Install dnf-plugin-subscription-manager Package	medium	fail
Ensure gnutls-utils is installed	medium	fail
Install libcap-ng-utils Package	medium	fail
Install openscap-scanner Package	medium	fail
Install scap-security-guide Package	medium	fail
Install subscription-manager Package	medium	fail
Uninstall abrt-addon-ccpp Package	low	pass
Uninstall abrt-addon-kerneloops Package	low	pass
Uninstall abrt-addon-python Package	low	pass
Uninstall abrt-cli Package	low	pass
Uninstall abrt-plugin-logger Package	low	pass
Uninstall abrt-plugin-rhtsupport Package	low	pass
Uninstall abrt-plugin-sosreport Package	low	pass
Uninstall gssproxy Package	low	pass
Uninstall iprutils Package	low	pass
Uninstall krb5-workstation Package	medium	pass
Account and Access Control 2x fail 3x notchecked
Warning Banners for System Accesses 1x fail
Implement a GUI Warning Banner
Set the GNOME3 Login Warning Banner Text	medium	notapplicable
Enable GNOME3 Login Warning Banner	medium	notapplicable
Modify the System Login Banner	medium	fail
Protect Accounts by Configuring PAM
Set Lockouts for Failed Password Attempts
Set Lockout Time for Failed Password Attempts	medium	notapplicable
Set Deny For Failed Password Attempts	medium	notapplicable
Set Interval For Counting Failed Password Attempts	medium	notapplicable
Enforce pam_faillock for Local Accounts Only	medium	notapplicable
Limit Password Reuse	medium	notapplicable
Set Password Quality Requirements
Set Password Quality Requirements with pam_pwquality
Set Password Maximum Consecutive Repeating Characters	medium	notapplicable
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class	medium	notapplicable
Ensure PAM Enforces Password Requirements - Minimum Length	medium	notapplicable
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters	medium	notapplicable
Ensure PAM Enforces Password Requirements - Minimum Different Characters	medium	notapplicable
Ensure PAM Enforces Password Requirements - Minimum Digit Characters	medium	notapplicable
Ensure PAM Enforces Password Requirements - Enforce for root User	medium	notapplicable
Ensure PAM Enforces Password Requirements - Minimum Special Characters	medium	notapplicable
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters	medium	notapplicable
Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only	medium	notapplicable
Protect Physical Console Access
Configure Screen Locking
Hardware Tokens for Authentication
Configure Smart Card Certificate Status Checking	medium	notapplicable
Configure Console Screen Locking
Install the tmux Package	medium	notapplicable
Configure tmux to lock session after inactivity	medium	notapplicable
Configure the tmux Lock Command	medium	notapplicable
Support session locking with tmux	medium	notapplicable
Prevent user from disabling the screen lock	medium	notapplicable
Disable debug-shell SystemD Service	medium	notapplicable
Require Authentication for Single User Mode	medium	notapplicable
Disable Ctrl-Alt-Del Reboot Activation	high	notapplicable
Disable Ctrl-Alt-Del Burst Action	high	notapplicable
Verify that Interactive Boot is Disabled	medium	notapplicable
Protect Accounts by Restricting Password-Based Login 1x fail 3x notchecked
Restrict Root Logins 1x fail
Enforce usage of pam_wheel for su authentication	medium	fail
Restrict Virtual Console Root Logins	medium	pass
Verify Proper Storage and Existence of Password Hashes
Prevent Login to Accounts With Empty Password	high	pass
Set Password Expiration Parameters 2x notchecked
Set Existing Passwords Minimum Age	medium	notchecked
Set Existing Passwords Maximum Age	medium	notchecked
Set Password Minimum Length in login.defs	medium	notapplicable
Set Account Expiration Parameters 1x notchecked
Assign Expiration Date to Temporary Accounts	unknown	notchecked
Set Account Expiration Following Inactivity	medium	notapplicable
Secure Session Configuration Files for Login Accounts
Ensure that Users Have Sensible Umask Values
Ensure the Default C Shell Umask is Set Correctly	unknown	pass
Ensure the Default Bash Umask is Set Correctly	unknown	pass
Ensure the Default Umask is Set Correctly in /etc/profile	unknown	pass
Limit the Number of Concurrent Login Sessions Allowed Per User	low	notapplicable
System Accounting with auditd
System Accounting with auditd
Configure auditing of unsuccessful file modifications	medium	notapplicable
Configure auditing of unsuccessful file creations	medium	notapplicable
Configure auditing of unsuccessful permission changes	medium	notapplicable
Configure auditing of successful file accesses	medium	notapplicable
Configure auditing of unsuccessful file deletions	medium	notapplicable
Configure basic parameters of Audit system	medium	notapplicable
Configure auditing of unsuccessful file accesses	medium	notapplicable
Configure auditing of successful file deletions	medium	notapplicable
Configure auditing of unsuccessful ownership changes	medium	notapplicable
Configure immutable Audit login UIDs	medium	notapplicable
Configure auditing of loading and unloading of kernel modules	medium	notapplicable
Perform general configuration of Audit for OSPP	medium	notapplicable
Configure auditing of successful permission changes	medium	notapplicable
Configure auditing of successful file modifications	medium	notapplicable
Configure auditing of successful ownership changes	medium	notapplicable
Configure auditing of successful file creations	medium	notapplicable
Configure auditd Data Retention
Set hostname as computer node name in audit logs	medium	notapplicable
Write Audit Logs to the Disk	medium	notapplicable
Resolve information before writing to audit logs	medium	notapplicable
Configure auditd to use audispd's syslog plugin	medium	notapplicable
Configure auditd flush priority	medium	notapplicable
Set number of records to cause an explicit flush to audit logs	medium	notapplicable
Include Local Events in Audit Logs	medium	notapplicable
Configure auditd Rules for Comprehensive Auditing
Record Events that Modify User/Group Information - /etc/passwd	medium	notapplicable
Install audispd-plugins Package	medium	notapplicable
Ensure the audit Subsystem is Installed	medium	notapplicable
Enable auditd Service	medium	notapplicable
Enable Auditing for Processes Which Start Prior to the Audit Daemon	medium	notapplicable
Extend Audit Backlog Limit for the Audit Daemon	medium	notapplicable
File Permissions and Masks 2x fail
Restrict Dynamic Mounting and Unmounting of Filesystems
Disable Mounting of cramfs	low	notapplicable
Restrict Partition Mount Options
Add nosuid Option to /var/log/audit	medium	notapplicable
Add nosuid Option to /var/tmp	unknown	notapplicable
Add nosuid Option to /tmp	unknown	notapplicable
Add noexec Option to /tmp	unknown	notapplicable
Add nosuid Option to /boot	medium	notapplicable
Add nodev Option to /var/tmp	unknown	notapplicable
Add nosuid Option to /var/log	medium	notapplicable
Add nodev Option to /boot	medium	notapplicable
Add nodev Option to /dev/shm	low	notapplicable
Add nodev Option to /tmp	unknown	notapplicable
Add noexec Option to /dev/shm	low	notapplicable
Add nodev Option to /var/log	medium	notapplicable
Add noexec Option to /var/log	medium	notapplicable
Add noexec Option to /var/tmp	unknown	notapplicable
Add nosuid Option to /home	medium	notapplicable
Add nodev Option to /var	medium	notapplicable
Add noexec Option to /var/log/audit	medium	notapplicable
Add nodev Option to Non-Root Local Partitions	unknown	notapplicable
Add nodev Option to /var/log/audit	medium	notapplicable
Add nosuid Option to /dev/shm	low	notapplicable
Add nodev Option to /home	unknown	notapplicable
Restrict Programs from Dangerous Execution Patterns 2x fail
Memory Poisoning
Enable page allocator poisoning	medium	notapplicable
Enable SLUB/SLAB allocator poisoning	medium	notapplicable
Enable ExecShield
Restrict Exposed Kernel Pointer Addresses Access	medium	notapplicable
Disable Core Dumps 2x fail
Disable acquiring, saving, and processing core dumps	unknown	notapplicable
Disable Core Dumps for All Users	unknown	notapplicable
Disable core dump backtraces	unknown	fail
Disable storing core dump	unknown	fail
Restrict Access to Kernel Message Buffer	medium	notapplicable
Disable Kernel Image Loading	medium	notapplicable
Disable the use of user namespaces	info	notapplicable
Disable storing core dumps	unknown	notapplicable
Disable Access to Network bpf() Syscall From Unprivileged Processes	medium	notapplicable
Restrict usage of ptrace to descendant processes	medium	notapplicable
Disallow kernel profiling by unprivileged users	medium	notapplicable
Harden the operation of the BPF just-in-time compiler	medium	notapplicable
Verify Permissions on Important Files and Directories
Enable Kernel Parameter to Enforce DAC on Hardlinks	unknown	notapplicable
Enable Kernel Parameter to Enforce DAC on Symlinks	unknown	notapplicable
GRUB2 bootloader configuration
UEFI GRUB2 bootloader configuration
Set the UEFI Boot Loader Password	high	notapplicable
Enable Kernel Page-Table Isolation (KPTI)	high	notapplicable
Disable vsyscalls	info	notapplicable
Configure kernel to trust the CPU random number generator	medium	notapplicable
Configure Syslog
Rsyslog Logs Sent To Remote Host
Configure TLS for rsyslog remote logging	medium	notapplicable
Configure CA certificate for rsyslog remote logging	medium	notapplicable
Ensure rsyslog-gnutls is installed	medium	notapplicable
Ensure rsyslog is Installed	medium	notapplicable
Network Configuration and Firewalls
Wireless Networking
Disable Wireless Through Software Configuration
Disable Bluetooth Kernel Module	medium	notapplicable
Uncommon Network Protocols
Disable CAN Support	medium	notapplicable
Disable IEEE 1394 (FireWire) Support	medium	notapplicable
Disable TIPC Support	medium	notapplicable
Disable ATM Support	medium	notapplicable
Disable SCTP Support	medium	notapplicable
firewalld
Inspect and Activate Default firewalld Rules
Install firewalld Package	medium	notapplicable
Verify firewalld Enabled	medium	notapplicable
IPv6
Configure IPv6 Settings if Necessary
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces	medium	notapplicable
Disable Accepting ICMP Redirects for All IPv6 Interfaces	medium	notapplicable
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces	medium	notapplicable
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default	medium	notapplicable
Configure Accepting Router Advertisements on All IPv6 Interfaces	unknown	notapplicable
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default	unknown	notapplicable
Kernel Parameters Which Affect Networking
Network Related Kernel Runtime Parameters for Hosts and Routers
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default	medium	notapplicable
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces	medium	notapplicable
Configure Kernel Parameter for Accepting Secure Redirects By Default	medium	notapplicable
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces	medium	notapplicable
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces	medium	notapplicable
Disable Accepting ICMP Redirects for All IPv4 Interfaces	medium	notapplicable
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default	medium	notapplicable
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces	unknown	notapplicable
Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces	medium	notapplicable
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces	medium	notapplicable
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces	medium	notapplicable
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces	unknown	notapplicable
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default	unknown	notapplicable
Network Parameters for Hosts Only
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces	medium	notapplicable
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default	medium	notapplicable
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces	medium	notapplicable
SELinux
Install policycoreutils-python-utils package	medium	notapplicable
Install policycoreutils Package	high	notapplicable
Ensure SELinux State is Enforcing	medium	notapplicable
Configure SELinux Policy	medium	notapplicable
Services 3x fail
System Security Services Daemon
Enable Smartcards in SSSD	medium	notapplicable
Configure SSSD to Expire Offline Credentials	medium	notapplicable
Mail Server Software
Uninstall Sendmail Package	medium	notapplicable
SSH Server
Configure OpenSSH Server if Necessary
Set SSH Client Alive Count Max	medium	notapplicable
Enable SSH Warning Banner	medium	notapplicable
Disable GSSAPI Authentication	medium	notapplicable
Disable Host-Based Authentication	medium	notapplicable
Disable SSH Root Login	medium	notapplicable
Force frequent session key renegotiation	medium	notapplicable
Disable SSH Access via Empty Passwords	high	notapplicable
SSH server uses strong entropy to seed	medium	notapplicable
Disable Kerberos Authentication	medium	notapplicable
Enable Use of Strict Mode Checking	medium	notapplicable
Set SSH Idle Timeout Interval	medium	notapplicable
Configure OpenSSH Client if Necessary
SSH client uses strong entropy to seed (for CSH like shells)	medium	notapplicable
SSH client uses strong entropy to seed (Bash-like shells)	medium	notapplicable
Install OpenSSH client software	medium	notapplicable
Install the OpenSSH Server Package	medium	notapplicable
Network Time Protocol
The Chrony package is installed	medium	notapplicable
Disable network management of chrony daemon	unknown	notapplicable
Disable chrony daemon from acting as server	unknown	notapplicable
Application Whitelisting Daemon
Install fapolicyd Package	medium	notapplicable
Enable the File Access Policy Service	medium	notapplicable
Base Services
Uninstall Automatic Bug Reporting Tool (abrt)	medium	pass
Disable KDump Kernel Crash Analyzer (kdump)	medium	notapplicable
NFS and RPC
Uninstall nfs-utils Package	low	pass
Kerberos
Disable Kerberos by removing host keytab	medium	notapplicable
USBGuard daemon 3x fail
Install usbguard Package	medium	fail
Enable the USBGuard Service	medium	notapplicable
Authorize Human Interface Devices and USB hubs in USBGuard daemon	medium	fail
Log USBGuard daemon audit events using Linux Audit	medium	fail

Result Details

Install AIDE

Rule ID	xccdf_org.ssgproject.content_rule_package_aide_installed
Result	notapplicable
Multi-check rule	no
Time	2021-02-11T19:31:22+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-80844-4 References: 1.4.1, 5.10.1.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, BP28(R51), SRG-OS-000363-GPOS-00150, 1034, 1288, 1341, 1417
Description	The `aide` package can be installed with the following command: $ sudo yum install aide
Rationale	The AIDE package must be installed if it is to be available for integrity checking.

Enable FIPS Mode

Rule ID	xccdf_org.ssgproject.content_rule_enable_fips_mode
Result	notapplicable
Multi-check rule	no
Time	2021-02-11T19:31:22+00:00
Severity	high
Identifiers and References	Identifiers: CCE-80942-6 References: CCI-000068, CCI-000803, CCI-002450, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, 1446
Description	To enable FIPS mode, run the following command: fips-mode-setup --enable The `fips-mode-setup` command will configure the system in FIPS mode by automatically configuring the following: Setting the kernel FIPS mode flag (`/proc/sys/crypto/fips_enabled`) to `1` Creating `/etc/system-fips` Setting the system crypto policy in `/etc/crypto-policies/config` to `FIPS` Loading the Dracut `fips` module Furthermore, the system running in FIPS mode should be FIPS certified by NIST.
Rationale	Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Warnings	warning The system needs to be rebooted for these changes to take effect. warning System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

Enable Dracut FIPS Module

Rule ID	xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
Result	notapplicable
Multi-check rule	no
Time	2021-02-11T19:31:22+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82155-3 References: CCI-000068, CCI-000803, CCI-002450, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, SRG-OS-000478-GPOS-00223, 1446
Description	To enable FIPS mode, run the following command: fips-mode-setup --enable To enable FIPS, the system requires that the `fips` module is added in `dracut` configuration. Check if `/etc/dracut.conf.d/40-fips.conf` contain `add_dracutmodules+=" fips "`
Rationale	Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Warnings	warning The system needs to be rebooted for these changes to take effect. warning System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

Install crypto-policies package

Rule ID	xccdf_org.ssgproject.content_rule_package_crypto-policies_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_crypto-policies_installed:def:1
Time	2021-02-11T19:31:22+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82723-8 References: FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
Description	The `crypto-policies` package can be installed with the following command: $ sudo yum install crypto-policies
Rationale	Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.

OVAL test results details

package crypto-policies is installed oval:ssg-test_package_crypto-policies_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
crypto-policies	noarch	(none)	1.git51d1222.el8	20200713	0:20200713-1.git51d1222.el8	199e2f91fd431d51	crypto-policies-0:20200713-1.git51d1222.el8.noarch

Configure session renegotiation for SSH client

Rule ID xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-ssh_client_rekey_limit:def:1

Time 2021-02-11T19:31:22+00:00

Severity medium

Identifiers and References

Identifiers: CCE-82880-6

References: FCS_SSHS_EXT.1, SRG-OS-000423-GPOS-00187

Description

The RekeyLimit parameter specifies how often the session key is renegotiated, both in terms of amount of data that may be transmitted and the time elapsed. To decrease the default limits, put line RekeyLimit 1G 1h to file /etc/ssh/ssh_config.d/02-rekey-limit.conf. Make sure that there is no other RekeyLimit configuration preceding the include directive in the main config file /etc/ssh/ssh_config. Check also other files in /etc/ssh/ssh_config.d directory. Files are processed according to lexicographical order of file names. Make sure that there is no file processed before 02-rekey-limit.conf containing definition of RekeyLimit.

Rationale

By decreasing the limit based on the amount of data and enabling time-based limit, effects of potential attacks against encryption keys are limited.

Remediation Shell script ⇲



var_ssh_client_rekey_limit_size="1G"

var_ssh_client_rekey_limit_time="1h"



main_config="/etc/ssh/ssh_config"
include_directory="/etc/ssh/ssh_config.d"

if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then
  sed -i '/^[\s]*RekeyLimit.*/d' "$main_config"
fi

for file in "$include_directory"/*.conf; do
  if grep -q '^[\s]*RekeyLimit.*$' "$file"; then
    sed -i '/^[\s]*RekeyLimit.*/d' "$file"
  fi
done

if [ -e "/etc/ssh/ssh_config.d/02-rekey-limit.conf" ] ; then
    LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/d" "/etc/ssh/ssh_config.d/02-rekey-limit.conf"
else
    touch "/etc/ssh/ssh_config.d/02-rekey-limit.conf"
fi
cp "/etc/ssh/ssh_config.d/02-rekey-limit.conf" "/etc/ssh/ssh_config.d/02-rekey-limit.conf.bak"
# Insert at the end of the file
printf '%s\n' "RekeyLimit $var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time" >> "/etc/ssh/ssh_config.d/02-rekey-limit.conf"
# Clean up after ourselves.
rm "/etc/ssh/ssh_config.d/02-rekey-limit.conf.bak"

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	configure

- name: XCCDF Value var_ssh_client_rekey_limit_size # promote to variable
  set_fact:
    var_ssh_client_rekey_limit_size: !!str 1G
  tags:
    - always
- name: XCCDF Value var_ssh_client_rekey_limit_time # promote to variable
  set_fact:
    var_ssh_client_rekey_limit_time: !!str 1h
  tags:
    - always

- name: Ensure RekeyLimit is not configured in /etc/ssh/ssh_config
  lineinfile:
    path: /etc/ssh/ssh_config
    create: false
    regexp: ^\s*RekeyLimit.*$
    state: absent
  tags:
    - CCE-82880-6
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - ssh_client_rekey_limit

- name: Collect all include config files for ssh client which configure RekeyLimit
  find:
    paths: /etc/ssh/ssh_config.d/
    contains: ^[\s]*RekeyLimit.*$
    patterns: '*.config'
  register: ssh_config_include_files
  tags:
    - CCE-82880-6
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - ssh_client_rekey_limit

- name: Remove all occurences of RekeyLimit configuration from include config files
    of ssh client
  lineinfile:
    path: '{{ item }}'
    regexp: ^[\s]*RekeyLimit.*$
    state: absent
  loop: '{{ ssh_config_include_files.files }}'
  tags:
    - CCE-82880-6
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - ssh_client_rekey_limit

- name: Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{
    var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf
  lineinfile:
    path: /etc/ssh/ssh_config.d/02-rekey-limit.conf
    create: true
    regexp: ^\s*RekeyLimit.*$
    line: RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time
      }}
    state: present
  tags:
    - CCE-82880-6
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - ssh_client_rekey_limit

OVAL test results details

tests the value of RekeyLimit setting in /etc/ssh/ssh_config file oval:ssg-test_ssh_client_rekey_limit_main_config:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_ssh_client_rekey_limit_main_config:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/ssh_config	^[\s]RekeyLimit.$	1

tests the value of RekeyLimit setting in /etc/ssh/ssh_config.d/*.conf oval:ssg-test_ssh_client_rekey_limit_include_configs:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_ssh_client_rekey_limit_include_configs:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

^[\s]*RekeyLimit[\s]+1G[\s]+1h[\s]*$

^/etc/ssh/ssh_config\.d/.*\.conf$

Configure System Cryptography Policy

Rule ID	xccdf_org.ssgproject.content_rule_configure_crypto_policy
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-configure_crypto_policy:def:1
Time	2021-02-11T19:31:22+00:00
Severity	high
Identifiers and References	Identifiers: CCE-80935-0 References: AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, 1446
Description	To configure the system cryptography policy to use ciphers only from the `FIPS:OSPP` policy, run the following command: $ sudo update-crypto-policies --set FIPS:OSPP The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the `/etc/crypto-policies/back-ends` are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied. Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.
Rationale	Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.
Warnings	warning The system needs to be rebooted for these changes to take effect. warning System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

OVAL test results details

check for crypto policy correctly configured in /etc/crypto-policies/config oval:ssg-test_configure_crypto_policy:tst:1 true

Following items have been found on the system:

Path	Content
/etc/crypto-policies/config	FIPS:OSPP

check for crypto policy correctly configured in /etc/crypto-policies/state/current oval:ssg-test_configure_crypto_policy_current:tst:1 true

Following items have been found on the system:

Path	Content
/etc/crypto-policies/state/current	FIPS:OSPP

Check if update-crypto-policies has been run oval:ssg-test_crypto_policies_updated:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-variable_crypto_policies_config_file_timestamp:var:1	1612713248

Check if /etc/crypto-policies/back-ends/nss.config exists oval:ssg-test_crypto_policy_nss_config:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/etc/crypto-policies/back-ends/nss.config	regular	0	0	338	`rw-r--r--`

Configure Libreswan to use System Crypto Policy

Rule ID	xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-configure_libreswan_crypto_policy:def:1
Time	2021-02-11T19:31:22+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-80937-6 References: CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000033-GPOS-00014, FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6
Description	Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Libreswan is supported by system crypto policy, but the Libreswan configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the `/etc/ipsec.conf` includes the appropriate configuration file. In `/etc/ipsec.conf`, make sure that the following line is not commented out or superseded by later includes: `include /etc/crypto-policies/back-ends/libreswan.config`
Rationale	Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented.

OVAL test results details

package libreswan is installed oval:ssg-test_package_libreswan_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_libreswan_installed:obj:1 of type rpminfo_object

Name
libreswan

Check that the libreswan configuration includes the crypto policy config file oval:ssg-test_configure_libreswan_crypto_policy:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_configure_libreswan_crypto_policy:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ipsec.conf	^\sinclude\s+/etc/crypto-policies/back-ends/libreswan.config\s(?:#.*)?$	1

OpenSSL uses strong entropy source

Rule ID	xccdf_org.ssgproject.content_rule_openssl_use_strong_entropy
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-openssl_use_strong_entropy:def:1
Time	2021-02-11T19:31:22+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82721-2 References: FCS_RBG_EXT.1.2, SRG-OS-000480-GPOS-00227, 1277, 1552
Description	By default, OpenSSL doesn't always use a SP800-90A compliant random number generator. A way to configure OpenSSL to always use a strong source is to setup a wrapper that defines a shell function that shadows the actual `openssl` binary, and that ensures that the `-rand /dev/random` option is added to every `openssl` invocation. To do so, place the following shell snippet exactly as-is to `/etc/profile.d/openssl-rand.sh`: # provide a default -rand /dev/random option to openssl commands that # support it # written inefficiently for maximum shell compatibility openssl() ( openssl_bin=/usr/bin/openssl case "$" in # if user specified -rand, honor it \ -rand\ \|\ -help) exec $openssl_bin "$@" ;; esac cmds=`$openssl_bin list -digest-commands -cipher-commands \| tr '\n' ' '` for i in `$openssl_bin list -commands`; do if $openssl_bin list -options "$i" \| grep -q '^rand '; then cmds=" $i $cmds" fi done case "$cmds" in \ "$1"\ *) cmd="$1"; shift exec $openssl_bin "$cmd" -rand /dev/random "$@" ;; esac exec $openssl_bin "$@" )
Rationale	This rule ensures that `openssl` invocations always uses SP800-90A compliant random number generator as a default behavior.
Warnings	warning This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available.

OVAL test results details

Test if openssl is configured to generate random data with strong entropy oval:ssg-test_openssl_strong_entropy:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Hash type	Hash
/etc/profile.d/openssl-rand.sh	/etc/profile.d	openssl-rand.sh	SHA-256	6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af

Configure SSH to use System Crypto Policy

Rule ID	xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-configure_ssh_crypto_policy:def:1
Time	2021-02-11T19:31:22+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-80939-2 References: AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, 5.2.20, SRG-OS-000250-GPOS-00093
Description	Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the `CRYPTO_POLICY` variable is either commented or not set at all in the `/etc/sysconfig/sshd`.
Rationale	Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented.

OVAL test results details

Check that the SSH configuration mandates usage of system-wide crypto policies. oval:ssg-test_configure_ssh_crypto_policy:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_configure_ssh_crypto_policy:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysconfig/sshd	^\sCRYPTO_POLICY\s=.*$	1

Configure Kerberos to use System Crypto Policy

Rule ID	xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-configure_kerberos_crypto_policy:def:1
Time	2021-02-11T19:31:22+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-80936-8 References: SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, 0418, 1055, 1402
Description	Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Kerberos is supported by crypto policy, but it's configuration may be set up to ignore it. To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at /etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config. If the symlink exists, kerberos is configured to use the system-wide crypto policy settings.
Rationale	Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented.

OVAL test results details

Check if kerberos configuration symlink and crypto policy kerberos backend symlink point to same file oval:ssg-test_configure_kerberos_crypto_policy_symlink:tst:1 error

Following items have been found on the system:

Var ref	Value
oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1	/etc/crypto-policies/back-ends/krb5.config

Check if kerberos configuration symlink links to the crypto-policy backend file oval:ssg-test_configure_kerberos_crypto_policy_nosymlink:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1	/etc/crypto-policies/back-ends/krb5.config

Configure OpenSSL library to use System Crypto Policy

Rule ID	xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-configure_openssl_crypto_policy:def:1
Time	2021-02-11T19:31:22+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-80938-4 References: AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000250-GPOS-00093
Description	Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSL is supported by crypto policy, but the OpenSSL configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file available under `/etc/pki/tls/openssl.cnf`. This file has the `ini` format, and it enables crypto policy support if there is a `[ crypto_policy ]` section that contains the `.include /etc/crypto-policies/back-ends/opensslcnf.config` directive.
Rationale	Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, and makes system configuration more fragmented.

OVAL test results details

Check that the configuration mandates usage of system-wide crypto policies. oval:ssg-test_configure_openssl_crypto_policy:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pki/tls/openssl.cnf	[ crypto_policy ] .include /etc/crypto-policies/back-ends/opensslcnf.config

Configure BIND to use System Crypto Policy

Rule ID	xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-configure_bind_crypto_policy:def:1
Time	2021-02-11T19:31:22+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-80934-3 References: SC-13, SC-12(2), SC-12(3), SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190
Description	Crypto Policies provide a centralized control over crypto algorithms usage of many packages. BIND is supported by crypto policy, but the BIND configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the `/etc/named.conf` includes the appropriate configuration: In the `options` section of `/etc/named.conf`, make sure that the following line is not commented out or superseded by later includes: `include "/etc/crypto-policies/back-ends/bind.config";`
Rationale	Overriding the system crypto policy makes the behavior of the BIND service violate expectations, and makes system configuration more fragmented.

OVAL test results details

package bind is removed oval:ssg-test_package_bind_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_bind_removed:obj:1 of type rpminfo_object

Name
bind

Check that the configuration includes the policy config file. oval:ssg-test_configure_bind_crypto_policy:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_configure_bind_crypto_policy:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/named.conf	^\sinclude\s+"/etc/crypto-policies/back-ends/bind.config"\s;\s*$	1

The Installed Operating System Is Vendor Supported

Rule ID	xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-installed_OS_is_vendor_supported:def:1
Time	2021-02-11T19:31:22+00:00
Severity	high
Identifiers and References	Identifiers: CCE-80947-5 References: CCI-000366, CM-6(a), MA-6, SA-13(a), ID.RA-1, PR.IP-12, SRG-OS-000480-GPOS-00227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, 18, 20, 4, RHEL-08-010000, SV-230221r599732_rule
Description	The installed operating system must be maintained by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches.
Rationale	An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software.
Warnings	warning There is no remediation besides switching to a different operating system.

OVAL test results details

installed OS part of unix family oval:ssg-test_rhel7_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object

installed OS part of unix family oval:ssg-test_rhel7_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

redhat-release-client is version 7 oval:ssg-test_rhel7_client:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object

Name
redhat-release-client

redhat-release-client is version 7 oval:ssg-test_rhel7_client:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object

Name
redhat-release-client

redhat-release-workstation is version 7 oval:ssg-test_rhel7_workstation:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object

Name
redhat-release-workstation

redhat-release-workstation is version 7 oval:ssg-test_rhel7_workstation:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object

Name
redhat-release-workstation

redhat-release-server is version 7 oval:ssg-test_rhel7_server:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object

Name
redhat-release-server

redhat-release-server is version 7 oval:ssg-test_rhel7_server:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object

Name
redhat-release-server

redhat-release-computenode is version 7 oval:ssg-test_rhel7_computenode:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object

Name
redhat-release-computenode

redhat-release-computenode is version 7 oval:ssg-test_rhel7_computenode:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object

Name
redhat-release-computenode

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

RHEVH base RHEL is version 7 oval:ssg-test_rhevh_rhel7_version:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

RHEVH base RHEL is version 7 oval:ssg-test_rhevh_rhel7_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

installed OS part of unix family oval:ssg-test_rhel7_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object

installed OS part of unix family oval:ssg-test_rhel7_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

redhat-release-client is version 7 oval:ssg-test_rhel7_client:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object

Name
redhat-release-client

redhat-release-client is version 7 oval:ssg-test_rhel7_client:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object

Name
redhat-release-client

redhat-release-workstation is version 7 oval:ssg-test_rhel7_workstation:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object

Name
redhat-release-workstation

redhat-release-workstation is version 7 oval:ssg-test_rhel7_workstation:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object

Name
redhat-release-workstation

redhat-release-server is version 7 oval:ssg-test_rhel7_server:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object

Name
redhat-release-server

redhat-release-server is version 7 oval:ssg-test_rhel7_server:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object

Name
redhat-release-server

redhat-release-computenode is version 7 oval:ssg-test_rhel7_computenode:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object

Name
redhat-release-computenode

redhat-release-computenode is version 7 oval:ssg-test_rhel7_computenode:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object

Name
redhat-release-computenode

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

RHEVH base RHEL is version 7 oval:ssg-test_rhevh_rhel7_version:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

RHEVH base RHEL is version 7 oval:ssg-test_rhevh_rhel7_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
redhat-release	x86_64	(none)	1.0.el8	8.3	0:8.3-1.0.el8	199e2f91fd431d51	redhat-release-0:8.3-1.0.el8.x86_64

redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
redhat-release	x86_64	(none)	1.0.el8	8.3	0:8.3-1.0.el8	199e2f91fd431d51	redhat-release-0:8.3-1.0.el8.x86_64

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
redhat-release	x86_64	(none)	1.0.el8	8.3	0:8.3-1.0.el8	199e2f91fd431d51	redhat-release-0:8.3-1.0.el8.x86_64

redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
redhat-release	x86_64	(none)	1.0.el8	8.3	0:8.3-1.0.el8	199e2f91fd431d51	redhat-release-0:8.3-1.0.el8.x86_64

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

oraclelinux-release is version 7 oval:ssg-test_ol7_system:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object

Name
oraclelinux-release

oraclelinux-release is version 7 oval:ssg-test_ol7_system:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object

Name
oraclelinux-release

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

oraclelinux-release is version 7 oval:ssg-test_ol7_system:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object

Name
oraclelinux-release

oraclelinux-release is version 7 oval:ssg-test_ol7_system:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object

Name
oraclelinux-release

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

oraclelinux-release is version 8 oval:ssg-test_ol8_system:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_ol8_system:obj:1 of type rpminfo_object

Name
oraclelinux-release

oraclelinux-release is version 8 oval:ssg-test_ol8_system:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_ol8_system:obj:1 of type rpminfo_object

Name
oraclelinux-release

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

oraclelinux-release is version 8 oval:ssg-test_ol8_system:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_ol8_system:obj:1 of type rpminfo_object

Name
oraclelinux-release

oraclelinux-release is version 8 oval:ssg-test_ol8_system:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_ol8_system:obj:1 of type rpminfo_object

Name
oraclelinux-release

installed OS part of unix family oval:ssg-test_sle12_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object

installed OS part of unix family oval:ssg-test_sle12_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

sled-release is version 6 oval:ssg-test_sle12_desktop:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object

Name
sled-release

sled-release is version 6 oval:ssg-test_sle12_desktop:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object

Name
sled-release

sles-release is version 6 oval:ssg-test_sle12_server:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object

Name
sles-release

sles-release is version 6 oval:ssg-test_sle12_server:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object

Name
sles-release

installed OS part of unix family oval:ssg-test_sle12_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object

installed OS part of unix family oval:ssg-test_sle12_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

sled-release is version 6 oval:ssg-test_sle12_desktop:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object

Name
sled-release

sled-release is version 6 oval:ssg-test_sle12_desktop:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object

Name
sled-release

sles-release is version 6 oval:ssg-test_sle12_server:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object

Name
sles-release

sles-release is version 6 oval:ssg-test_sle12_server:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object

Name
sles-release

installed OS part of unix family oval:ssg-test_sle15_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_sle15_unix_family:obj:1 of type family_object

installed OS part of unix family oval:ssg-test_sle15_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

sled-release is version 15 oval:ssg-test_sle15_desktop:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object

Name
sled-release

sled-release is version 15 oval:ssg-test_sle15_desktop:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object

Name
sled-release

sles-release is version 15 oval:ssg-test_sle15_server:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object

Name
sles-release

sles-release is version 15 oval:ssg-test_sle15_server:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object

Name
sles-release

installed OS part of unix family oval:ssg-test_sle15_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_sle15_unix_family:obj:1 of type family_object

installed OS part of unix family oval:ssg-test_sle15_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

sled-release is version 15 oval:ssg-test_sle15_desktop:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object

Name
sled-release

sled-release is version 15 oval:ssg-test_sle15_desktop:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object

Name
sled-release

sles-release is version 15 oval:ssg-test_sle15_server:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object

Name
sles-release

sles-release is version 15 oval:ssg-test_sle15_server:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object

Name
sles-release

Ensure /home Located On Separate Partition

Rule ID	xccdf_org.ssgproject.content_rule_partition_for_home
Result	notapplicable
Multi-check rule	no
Time	2021-02-11T19:31:22+00:00
Severity	low
Identifiers and References	Identifiers: CCE-81044-0 References: BP28(R12), 1.1.13, CCI-000366, CCI-001208, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, APO13.01, DSS05.02, A.13.1.1, A.13.2.1, A.14.1.3, 12, 15, 8
Description	If user home directories will be stored locally, create a separate partition for `/home` at installation time (or migrate it later using LVM). If `/home` will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.
Rationale	Ensuring that `/home` is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

Encrypt Partitions

Rule ID	xccdf_org.ssgproject.content_rule_encrypt_partitions
Result	notapplicable
Multi-check rule	no
Time	2021-02-11T19:31:22+00:00
Severity	high
Identifiers and References	Identifiers: CCE-80789-1 References: 3.13.16, CCI-001199, CCI-002475, CCI-002476, 164.308(a)(1)(ii)(D), 164.308(b)(1), 164.310(d), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.314(b)(2)(i), 164.312(d), A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), SC-28, SC-28(1), SC-13, AU-9(3), PR.DS-1, PR.DS-5, SRG-OS-000405-GPOS-00184, SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000404-VMM-001650, SRG-OS-000405-VMM-001660, SR 3.4, SR 4.1, SR 5.2, APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS05.04, DSS05.07, DSS06.02, DSS06.06, 13, 14
Description	Red Hat Enterprise Linux 8 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the `Encrypt` checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the `--encrypted` and `--passphrase=` options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the `--passphrase=` option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. By default, the `Anaconda` installer uses `aes-xts-plain64` cipher with a minimum `512` bit key size which should be compatible with FIPS enabled. Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the Red Hat Enterprise Linux 8 Documentation web site: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html.
Rationale	The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.

Ensure /var/log/audit Located On Separate Partition

Rule ID	xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
Result	notapplicable
Multi-check rule	no
Time	2021-02-11T19:31:22+00:00
Severity	low
Identifiers and References	Identifiers: CCE-80854-3 References: 1.1.12, CCI-000366, CCI-001849, 164.312(a)(2)(ii), A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8
Description	Audit logs are stored in the `/var/log/audit` directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.
Rationale	Placing `/var/log/audit` in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

Ensure /var Located On Separate Partition

Rule ID	xccdf_org.ssgproject.content_rule_partition_for_var
Result	notapplicable
Multi-check rule	no
Time	2021-02-11T19:31:22+00:00
Severity	low
Identifiers and References	Identifiers: CCE-80852-7 References: BP28(R12), 1.1.6, CCI-000366, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, APO13.01, DSS05.02, A.13.1.1, A.13.2.1, A.14.1.3, 12, 15, 8
Description	The `/var` directory is used by daemons and other system services to store frequently-changing data. Ensure that `/var` has its own partition or logical volume at installation time, or migrate it using LVM.
Rationale	Ensuring that `/var` is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the `/var` directory to contain world-writable directories installed by other software packages.

Ensure /var/log Located On Separate Partition

Rule ID	xccdf_org.ssgproject.content_rule_partition_for_var_log
Result	notapplicable
Multi-check rule	no
Time	2021-02-11T19:31:22+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-80853-5 References: BP28(R12), BP28(R47), 1.1.11, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, 1, 12, 14, 15, 16, 3, 5, 6, 8, SRG-OS-000480-GPOS-00227
Description	System logs are stored in the `/var/log` directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.
Rationale	Placing `/var/log` in its own partition enables better separation between log files and other files in `/var/`.

Make sure that the dconf databases are up-to-date with regards to respective keyfiles

Rule ID	xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
Result	notapplicable
Multi-check rule	no
Time	2021-02-11T19:31:22+00:00
Severity	high
Identifiers and References	Identifiers: CCE-81003-6 References: SRG-OS-000480-GPOS-00227
Description	By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the dconf update command.
Rationale	Unlike text-based keyfiles, the binary database is impossible to check by OVAL. Therefore, in order to evaluate dconf configuration, both have to be true at the same time - configuration files have to be compliant, and the database needs to be more recent than those keyfiles, which gives confidence that it reflects them.

Install sudo Package

Rule ID xccdf_org.ssgproject.content_rule_package_sudo_installed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-package_sudo_installed:def:1

Time 2021-02-11T19:31:22+00:00

Severity medium

Identifiers and References

Identifiers: CCE-82214-8

References: CM-6(a), SRG-OS-000324-GPOS-00125, 1.3.1, 1382, 1384, 1386

Description

The sudo package can be installed with the following command:

$ sudo yum install sudo

Rationale

sudo is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


if ! rpm -q --quiet "sudo" ; then
    yum install -y "sudo"
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

- name: Ensure sudo is installed
  package:
    name: sudo
    state: present
  tags:
    - CCE-82214-8
    - NIST-800-53-CM-6(a)
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_sudo_installed

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

include install_sudo

class install_sudo {
  package { 'sudo':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


package --add=sudo

OVAL test results details

package sudo is installed oval:ssg-test_package_sudo_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_sudo_installed:obj:1 of type rpminfo_object

Name
sudo

Install dnf-automatic Package

Rule ID xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-package_dnf-automatic_installed:def:1

Time 2021-02-11T19:31:22+00:00

Severity medium

Identifiers and References

Identifiers: CCE-82985-3

References: SRG-OS-000191-GPOS-00080

Description

The dnf-automatic package can be installed with the following command:

$ sudo yum install dnf-automatic

Rationale

dnf-automatic is an alternative command line interface (CLI) to dnf upgrade suitable for automatic, regular execution.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


if ! rpm -q --quiet "dnf-automatic" ; then
    yum install -y "dnf-automatic"
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

- name: Ensure dnf-automatic is installed
  package:
    name: dnf-automatic
    state: present
  tags:
    - CCE-82985-3
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_dnf-automatic_installed

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

include install_dnf-automatic

class install_dnf-automatic {
  package { 'dnf-automatic':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


package --add=dnf-automatic

OVAL test results details

package dnf-automatic is installed oval:ssg-test_package_dnf-automatic_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_dnf-automatic_installed:obj:1 of type rpminfo_object

Name
dnf-automatic

Ensure gpgcheck Enabled In Main yum Configuration

Rule ID	xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result	notapplicable
Multi-check rule	no
Time	2021-02-11T19:31:22+00:00
Severity	high
Identifiers and References	Identifiers: CCE-80790-9 References: 1.2.4, 5.10.4.1, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, 11, 2, 3, 9, BP28(R15)
Description	The `gpgcheck` option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in `/etc/yum.conf` in the `[main]` section: gpgcheck=1
Rationale	Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).

Ensure gpgcheck Enabled for Local Packages

Rule ID	xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
Result	notapplicable
Multi-check rule	no
Time	2021-02-11T19:31:22+00:00
Severity	high
Identifiers and References	Identifiers: CCE-80791-7 References: 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, 11, 3, 9, BP28(R15)
Description	`yum` should be configured to verify the signature(s) of local packages prior to installation. To configure `yum` to verify signatures of local packages, set the `localpkg_gpgcheck` to `1` in `/etc/yum.conf`.
Rationale	Changes to any software components can have significant effects to the overall security of the operating system. This requirement ensures the software has not been tampered and has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.

Enable dnf-automatic Timer

Rule ID xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-timer_dnf-automatic_enabled:def:1

Time 2021-02-11T19:31:22+00:00

Severity medium

Identifiers and References

Identifiers: CCE-82360-9

References: FMT_SMF_EXT.1, SI-2(5), CM-6(a), SI-2(c), SRG-OS-000191-GPOS-00080

Description

The dnf-automatic timer can be enabled with the following command:

$ sudo systemctl enable dnf-automatic.timer

Rationale

The dnf-automatic is an alternative command line interface (CLI) to dnf upgrade with specific facilities to make it suitable to be executed automatically and regularly from systemd timers, cron jobs and similar. The tool is controlled by dnf-automatic.timer SystemD timer.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'dnf-automatic.timer'
"$SYSTEMCTL_EXEC" enable 'dnf-automatic.timer'

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

- name: Enable timer dnf-automatic
  block:

    - name: Gather the package facts
      package_facts:
        manager: auto

    - name: Enable timer dnf-automatic
      systemd:
        name: dnf-automatic.timer
        enabled: 'yes'
        state: started
      when:
        - '"dnf-automatic" in ansible_facts.packages'
  tags:
    - CCE-82360-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-2(5)
    - NIST-800-53-SI-2(c)
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - timer_dnf-automatic_enabled

OVAL test results details

package dnf-automatic is installed oval:ssg-test_package_dnf-automatic_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_dnf-automatic_installed:obj:1 of type rpminfo_object

Name
dnf-automatic

Test that the dnf-automatic timer is running oval:ssg-test_timer_running_dnf-automatic:tst:1 unknown

No items have been found conforming to the following objects:

Object oval:ssg-obj_timer_running_dnf-automatic:obj:1 of type systemdunitproperty_object

Unit	Property
dnf-automatic\.timer	ActiveState

systemd test oval:ssg-test_multi_user_wants_dnf-automatic:tst:1 unknown

No items have been found conforming to the following objects:

Object oval:ssg-object_multi_user_target_for_dnf-automatic_enabled:obj:1 of type systemdunitdependency_object

Unit
multi-user.target

Configure dnf-automatic to Install Available Updates Automatically

Rule ID xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-dnf-automatic_apply_updates:def:1

Time 2021-02-11T19:31:22+00:00

Severity medium

Identifiers and References

Identifiers: CCE-82494-6

References: FMT_SMF_EXT.1, SI-2(5), CM-6(a), SI-2(c), SRG-OS-000191-GPOS-00080, 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495

Description

To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf.

Rationale

Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. The automated installation of updates ensures that recent security patches are applied in a timely manner.

Remediation Shell script ⇲


CONF="/etc/dnf/automatic.conf"
APPLY_UPDATES_REGEX="[[:space:]]*\[commands]([^\n\[]*\n+)+?[[:space:]]*apply_updates"
COMMANDS_REGEX="[[:space:]]*\[commands]"

# Try find [commands] and apply_updates in automatic.conf, if it exists, set
# to yes, if it isn't here, add it, if [commands] doesn't exist, add it there
if grep -qzosP $APPLY_UPDATES_REGEX $CONF; then
    sed -i "s/apply_updates[^(\n)]*/apply_updates = yes/" $CONF
elif grep -qs $COMMANDS_REGEX $CONF; then
    sed -i "/$COMMANDS_REGEX/a apply_updates = yes" $CONF
else
    mkdir -p /etc/dnf
    echo -e "[commands]\napply_updates = yes" >> $CONF
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium

- name: Configure dnf-automatic to Install Available Updates Automatically
  ini_file:
    dest: /etc/dnf/automatic.conf
    section: commands
    option: apply_updates
    value: 'yes'
    create: true
  tags:
    - CCE-82494-6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-2(5)
    - NIST-800-53-SI-2(c)
    - dnf-automatic_apply_updates
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

OVAL test results details

tests the value of apply_updates setting in the /etc/dnf/automatic.conf file oval:ssg-test_dnf-automatic_apply_updates:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_dnf-automatic_apply_updates:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/dnf/automatic.conf	^\s\[commands\].(?:\n\s[^[\s].)\n^\sapply_updates[ \t]=[ \t](.+?)[ \t]*(?:$\|#)	1

The configuration file /etc/dnf/automatic.conf exists for dnf-automatic_apply_updates oval:ssg-test_dnf-automatic_apply_updates_config_file_exists:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_dnf-automatic_apply_updates_config_file:obj:1 of type file_object

Filepath
^/etc/dnf/automatic.conf

Ensure Red Hat GPG Key Installed

Rule ID	xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-ensure_redhat_gpgkey_installed:def:1
Time	2021-02-11T19:31:22+00:00
Severity	high
Identifiers and References	Identifiers: CCE-80795-8 References: SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, 5.10.4.1, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, 11, 2, 3, 9, BP28(R15)
Description	To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run: $ sudo subscription-manager register If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in `/media/cdrom`, use the following command as the root user to import it into the keyring: $ sudo rpm --import /media/cdrom/RPM-GPG-KEY Alternatively, the key may be pre-loaded during the RHEL installation. In such cases, the key can be installed by running the following command: sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Rationale	Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.

OVAL test results details

installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
redhat-release	x86_64	(none)	1.0.el8	8.3	0:8.3-1.0.el8	199e2f91fd431d51	redhat-release-0:8.3-1.0.el8.x86_64

redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
redhat-release	x86_64	(none)	1.0.el8	8.3	0:8.3-1.0.el8	199e2f91fd431d51	redhat-release-0:8.3-1.0.el8.x86_64

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
redhat-release	x86_64	(none)	1.0.el8	8.3	0:8.3-1.0.el8	199e2f91fd431d51	redhat-release-0:8.3-1.0.el8.x86_64

redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
redhat-release	x86_64	(none)	1.0.el8	8.3	0:8.3-1.0.el8	199e2f91fd431d51	redhat-release-0:8.3-1.0.el8.x86_64

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

Red Hat release key package is installed oval:ssg-test_package_gpgkey-fd431d51-4ae0493b_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
gpg-pubkey	(none)	(none)	4ae0493b	fd431d51	0:fd431d51-4ae0493b	0	gpg-pubkey-0:fd431d51-4ae0493b.(none)
gpg-pubkey	(none)	(none)	5b32db75	d4082792	0:d4082792-5b32db75	0	gpg-pubkey-0:d4082792-5b32db75.(none)

Red Hat auxiliary key package is installed oval:ssg-test_package_gpgkey-d4082792-5b32db75_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
gpg-pubkey	(none)	(none)	4ae0493b	fd431d51	0:fd431d51-4ae0493b	0	gpg-pubkey-0:fd431d51-4ae0493b.(none)
gpg-pubkey	(none)	(none)	5b32db75	d4082792	0:d4082792-5b32db75	0	gpg-pubkey-0:d4082792-5b32db75.(none)

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

Check os-release ID oval:ssg-test_centos8_name:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_name_centos8:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/os-release	^ID="(\w+)"$	1

Check os-release ID oval:ssg-test_centos8_name:tst:1 false

Following items have been found on the system:

Path	Content
/etc/os-release	ID="rhel"

Check os-release VERSION_ID oval:ssg-test_centos8_version:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/os-release	^VERSION_ID="(\d)"$	1

Check os-release VERSION_ID oval:ssg-test_centos8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/os-release	^VERSION_ID="(\d)"$	1

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

Check os-release ID oval:ssg-test_centos8_name:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_name_centos8:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/os-release	^ID="(\w+)"$	1

Check os-release ID oval:ssg-test_centos8_name:tst:1 false

Following items have been found on the system:

Path	Content
/etc/os-release	ID="rhel"

Check os-release VERSION_ID oval:ssg-test_centos8_version:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/os-release	^VERSION_ID="(\d)"$	1

Check os-release VERSION_ID oval:ssg-test_centos8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/os-release	^VERSION_ID="(\d)"$	1

CentOS8 key package is installed oval:ssg-test_package_gpgkey-8483c65d-5ccc5b19_installed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
gpg-pubkey	(none)	(none)	4ae0493b	fd431d51	0:fd431d51-4ae0493b	0	gpg-pubkey-0:fd431d51-4ae0493b.(none)
gpg-pubkey	(none)	(none)	5b32db75	d4082792	0:d4082792-5b32db75	0	gpg-pubkey-0:d4082792-5b32db75.(none)

Ensure yum Removes Previous Package Versions

Rule ID	xccdf_org.ssgproject.content_rule_clean_components_post_updating
Result	notapplicable
Multi-check rule	no
Time	2021-02-11T19:31:22+00:00
Severity	low
Identifiers and References	Identifiers: CCE-82476-3 References: 3.4.8, CCI-002617, SI-2(6), CM-11(a), CM-11(b), CM-6(a), ID.RA-1, PR.IP-12, SRG-OS-000437-GPOS-00194, SRG-OS-000437-VMM-001760, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, 18, 20, 4
Description	`yum` should be configured to remove previous software components after new versions have been installed. To configure `yum` to remove the previous software components after updating, set the `clean_requirements_on_remove` to `1` in `/etc/yum.conf`.
Rationale	Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.

Configure dnf-automatic to Install Only Security Updates

Rule ID xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-dnf-automatic_security_updates_only:def:1

Time 2021-02-11T19:31:22+00:00

Severity low

Identifiers and References

Identifiers: CCE-82267-6

References: FMT_SMF_EXT.1, SI-2(5), CM-6(a), SI-2(c), SRG-OS-000191-GPOS-00080

Description

To configure dnf-automatic to install only security updates automatically, set upgrade_type to security under [commands] section in /etc/dnf/automatic.conf.

Rationale

By default, dnf-automatic installs all available updates. Reducing the amount of updated packages only to updates that were issued as a part of a security advisory increases the system stability.

Remediation Shell script ⇲


CONF="/etc/dnf/automatic.conf"
APPLY_UPDATES_REGEX="[[:space:]]*\[commands]([^\n\[]*\n+)+?[[:space:]]*upgrade_type"
COMMANDS_REGEX="[[:space:]]*\[commands]"

# Try find [commands] and upgrade_type in automatic.conf, if it exists, set
# it to security, if it isn't here, add it, if [commands] doesn't exist,
# add it there
if grep -qzosP $APPLY_UPDATES_REGEX $CONF; then
    sed -i "s/upgrade_type[^(\n)]*/upgrade_type = security/" $CONF
elif grep -qs $COMMANDS_REGEX $CONF; then
    sed -i "/$COMMANDS_REGEX/a upgrade_type = security" $CONF
else
    mkdir -p /etc/dnf
    echo -e "[commands]\nupgrade_type = security" >> $CONF
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium

- name: Configure dnf-automatic to Install Only Security Updates
  ini_file:
    dest: /etc/dnf/automatic.conf
    section: commands
    option: upgrade_type
    value: security
    create: true
  tags:
    - CCE-82267-6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-2(5)
    - NIST-800-53-SI-2(c)
    - dnf-automatic_security_updates_only
    - low_complexity
    - low_severity
    - medium_disruption
    - no_reboot_needed
    - unknown_strategy

OVAL test results details

tests the value of upgrade_type setting in the /etc/dnf/automatic.conf file oval:ssg-test_dnf-automatic_security_updates_only:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_dnf-automatic_security_updates_only:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/dnf/automatic.conf	^\s\[commands\].(?:\n\s[^[\s].)\n^\supgrade_type[ \t]=[ \t](.+?)[ \t]*(?:$\|#)	1

The configuration file /etc/dnf/automatic.conf exists for dnf-automatic_security_updates_only oval:ssg-test_dnf-automatic_security_updates_only_config_file_exists:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_dnf-automatic_security_updates_only_config_file:obj:1 of type file_object

Filepath
^/etc/dnf/automatic.conf

Ensure gpgcheck Enabled for All yum Package Repositories

Rule ID	xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-ensure_gpgcheck_never_disabled:def:1
Time	2021-02-11T19:31:22+00:00
Severity	high
Identifiers and References	Identifiers: CCE-80792-5 References: SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 5.10.4.1, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, 11, 2, 3, 9, BP28(R15)
Description	To ensure signature checking is not disabled for any repos, remove any lines from files in `/etc/yum.repos.d` of the form: gpgcheck=0
Rationale	Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA)."

OVAL test results details

check for existence of gpgcheck=0 in /etc/yum.repos.d/ files oval:ssg-test_ensure_gpgcheck_never_disabled:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_ensure_gpgcheck_never_disabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/yum.repos.d	.*	^\sgpgcheck\s=\s0\s$	1

Install dnf-plugin-subscription-manager Package

Rule ID xccdf_org.ssgproject.content_rule_package_dnf-plugin-subscription-manager_installed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-package_dnf-plugin-subscription-manager_installed:def:1

Time 2021-02-11T19:31:22+00:00

Severity medium

Identifiers and References

Identifiers: CCE-82315-3

References: FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495

Description

The dnf-plugin-subscription-manager package can be installed with the following command:

$ sudo yum install dnf-plugin-subscription-manager

Rationale

This package provides plugins to interact with repositories and subscriptions from the Red Hat entitlement platform; contains subscription-manager and product-id plugins.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


if ! rpm -q --quiet "dnf-plugin-subscription-manager" ; then
    yum install -y "dnf-plugin-subscription-manager"
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

- name: Ensure dnf-plugin-subscription-manager is installed
  package:
    name: dnf-plugin-subscription-manager
    state: present
  tags:
    - CCE-82315-3
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_dnf-plugin-subscription-manager_installed

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

include install_dnf-plugin-subscription-manager

class install_dnf-plugin-subscription-manager {
  package { 'dnf-plugin-subscription-manager':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


package --add=dnf-plugin-subscription-manager

OVAL test results details

package dnf-plugin-subscription-manager is installed oval:ssg-test_package_dnf-plugin-subscription-manager_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_dnf-plugin-subscription-manager_installed:obj:1 of type rpminfo_object

Name
dnf-plugin-subscription-manager

Ensure gnutls-utils is installed

Rule ID xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-package_gnutls-utils_installed:def:1

Time 2021-02-11T19:31:22+00:00

Severity medium

Identifiers and References

Identifiers: CCE-82395-5

References: FIA_X509_EXT, SRG-OS-000480-GPOS-00227

Description

The gnutls-utils package can be installed with the following command:

$ sudo yum install gnutls-utils

Rationale

GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. This package contains command line TLS client and server and certificate manipulation tools.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


if ! rpm -q --quiet "gnutls-utils" ; then
    yum install -y "gnutls-utils"
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

- name: Ensure gnutls-utils is installed
  package:
    name: gnutls-utils
    state: present
  tags:
    - CCE-82395-5
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_gnutls-utils_installed

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

include install_gnutls-utils

class install_gnutls-utils {
  package { 'gnutls-utils':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


package --add=gnutls-utils

OVAL test results details

package gnutls-utils is installed oval:ssg-test_package_gnutls-utils_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_gnutls-utils_installed:obj:1 of type rpminfo_object

Name
gnutls-utils

Install libcap-ng-utils Package

Rule ID xccdf_org.ssgproject.content_rule_package_libcap-ng-utils_installed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-package_libcap-ng-utils_installed:def:1

Time 2021-02-11T19:31:22+00:00

Severity medium

Identifiers and References

Identifiers: CCE-82979-6

References: SRG-OS-000445-GPOS-00199

Description

The libcap-ng-utils package can be installed with the following command:

$ sudo yum install libcap-ng-utils

Rationale

libcap-ng-utils contains applications to analyze the posix posix capabilities of all the programs running on a system. libcap-ng-utils also lets system operators set the file system based capabilities.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


if ! rpm -q --quiet "libcap-ng-utils" ; then
    yum install -y "libcap-ng-utils"
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

- name: Ensure libcap-ng-utils is installed
  package:
    name: libcap-ng-utils
    state: present
  tags:
    - CCE-82979-6
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_libcap-ng-utils_installed

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

include install_libcap-ng-utils

class install_libcap-ng-utils {
  package { 'libcap-ng-utils':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


package --add=libcap-ng-utils

OVAL test results details

package libcap-ng-utils is installed oval:ssg-test_package_libcap-ng-utils_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_libcap-ng-utils_installed:obj:1 of type rpminfo_object

Name
libcap-ng-utils

Install openscap-scanner Package

Rule ID xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-package_openscap-scanner_installed:def:1

Time 2021-02-11T19:31:22+00:00

Severity medium

Identifiers and References

Identifiers: CCE-82220-5

References: SRG-OS-000480-GPOS-00227, SRG-OS-000191-GPOS-00080

Description

The openscap-scanner package can be installed with the following command:

$ sudo yum install openscap-scanner

Rationale

openscap-scanner contains the oscap command line tool. This tool is a configuration and vulnerability scanner, capable of performing compliance checking using SCAP content.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


if ! rpm -q --quiet "openscap-scanner" ; then
    yum install -y "openscap-scanner"
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

- name: Ensure openscap-scanner is installed
  package:
    name: openscap-scanner
    state: present
  tags:
    - CCE-82220-5
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_openscap-scanner_installed

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

include install_openscap-scanner

class install_openscap-scanner {
  package { 'openscap-scanner':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


package --add=openscap-scanner

OVAL test results details

package openscap-scanner is installed oval:ssg-test_package_openscap-scanner_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_openscap-scanner_installed:obj:1 of type rpminfo_object

Name
openscap-scanner

Install scap-security-guide Package

Rule ID xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-package_scap-security-guide_installed:def:1

Time 2021-02-11T19:31:22+00:00

Severity medium

Identifiers and References

Identifiers: CCE-82949-9

References: SRG-OS-000480-GPOS-00227

Description

The scap-security-guide package can be installed with the following command:

$ sudo yum install scap-security-guide

Rationale

The scap-security-guide package provides a guide for configuration of the system from the final system's security point of view. The guidance is specified in the Security Content Automation Protocol (SCAP) format and constitutes a catalog of practical hardening advice, linked to government requirements where applicable. The SCAP Security Guide project bridges the gap between generalized policy requirements and specific implementation guidelines. A system administrator can use the oscap CLI tool from the openscap-scanner package, or the SCAP Workbench GUI tool from the scap-workbench package, to verify that the system conforms to provided guidelines. Refer to the scap-security-guide(8) manual page for futher information.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


if ! rpm -q --quiet "scap-security-guide" ; then
    yum install -y "scap-security-guide"
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

- name: Ensure scap-security-guide is installed
  package:
    name: scap-security-guide
    state: present
  tags:
    - CCE-82949-9
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_scap-security-guide_installed

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

include install_scap-security-guide

class install_scap-security-guide {
  package { 'scap-security-guide':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


package --add=scap-security-guide

OVAL test results details

package scap-security-guide is installed oval:ssg-test_package_scap-security-guide_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_scap-security-guide_installed:obj:1 of type rpminfo_object

Name
scap-security-guide

Install subscription-manager Package

Rule ID xccdf_org.ssgproject.content_rule_package_subscription-manager_installed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-package_subscription-manager_installed:def:1

Time 2021-02-11T19:31:22+00:00

Severity medium

Identifiers and References

Identifiers: CCE-82316-1

References: SRG-OS-000366-GPOS-00153, FPT_TUD_EXT.1, FPT_TUD_EXT.2, 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495

Description

The subscription-manager package can be installed with the following command:

$ sudo yum install subscription-manager

Rationale

Red Hat Subscription Manager is a local service which tracks installed products and subscriptions on a local system to help manage subscription assignments. It communicates with the backend subscription service (the Customer Portal or an on-premise server such as Subscription Asset Manager) and works with content management tools such as yum.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


if ! rpm -q --quiet "subscription-manager" ; then
    yum install -y "subscription-manager"
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

- name: Ensure subscription-manager is installed
  package:
    name: subscription-manager
    state: present
  tags:
    - CCE-82316-1
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_subscription-manager_installed

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

include install_subscription-manager

class install_subscription-manager {
  package { 'subscription-manager':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


package --add=subscription-manager

OVAL test results details

package subscription-manager is installed oval:ssg-test_package_subscription-manager_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_subscription-manager_installed:obj:1 of type rpminfo_object

Name
subscription-manager

Uninstall abrt-addon-ccpp Package

Rule ID	xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_abrt-addon-ccpp_removed:def:1
Time	2021-02-11T19:31:22+00:00
Severity	low
Identifiers and References	Identifiers: CCE-82919-2 References: SRG-OS-000095-GPOS-00049
Description	The `abrt-addon-ccpp` package can be removed with the following command: $ sudo yum erase abrt-addon-ccpp
Rationale	`abrt-addon-ccpp` contains hooks for C/C++ crashed programs and `abrt`'s C/C++ analyzer plugin.

OVAL test results details

package abrt-addon-ccpp is removed oval:ssg-test_package_abrt-addon-ccpp_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_abrt-addon-ccpp_removed:obj:1 of type rpminfo_object

Name
abrt-addon-ccpp

Uninstall abrt-addon-kerneloops Package

Rule ID	xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_abrt-addon-kerneloops_removed:def:1
Time	2021-02-11T19:31:22+00:00
Severity	low
Identifiers and References	Identifiers: CCE-82926-7 References: SRG-OS-000095-GPOS-00049
Description	The `abrt-addon-kerneloops` package can be removed with the following command: $ sudo yum erase abrt-addon-kerneloops
Rationale	`abrt-addon-kerneloops` contains plugins for collecting kernel crash information and reporter plugin which sends this information to a specified server, usually to kerneloops.org.

OVAL test results details

package abrt-addon-kerneloops is removed oval:ssg-test_package_abrt-addon-kerneloops_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_abrt-addon-kerneloops_removed:obj:1 of type rpminfo_object

Name
abrt-addon-kerneloops

Uninstall abrt-addon-python Package

Rule ID	xccdf_org.ssgproject.content_rule_package_abrt-addon-python_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_abrt-addon-python_removed:def:1
Time	2021-02-11T19:31:22+00:00
Severity	low
Identifiers and References	Identifiers: CCE-82923-4 References: SRG-OS-000095-GPOS-00049
Description	The `abrt-addon-python` package can be removed with the following command: $ sudo yum erase abrt-addon-python
Rationale	`abrt-addon-python` contains python hook and python analyzer plugin for handling uncaught exceptions in python programs.

OVAL test results details

package abrt-addon-python is removed oval:ssg-test_package_abrt-addon-python_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_abrt-addon-python_removed:obj:1 of type rpminfo_object

Name
abrt-addon-python

Uninstall abrt-cli Package

Rule ID	xccdf_org.ssgproject.content_rule_package_abrt-cli_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_abrt-cli_removed:def:1
Time	2021-02-11T19:31:22+00:00
Severity	low
Identifiers and References	Identifiers: CCE-82907-7 References: SRG-OS-000095-GPOS-00049
Description	The `abrt-cli` package can be removed with the following command: $ sudo yum erase abrt-cli
Rationale	`abrt-cli` contains a command line client for controlling abrt daemon over sockets.

OVAL test results details

package abrt-cli is removed oval:ssg-test_package_abrt-cli_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_abrt-cli_removed:obj:1 of type rpminfo_object

Name
abrt-cli

Uninstall abrt-plugin-logger Package

Rule ID	xccdf_org.ssgproject.content_rule_package_abrt-plugin-logger_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_abrt-plugin-logger_removed:def:1
Time	2021-02-11T19:31:22+00:00
Severity	low
Identifiers and References	Identifiers: CCE-82913-5 References: SRG-OS-000095-GPOS-00049
Description	The `abrt-plugin-logger` package can be removed with the following command: $ sudo yum erase abrt-plugin-logger
Rationale	`abrt-plugin-logger` is an ABRT plugin which writes a report to a specified file.

OVAL test results details

package abrt-plugin-logger is removed oval:ssg-test_package_abrt-plugin-logger_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_abrt-plugin-logger_removed:obj:1 of type rpminfo_object

Name
abrt-plugin-logger

Uninstall abrt-plugin-rhtsupport Package

Rule ID	xccdf_org.ssgproject.content_rule_package_abrt-plugin-rhtsupport_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_abrt-plugin-rhtsupport_removed:def:1
Time	2021-02-11T19:31:22+00:00
Severity	low
Identifiers and References	Identifiers: CCE-82916-8 References: SRG-OS-000095-GPOS-00049
Description	The `abrt-plugin-rhtsupport` package can be removed with the following command: $ sudo yum erase abrt-plugin-rhtsupport
Rationale	`abrt-plugin-rhtsupport` is a ABRT plugin to report bugs into the Red Hat Support system.

OVAL test results details

package abrt-plugin-rhtsupport is removed oval:ssg-test_package_abrt-plugin-rhtsupport_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_abrt-plugin-rhtsupport_removed:obj:1 of type rpminfo_object

Name
abrt-plugin-rhtsupport

Uninstall abrt-plugin-sosreport Package

Rule ID	xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_abrt-plugin-sosreport_removed:def:1
Time	2021-02-11T19:31:22+00:00
Severity	low
Identifiers and References	Identifiers: CCE-82910-1 References: SRG-OS-000095-GPOS-00049
Description	The `abrt-plugin-sosreport` package can be removed with the following command: $ sudo yum erase abrt-plugin-sosreport
Rationale	`abrt-plugin-sosreport` provides a plugin to include an sosreport in an ABRT report.

OVAL test results details

package abrt-plugin-sosreport is removed oval:ssg-test_package_abrt-plugin-sosreport_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_abrt-plugin-sosreport_removed:obj:1 of type rpminfo_object

Name
abrt-plugin-sosreport

Uninstall gssproxy Package

Rule ID	xccdf_org.ssgproject.content_rule_package_gssproxy_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_gssproxy_removed:def:1
Time	2021-02-11T19:31:22+00:00
Severity	low
Identifiers and References	Identifiers: CCE-82943-2 References: SRG-OS-000095-GPOS-00049
Description	The `gssproxy` package can be removed with the following command: $ sudo yum erase gssproxy
Rationale	`gssproxy` is a proxy for GSS API credential handling.

OVAL test results details

package gssproxy is removed oval:ssg-test_package_gssproxy_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_gssproxy_removed:obj:1 of type rpminfo_object

Name
gssproxy

Uninstall iprutils Package

Rule ID	xccdf_org.ssgproject.content_rule_package_iprutils_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_iprutils_removed:def:1
Time	2021-02-11T19:31:22+00:00
Severity	low
Identifiers and References	Identifiers: CCE-82946-5 References: SRG-OS-000095-GPOS-00049
Description	The `iprutils` package can be removed with the following command: $ sudo yum erase iprutils
Rationale	`iprutils` provides a suite of utlilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver.

OVAL test results details

package iprutils is removed oval:ssg-test_package_iprutils_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_iprutils_removed:obj:1 of type rpminfo_object

Name
iprutils

Uninstall krb5-workstation Package

Rule ID	xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_krb5-workstation_removed:def:1
Time	2021-02-11T19:31:22+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82931-7 References: SRG-OS-000095-GPOS-00049, SRG-OS-000120-GPOS-00061
Description	The `krb5-workstation` package can be removed with the following command: $ sudo yum erase krb5-workstation
Rationale	Kerberos is a network authentication system. The `krb5-workstation` package contains the basic Kerberos programs (`kinit`, `klist`, `kdestroy`, `kpasswd`). Currently, Kerberos does not utilize FIPS 140-2 cryptography and is not permitted on Government networks, nor is it permitted in many regulatory environments such as HIPAA.

OVAL test results details

package krb5-workstation is removed oval:ssg-test_package_krb5-workstation_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_krb5-workstation_removed:obj:1 of type rpminfo_object

Name
krb5-workstation

Set the GNOME3 Login Warning Banner Text

Rule ID	xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
Result	notapplicable
Multi-check rule	no
Time	2021-02-11T19:31:22+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-80770-1 References: 1.8.2, 3.1.9, CCI-000048, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, DSS05.04, DSS05.10, DSS06.10, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16
Description	In the default graphical environment, configuring the login warning banner text in the GNOME Display Manager's login screen can be configured on the login screen by setting `banner-message-text` to `'APPROVED_BANNER'` where APPROVED_BANNER is the approved banner for your environment. To enable, add or edit `banner-message-text` to `/etc/dconf/db/gdm.d/00-security-settings`. For example: [org/gnome/login-screen] banner-message-text='APPROVED_BANNER' Once the setting has been added, add a lock to `/etc/dconf/db/gdm.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/login-screen/banner-message-text After the settings have been set, run `dconf update`. When entering a warning banner that spans several lines, remember to begin and end the string with `'` and use `\n` for new lines.
Rationale	An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.

Enable GNOME3 Login Warning Banner

Rule ID	xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
Result	notapplicable
Multi-check rule	no
Time	2021-02-11T19:31:22+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-80768-5 References: 1.8.2, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, AC-8(a), AC-8(b), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, DSS05.04, DSS05.10, DSS06.10, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16
Description	In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting `banner-message-enable` to `true`. To enable, add or edit `banner-message-enable` to `/etc/dconf/db/gdm.d/00-security-settings`. For example: [org/gnome/login-screen] banner-message-enable=true Once the setting has been added, add a lock to `/etc/dconf/db/gdm.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/login-screen/banner-message-enable After the settings have been set, run `dconf update`. The banner text must also be set.
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

Modify the System Login Banner

Rule ID xccdf_org.ssgproject.content_rule_banner_etc_issue

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-banner_etc_issue:def:1

Time 2021-02-11T19:31:22+00:00

Severity medium

Identifiers and References

Identifiers: CCE-80763-6

References: 1.8.1.2, 3.1.9, CCI-000048, CCI-000050, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000023-VMM-000060, SRG-OS-000024-VMM-000070, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, DSS05.04, DSS05.10, DSS06.10, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16

Description

To configure the system login banner edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

OR:

I've read & consent to terms in IS user agreem't.

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

Remediation Shell script ⇲


login_banner_text="^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\)\,[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including\,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to\,[\s\n]+penetration[\s\n]+testing\,[\s\n]+COMSEC[\s\n]+monitoring\,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense\,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\)\,[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\)\,[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time\,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using\,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on\,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private\,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring\,[\s\n]+interception\,[\s\n]+and[\s\n]+search\,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.\,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above\,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM\,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications\,[\s\n]+or[\s\n]+work[\s\n]+product\,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys\,[\s\n]+psychotherapists\,[\s\n]+or[\s\n]+clergy\,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$"



# Multiple regexes transform the banner regex into a usable banner
# 0 - Remove anchors around the banner text
login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
# 1 - Keep only the first banners if there are multiple
#    (dod_banners contains the long and short banner)
login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\)|.*)$/\1/g')
# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\n)+)/\n/g')
# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example).
login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g')
formatted=$(echo "$login_banner_text" | fold -sw 80)

cat <<EOF >/etc/issue
$formatted
EOF

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium

- name: XCCDF Value login_banner_text # promote to variable
  set_fact:
    login_banner_text: !!str ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\)\,[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including\,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to\,[\s\n]+penetration[\s\n]+testing\,[\s\n]+COMSEC[\s\n]+monitoring\,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense\,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\)\,[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\)\,[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time\,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using\,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on\,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private\,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring\,[\s\n]+interception\,[\s\n]+and[\s\n]+search\,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.\,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above\,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM\,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications\,[\s\n]+or[\s\n]+work[\s\n]+product\,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys\,[\s\n]+psychotherapists\,[\s\n]+or[\s\n]+clergy\,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$
  tags:
    - always

- name: Modify the System Login Banner - remove incorrect banner
  file:
    state: absent
    path: /etc/issue
  tags:
    - CCE-80763-6
    - NIST-800-171-3.1.9
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(c)
    - banner_etc_issue
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

- name: Modify the System Login Banner - add correct banner
  lineinfile:
    dest: /etc/issue
    line: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*)\|.*\)$",
      "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
      "\n") | regex_replace("\\", "") | wordwrap() }}'
    create: true
  tags:
    - CCE-80763-6
    - NIST-800-171-3.1.9
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(c)
    - banner_etc_issue
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

OVAL test results details

correct banner in /etc/issue oval:ssg-test_banner_etc_issue:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_banner_etc_issue:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/issue	^(.*)$	1

Set Lockout Time for Failed Password Attempts

Rule ID	xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
Result	notapplicable
Multi-check rule	no
Time	2021-02-11T19:31:22+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-80670-3 References: 5.3.2, 5.5.3, 3.1.8, CCI-000044, CCI-002238, CM-6(a), AC-7(b), PR.AC-7, FIA_AFL.1, Req-8.1.7, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000329-VMM-001180, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, DSS05.04, DSS05.10, DSS06.10, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
Description	To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using `pam_faillock.so`, modify the content of both `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` as follows: add the following line immediately `before` the `pam_unix.so` statement in the `AUTH` section: auth required pam_faillock.so preauth silent deny=3 unlock_time=0 fail_interval=900 add the following line immediately `after` the `pam_unix.so` statement in the `AUTH` section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=0 fail_interval=900 add the following line immediately `before` the `pam_unix.so` statement in the `ACCOUNT` section: account required pam_faillock.so If `unlock_time` is set to `0`, manual intervention by an administrator is required to unlock a user.
Rationale	Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.

Set Deny For Failed Password Attempts

Rule ID	xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Result	notapplicable
Multi-check rule	no
Time	2021-02-11T19:31:22+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-80667-9 References: 5.3.2, 5.5.3, 3.1.8, CCI-000044, CCI-002238, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000021-VMM-000050, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, DSS05.04, DSS05.10, DSS06.10, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
Description	To configure the system to lock out accounts after a number of incorrect login attempts using `pam_faillock.so`, modify the content of both `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` as follows: add the following line immediately `before` the `pam_unix.so` statement in the `AUTH` section: auth required pam_faillock.so preauth silent deny=3 unlock_time=0 fail_interval=900 add the following line immediately `after` the `pam_unix.so` statement in the `AUTH` section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=0 fail_interval=900 add the following line immediately `before` the `pam_unix.so` statement in the `ACCOUNT` section: account required pam_faillock.so
Rationale	Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.

Set Interval For Counting Failed Password Attempts

Rule ID	xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
Result	notapplicable
Multi-check rule	no
Time	2021-02-11T19:31:22+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-80669-5 References: CCI-000044, CCI-002238, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000021-VMM-000050, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, DSS05.04, DSS05.10, DSS06.10, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
Description	Utilizing `pam_faillock.so`, the `fail_interval` directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period. Modify the content of both `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` as follows: Add the following line immediately `before` the `pam_unix.so` statement in the `AUTH` section: auth required pam_faillock.so preauth silent deny=3 unlock_time=0 fail_interval=900 Add the following line immediately `after` the `pam_unix.so` statement in the `AUTH` section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=0 fail_interval=900 Add the following line immediately `before` the `pam_unix.so` statement in the `ACCOUNT` section: account required pam_faillock.so
Rationale	By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

Enforce pam_faillock for Local Accounts Only

Rule ID	xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
Result	notapplicable
Multi-check rule	no
Time	2021-02-11T19:31:22+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83401-0 References: CCI-000015, AC-2(1), SRG-OS-000001-GPOS-00001
Description	The pam_faillock module's `local_users_only` parameter controls requirements for enforcing failed lockout attempts only for local user accounts and ignoring centralized user account management failed attempt configurations. Enable the `local_users_only` setting in `/etc/security/faillock.conf` to require failed password attempts for only local user accounts.
Rationale	The operating system must provide automated mechanisms for supporting account management functions. Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error.
Warnings	warning Using this rule bypasses pam_faillock's functionality and should be used in cases where centralized management such as LDAP or Active Directory is in use.

Limit Password Reuse

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
Result	notapplicable
Multi-check rule	no
Time	2021-02-11T19:31:22+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-80666-1 References: 5.3.3, 5.6.2.1.1, 3.5.8, CCI-000200, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, SRG-OS-000077-VMM-000440, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 5
Description	Do not allow users to reuse recent passwords. This can be accomplished by using the `remember` option for the `pam_unix` or `pam_pwhistory` PAM modules. In the file `/etc/pam.d/system-auth`, append `remember=5` to the line which refers to the `pam_unix.so` or `pam_pwhistory.so`module, as shown below: for the `pam_unix.so` case: password sufficient pam_unix.so ...existing_options... remember=5 for the `pam_pwhistory.so` case: password requisite pam_pwhistory.so ...existing_options... remember=5 The DoD STIG requirement is 5 passwords.
Rationale	Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.

Set Password Maximum Consecutive Repeating Characters

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat
Result	notapplicable
Multi-check rule	no
Time	2021-02-11T19:31:22+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82066-2 References: CCI-000195, IA-5(c), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.18.1.4, A.7.1.1, A.9.2.1,