Guide to the Secure Configuration of Red Hat Enterprise Linux 8

with profile [DRAFT] DISA STIG for Red Hat Enterprise Linux 8
This profile contains configuration checks that align to the [DRAFT] DISA STIG for Red Hat Enterprise Linux 8. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:
  • Red Hat Enterprise Linux Server
  • Red Hat Enterprise Linux Workstation and Desktop
  • Red Hat Enterprise Linux for HPC
  • Red Hat Storage
  • Red Hat Containers with a Red Hat Enterprise Linux 8 image

This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 8. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the scap-security-guide package, which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target: podman-image://f14353e6c0b9c1fa4b754bbe168605a5d6d62e7d7d918bf6e6f402f87aeb3b61 [localhost/twistlock/private:console_21_04_412]
Benchmark URL: scap-security-guide-0.1.54/ssg-rhel8-ds.xml
Benchmark ID: xccdf_org.ssgproject.content_benchmark_RHEL-8
Benchmark version: 0.1.54
Profile ID: xccdf_org.ssgproject.content_profile_stig
Started at: 2021-04-23T21:30:54
Finished at: 2021-04-23T21:30:54
Performed by: pfox
Test system: cpe:/a:redhat:openscap:1.3.2

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8

Addresses

  • IPv4  127.0.0.1
  • IPv4  10.0.1.4
  • IPv4  10.88.0.1
  • IPv6  0:0:0:0:0:0:0:1
  • IPv6  fe80:0:0:0:20d:3aff:fe7e:3ad7
  • IPv6  fe80:0:0:0:8ca9:d5ff:fee2:7217
  • IPv6  fe80:0:0:0:b485:62ff:feb9:270
  • MAC  00:00:00:00:00:00
  • MAC  00:0D:3A:7E:3A:D7
  • MAC  8E:A9:D5:E2:72:17
  • MAC  B6:85:62:B9:02:70

Compliance and Scoring

The target system did not satisfy the conditions of 37 rules! Please review rule results and consider applying remediation.

Rule results

28 passed
37 failed
3 other

Severity of failed rules

3 other
2 low
31 medium
1 high

Score

Scoring system: urn:xccdf:scoring:default
Score: 45.428238
Maximum: 100.000000
Percent: 45.43%

Rule Overview

Title (Severity): Result

Guide to the Secure Configuration of Red Hat Enterprise Linux 8 37x fail 3x notchecked
System Settings 34x fail 3x notchecked
Installing and Maintaining Software 12x fail
System and Software Integrity 1x fail
Software Integrity Checking
Verify Integrity with AIDE
  • Install AIDE (medium): notapplicable
Federal Information Processing Standard (FIPS)
  • Enable FIPS Mode (high): notapplicable
  • Enable Dracut FIPS Module (medium): notapplicable
System Cryptographic Policies 1x fail
  • Install crypto-policies package (medium): pass
  • Configure session renegotiation for SSH client (medium): fail
  • Configure System Cryptography Policy (high): pass
  • Configure Libreswan to use System Crypto Policy (medium): pass
  • OpenSSL uses strong entropy source (medium): pass
  • Configure SSH to use System Crypto Policy (medium): pass
  • Configure Kerberos to use System Crypto Policy (medium): pass
  • Configure OpenSSL library to use System Crypto Policy (medium): pass
  • Configure BIND to use System Crypto Policy (medium): pass
Operating System Vendor Support and Certification
  • The Installed Operating System Is Vendor Supported (high): pass
Disk Partitioning
  • Ensure /home Located On Separate Partition (low): notapplicable
  • Encrypt Partitions (high): notapplicable
  • Ensure /var/log/audit Located On Separate Partition (low): notapplicable
  • Ensure /var Located On Separate Partition (low): notapplicable
  • Ensure /var/log Located On Separate Partition (medium): notapplicable
GNOME Desktop Environment
  • Make sure that the dconf databases are up-to-date with regards to respective keyfiles (high): notapplicable
Sudo 1x fail
  • Install sudo Package (medium): fail
Updating Software 4x fail
  • Install dnf-automatic Package (medium): fail
  • Ensure gpgcheck Enabled In Main yum Configuration (high): notapplicable
  • Ensure gpgcheck Enabled for Local Packages (high): notapplicable
  • Enable dnf-automatic Timer (medium): fail
  • Configure dnf-automatic to Install Available Updates Automatically (medium): fail
  • Ensure Red Hat GPG Key Installed (high): pass
  • Ensure yum Removes Previous Package Versions (low): notapplicable
  • Configure dnf-automatic to Install Only Security Updates (low): fail
  • Ensure gpgcheck Enabled for All yum Package Repositories (high): pass
System Tooling / Utilities 6x fail
  • Install dnf-plugin-subscription-manager Package (medium): fail
  • Ensure gnutls-utils is installed (medium): fail
  • Install libcap-ng-utils Package (medium): fail
  • Install openscap-scanner Package (medium): fail
  • Install scap-security-guide Package (medium): fail
  • Install subscription-manager Package (medium): fail
  • Uninstall abrt-addon-ccpp Package (low): pass
  • Uninstall abrt-addon-kerneloops Package (low): pass
  • Uninstall abrt-addon-python Package (low): pass
  • Uninstall abrt-cli Package (low): pass
  • Uninstall abrt-plugin-logger Package (low): pass
  • Uninstall abrt-plugin-rhtsupport Package (low): pass
  • Uninstall abrt-plugin-sosreport Package (low): pass
  • Uninstall gssproxy Package (low): pass
  • Uninstall iprutils Package (low): pass
  • Uninstall krb5-workstation Package (medium): pass
Account and Access Control 19x fail 3x notchecked
Warning Banners for System Accesses 1x fail
  • Enable GNOME3 Login Warning Banner (medium): notapplicable
  • Modify the System Login Banner (medium): fail
Protect Accounts by Configuring PAM 15x fail
Set Lockouts for Failed Password Attempts 5x fail
  • Set Lockout Time for Failed Password Attempts (medium): fail
  • Set Deny For Failed Password Attempts (medium): fail
  • Set Interval For Counting Failed Password Attempts (medium): fail
  • Enforce pam_faillock for Local Accounts Only (medium): fail
  • Limit Password Reuse (medium): fail
Set Password Quality Requirements 10x fail
Set Password Quality Requirements with pam_pwquality 10x fail
  • Set Password Maximum Consecutive Repeating Characters (medium): fail
  • Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class (medium): fail
  • Ensure PAM Enforces Password Requirements - Minimum Length (medium): fail
  • Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters (medium): fail
  • Ensure PAM Enforces Password Requirements - Minimum Different Characters (medium): fail
  • Ensure PAM Enforces Password Requirements - Minimum Digit Characters (medium): fail
  • Ensure PAM Enforces Password Requirements - Enforce for root User (medium): fail
  • Ensure PAM Enforces Password Requirements - Minimum Special Characters (medium): fail
  • Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters (medium): fail
  • Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only (medium): fail
Protect Physical Console Access 1x fail
Configure Screen Locking
  • Configure Smart Card Certificate Status Checking (medium): notapplicable
Configure Console Screen Locking
  • Install the tmux Package (medium): notapplicable
  • Configure tmux to lock session after inactivity (medium): notapplicable
  • Configure the tmux Lock Command (medium): notapplicable
  • Support session locking with tmux (medium): notapplicable
  • Prevent user from disabling the screen lock (medium): notapplicable
  • Disable debug-shell SystemD Service (medium): notapplicable
  • Require Authentication for Single User Mode (medium): notapplicable
  • Disable Ctrl-Alt-Del Reboot Activation (high): notapplicable
  • Disable Ctrl-Alt-Del Burst Action (high): fail
  • Verify that Interactive Boot is Disabled (medium): notapplicable
Protect Accounts by Restricting Password-Based Login 1x fail 3x notchecked
Restrict Root Logins 1x fail
  • Enforce usage of pam_wheel for su authentication (medium): fail
Verify Proper Storage and Existence of Password Hashes
  • Prevent Login to Accounts With Empty Password (high): pass
Set Password Expiration Parameters 2x notchecked
  • Set Existing Passwords Minimum Age (medium): notchecked
  • Set Existing Passwords Maximum Age (medium): notchecked
Secure Session Configuration Files for Login Accounts 1x fail
Ensure that Users Have Sensible Umask Values
  • Ensure the Default C Shell Umask is Set Correctly (unknown): pass
  • Ensure the Default Bash Umask is Set Correctly (unknown): pass
  • Ensure the Default Umask is Set Correctly in /etc/profile (unknown): pass
  • Limit the Number of Concurrent Login Sessions Allowed Per User (low): fail
System Accounting with auditd
System Accounting with auditd
  • Configure auditing of unsuccessful file modifications (medium): notapplicable
  • Configure auditing of unsuccessful file creations (medium): notapplicable
  • Configure auditing of unsuccessful permission changes (medium): notapplicable
  • Configure auditing of successful file accesses (medium): notapplicable
  • Configure auditing of unsuccessful file deletions (medium): notapplicable
  • Configure basic parameters of Audit system (medium): notapplicable
  • Configure auditing of unsuccessful file accesses (medium): notapplicable
  • Configure auditing of successful file deletions (medium): notapplicable
  • Configure auditing of unsuccessful ownership changes (medium): notapplicable
  • Configure auditing of loading and unloading of kernel modules (medium): notapplicable
  • Perform general configuration of Audit for OSPP (medium): notapplicable
  • Configure auditing of successful permission changes (medium): notapplicable
  • Configure auditing of successful file modifications (medium): notapplicable
  • Configure auditing of successful ownership changes (medium): notapplicable
  • Configure auditing of successful file creations (medium): notapplicable
Configure auditd Data Retention
  • Set hostname as computer node name in audit logs (medium): notapplicable
  • Write Audit Logs to the Disk (medium): notapplicable
  • Resolve information before writing to audit logs (medium): notapplicable
  • Configure auditd to use audispd's syslog plugin (medium): notapplicable
  • Configure auditd flush priority (medium): notapplicable
  • Set number of records to cause an explicit flush to audit logs (medium): notapplicable
  • Include Local Events in Audit Logs (medium): notapplicable
Configure auditd Rules for Comprehensive Auditing
  • Record Events that Modify User/Group Information - /etc/passwd (medium): notapplicable
  • Install audispd-plugins Package (medium): notapplicable
  • Ensure the audit Subsystem is Installed (medium): notapplicable
  • Enable auditd Service (medium): notapplicable
  • Enable Auditing for Processes Which Start Prior to the Audit Daemon (medium): notapplicable
  • Extend Audit Backlog Limit for the Audit Daemon (medium): notapplicable
File Permissions and Masks 3x fail
Restrict Dynamic Mounting and Unmounting of Filesystems
  • Disable Mounting of cramfs (low): notapplicable
Restrict Partition Mount Options
  • Add nosuid Option to /var/log/audit (medium): notapplicable
  • Add nosuid Option to /var/tmp (unknown): notapplicable
  • Add nosuid Option to /tmp (unknown): notapplicable
  • Add noexec Option to /tmp (unknown): notapplicable
  • Add nosuid Option to /boot (medium): notapplicable
  • Add nodev Option to /var/tmp (unknown): notapplicable
  • Add nosuid Option to /var/log (medium): notapplicable
  • Add nodev Option to /boot (medium): notapplicable
  • Add nodev Option to /dev/shm (low): notapplicable
  • Add nodev Option to /tmp (unknown): notapplicable
  • Add noexec Option to /dev/shm (low): notapplicable
  • Add nodev Option to /var/log (medium): notapplicable
  • Add noexec Option to /var/log (medium): notapplicable
  • Add noexec Option to /var/tmp (unknown): notapplicable
  • Add nosuid Option to /home (medium): notapplicable
  • Add nodev Option to /var (medium): notapplicable
  • Add noexec Option to /var/log/audit (medium): notapplicable
  • Add nodev Option to Non-Root Local Partitions (unknown): notapplicable
  • Add nodev Option to /var/log/audit (medium): notapplicable
  • Add nosuid Option to /dev/shm (low): notapplicable
  • Add nodev Option to /home (unknown): notapplicable
Restrict Programs from Dangerous Execution Patterns 3x fail
Memory Poisoning
  • Enable page allocator poisoning (medium): notapplicable
  • Enable SLUB/SLAB allocator poisoning (medium): notapplicable
Enable ExecShield
  • Restrict Exposed Kernel Pointer Addresses Access (medium): notapplicable
Disable Core Dumps 3x fail
  • Disable acquiring, saving, and processing core dumps (unknown): notapplicable
  • Disable Core Dumps for All Users (unknown): fail
  • Disable core dump backtraces (unknown): fail
  • Disable storing core dump (unknown): fail
  • Restrict Access to Kernel Message Buffer (medium): notapplicable
  • Disable Kernel Image Loading (medium): notapplicable
  • Disable the use of user namespaces (info): notapplicable
  • Disable storing core dumps (unknown): notapplicable
  • Disable Access to Network bpf() Syscall From Unprivileged Processes (medium): notapplicable
  • Restrict usage of ptrace to descendant processes (medium): notapplicable
  • Disallow kernel profiling by unprivileged users (medium): notapplicable
  • Harden the operation of the BPF just-in-time compiler (medium): notapplicable
Verify Permissions on Important Files and Directories
GRUB2 bootloader configuration
UEFI GRUB2 bootloader configuration
  • Set the UEFI Boot Loader Password (high): notapplicable
  • Enable Kernel Page-Table Isolation (KPTI) (high): notapplicable
  • Disable vsyscalls (info): notapplicable
  • Configure kernel to trust the CPU random number generator (medium): notapplicable
Configure Syslog
Rsyslog Logs Sent To Remote Host
  • Configure TLS for rsyslog remote logging (medium): notapplicable
  • Configure CA certificate for rsyslog remote logging (medium): notapplicable
  • Ensure rsyslog-gnutls is installed (medium): notapplicable
  • Ensure rsyslog is Installed (medium): notapplicable
Network Configuration and Firewalls
Wireless Networking
Disable Wireless Through Software Configuration
  • Disable Bluetooth Kernel Module (medium): notapplicable
Uncommon Network Protocols
  • Disable CAN Support (medium): notapplicable
  • Disable IEEE 1394 (FireWire) Support (medium): notapplicable
  • Disable TIPC Support (medium): notapplicable
  • Disable ATM Support (medium): notapplicable
  • Disable SCTP Support (medium): notapplicable
firewalld
Inspect and Activate Default firewalld Rules
  • Install firewalld Package (medium): notapplicable
  • Verify firewalld Enabled (medium): notapplicable
IPv6
Configure IPv6 Settings if Necessary
  • Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces (medium): notapplicable
  • Disable Accepting ICMP Redirects for All IPv6 Interfaces (medium): notapplicable
  • Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces (medium): notapplicable
  • Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default (medium): notapplicable
  • Configure Accepting Router Advertisements on All IPv6 Interfaces (unknown): notapplicable
  • Disable Accepting Router Advertisements on all IPv6 Interfaces by Default (unknown): notapplicable
Kernel Parameters Which Affect Networking
Network Related Kernel Runtime Parameters for Hosts and Routers
  • Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default (medium): notapplicable
  • Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces (medium): notapplicable
  • Configure Kernel Parameter for Accepting Secure Redirects By Default (medium): notapplicable
  • Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces (medium): notapplicable
  • Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces (medium): notapplicable
  • Disable Accepting ICMP Redirects for All IPv4 Interfaces (medium): notapplicable
  • Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default (medium): notapplicable
  • Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces (unknown): notapplicable
  • Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces (medium): notapplicable
  • Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces (medium): notapplicable
  • Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces (medium): notapplicable
  • Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces (unknown): notapplicable
  • Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default (unknown): notapplicable
Network Parameters for Hosts Only
  • Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces (medium): notapplicable
  • Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default (medium): notapplicable
  • Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces (medium): notapplicable
SELinux
  • Install policycoreutils-python-utils package (medium): notapplicable
  • Install policycoreutils Package (high): notapplicable
  • Ensure SELinux State is Enforcing (medium): notapplicable
  • Configure SELinux Policy (medium): notapplicable
Services 3x fail
System Security Services Daemon
  • Enable Smartcards in SSSD (medium): notapplicable
  • Configure SSSD to Expire Offline Credentials (medium): notapplicable
Mail Server Software
  • Uninstall Sendmail Package (medium): notapplicable
SSH Server
Configure OpenSSH Server if Necessary
  • Set SSH Client Alive Count Max (medium): notapplicable
  • Enable SSH Warning Banner (medium): notapplicable
  • Disable GSSAPI Authentication (medium): notapplicable
  • Disable Host-Based Authentication (medium): notapplicable
  • Force frequent session key renegotiation (medium): notapplicable
  • Disable SSH Access via Empty Passwords (high): notapplicable
  • SSH server uses strong entropy to seed (medium): notapplicable
  • Disable Kerberos Authentication (medium): notapplicable
  • Enable Use of Strict Mode Checking (medium): notapplicable
  • Set SSH Idle Timeout Interval (medium): notapplicable
Configure OpenSSH Client if Necessary
  • SSH client uses strong entropy to seed (for CSH like shells) (medium): notapplicable
  • SSH client uses strong entropy to seed (Bash-like shells) (medium): notapplicable
  • Install OpenSSH client software (medium): notapplicable
  • Install the OpenSSH Server Package (medium): notapplicable
Network Time Protocol
  • The Chrony package is installed (medium): notapplicable
  • Disable network management of chrony daemon (unknown): notapplicable
  • Disable chrony daemon from acting as server (unknown): notapplicable
Application Whitelisting Daemon
  • Install fapolicyd Package (medium): notapplicable
  • Enable the File Access Policy Service (medium): notapplicable
Base Services
  • Uninstall Automatic Bug Reporting Tool (abrt) (medium): pass
  • Disable KDump Kernel Crash Analyzer (kdump) (medium): notapplicable
NFS and RPC
  • Uninstall nfs-utils Package (low): pass
Kerberos
  • Disable Kerberos by removing host keytab (medium): notapplicable
USBGuard daemon 3x fail
  • Install usbguard Package (medium): fail
  • Enable the USBGuard Service (medium): notapplicable
  • Authorize Human Interface Devices and USB hubs in USBGuard daemon (medium): fail
  • Log USBGuard daemon audit events using Linux Audit (medium): fail

Result Details

Install AIDE

Rule ID: xccdf_org.ssgproject.content_rule_package_aide_installed
Result: notapplicable
Multi-check rule: no
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80844-4

References:  1.4.1, 5.10.1.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, BP28(R51), SRG-OS-000363-GPOS-00150, 1034, 1288, 1341, 1417

Description

The aide package can be installed with the following command:

$ sudo yum install aide

Rationale

The AIDE package must be installed if it is to be available for integrity checking.

Enable FIPS Mode

Rule ID: xccdf_org.ssgproject.content_rule_enable_fips_mode
Result: notapplicable
Multi-check rule: no
Time: 2021-04-23T21:30:54
Severity: high
Identifiers and References

Identifiers:  CCE-80942-6

References:  CCI-000068, CCI-000803, CCI-002450, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, 1446

Description

To enable FIPS mode, run the following command:

fips-mode-setup --enable

The fips-mode-setup command will configure the system in FIPS mode by automatically configuring the following:
  • Setting the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) to 1
  • Creating /etc/system-fips
  • Setting the system crypto policy in /etc/crypto-policies/config to FIPS
  • Loading the Dracut fips module
Furthermore, the system running in FIPS mode should be FIPS certified by NIST.

Rationale

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf. To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
Enable Dracut FIPS Module

Rule ID: xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
Result: notapplicable
Multi-check rule: no
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-82155-3

References:  CCI-000068, CCI-000803, CCI-002450, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, SRG-OS-000478-GPOS-00223, 1446

Description

To enable FIPS mode, run the following command:

fips-mode-setup --enable
To enable FIPS, the system requires that the fips module be added to the dracut configuration. Check that /etc/dracut.conf.d/40-fips.conf contains add_dracutmodules+=" fips "

Rationale

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf. To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
Install crypto-policies package

Rule ID: xccdf_org.ssgproject.content_rule_package_crypto-policies_installed
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-package_crypto-policies_installed:def:1
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-82723-8

References:  FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174

Description

The crypto-policies package can be installed with the following command:

$ sudo yum install crypto-policies

Rationale

Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.

OVAL test results details

Test: package crypto-policies is installed (oval:ssg-test_package_crypto-policies_installed:tst:1): true

Following items have been found on the system:
  • Name: crypto-policies
  • Arch: noarch
  • Epoch: (none)
  • Release: 1.gitbfb6bed.el8_3
  • Version: 20210209
  • Evr: 0:20210209-1.gitbfb6bed.el8_3
  • Signature keyid: 199e2f91fd431d51
  • Extended name: crypto-policies-0:20210209-1.gitbfb6bed.el8_3.noarch
Configure session renegotiation for SSH client

Rule ID: xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit
Result: fail
Multi-check rule: no
OVAL Definition ID: oval:ssg-ssh_client_rekey_limit:def:1
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-82880-6

References:  FCS_SSHS_EXT.1, SRG-OS-000423-GPOS-00187

Description

The RekeyLimit parameter specifies how often the session key is renegotiated, both in terms of the amount of data that may be transmitted and the time elapsed. To decrease the default limits, add the line RekeyLimit 1G 1h to the file /etc/ssh/ssh_config.d/02-rekey-limit.conf. Make sure that there is no other RekeyLimit configuration preceding the Include directive in the main config file /etc/ssh/ssh_config. Check also the other files in the /etc/ssh/ssh_config.d directory: files are processed in lexicographical order of file names, so make sure that no file processed before 02-rekey-limit.conf contains a RekeyLimit definition.

Rationale

By decreasing the limit based on the amount of data and enabling a time-based limit, the effects of potential attacks against encryption keys are limited.

Remediation Shell script

var_ssh_client_rekey_limit_size="1G"
var_ssh_client_rekey_limit_time="1h"

main_config="/etc/ssh/ssh_config"
include_directory="/etc/ssh/ssh_config.d"

# [[:space:]] replaces the original [\s]: inside a POSIX bracket expression
# [\s] matches a literal backslash or the letter "s", not whitespace, so the
# original grep/sed would have missed an indented RekeyLimit line.

# Remove any RekeyLimit line from the main client config so that nothing
# preceding the Include directive overrides the drop-in file.
if grep -q '^[[:space:]]*RekeyLimit' "$main_config"; then
  sed -i '/^[[:space:]]*RekeyLimit/d' "$main_config"
fi

# Remove RekeyLimit from every drop-in file in the include directory.
for file in "$include_directory"/*.conf; do
  [ -e "$file" ] || continue   # no *.conf files: the glob stays unexpanded
  if grep -q '^[[:space:]]*RekeyLimit' "$file"; then
    sed -i '/^[[:space:]]*RekeyLimit/d' "$file"
  fi
done

if [ -e "/etc/ssh/ssh_config.d/02-rekey-limit.conf" ] ; then
    LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/d" "/etc/ssh/ssh_config.d/02-rekey-limit.conf"
else
    touch "/etc/ssh/ssh_config.d/02-rekey-limit.conf"
fi
cp "/etc/ssh/ssh_config.d/02-rekey-limit.conf" "/etc/ssh/ssh_config.d/02-rekey-limit.conf.bak"
# Insert at the end of the file
printf '%s\n' "RekeyLimit $var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time" >> "/etc/ssh/ssh_config.d/02-rekey-limit.conf"
# Clean up after ourselves.
rm "/etc/ssh/ssh_config.d/02-rekey-limit.conf.bak"

Remediation Ansible snippet

Complexity: low
Disruption: low
Strategy: configure
- name: XCCDF Value var_ssh_client_rekey_limit_size # promote to variable
  set_fact:
    var_ssh_client_rekey_limit_size: !!str 1G
  tags:
    - always
- name: XCCDF Value var_ssh_client_rekey_limit_time # promote to variable
  set_fact:
    var_ssh_client_rekey_limit_time: !!str 1h
  tags:
    - always

- name: Ensure RekeyLimit is not configured in /etc/ssh/ssh_config
  lineinfile:
    path: /etc/ssh/ssh_config
    create: false
    regexp: ^\s*RekeyLimit.*$
    state: absent
  tags:
    - CCE-82880-6
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - ssh_client_rekey_limit

- name: Collect all include config files for ssh client which configure RekeyLimit
  find:
    paths: /etc/ssh/ssh_config.d/
    contains: ^[\s]*RekeyLimit.*$
    patterns: '*.conf'  # drop-in files end in .conf; the original '*.config' matched nothing
  register: ssh_config_include_files
  tags:
    - CCE-82880-6
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - ssh_client_rekey_limit

- name: Remove all occurrences of RekeyLimit configuration from include config files
    of ssh client
  lineinfile:
    path: '{{ item.path }}'  # find returns file dicts, so item alone is not a path
    regexp: ^[\s]*RekeyLimit.*$
    state: absent
  loop: '{{ ssh_config_include_files.files }}'
  tags:
    - CCE-82880-6
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - ssh_client_rekey_limit

- name: Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{
    var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf
  lineinfile:
    path: /etc/ssh/ssh_config.d/02-rekey-limit.conf
    create: true
    regexp: ^\s*RekeyLimit.*$
    line: RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time
      }}
    state: present
  tags:
    - CCE-82880-6
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - ssh_client_rekey_limit

OVAL test results details

Test: tests the value of RekeyLimit setting in /etc/ssh/ssh_config file (oval:ssg-test_ssh_client_rekey_limit_main_config:tst:1): false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ssh_client_rekey_limit_main_config:obj:1 of type textfilecontent54_object
  • Filepath: /etc/ssh/ssh_config
  • Pattern: ^[\s]*RekeyLimit.*$
  • Instance: 1

Test: tests the value of RekeyLimit setting in /etc/ssh/ssh_config.d/*.conf (oval:ssg-test_ssh_client_rekey_limit_include_configs:tst:1): false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ssh_client_rekey_limit_include_configs:obj:1 of type textfilecontent54_object
  • Filepath: ^/etc/ssh/ssh_config\.d/.*\.conf$
  • Pattern: ^[\s]*RekeyLimit[\s]+1G[\s]+1h[\s]*$ (with the variable values 1G and 1h substituted)
  • Instance: 1
Configure System Cryptography Policy  xccdf_org.ssgproject.content_rule_configure_crypto_policy  high  CCE-80935-0

Configure System Cryptography Policy

Rule ID: xccdf_org.ssgproject.content_rule_configure_crypto_policy
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-configure_crypto_policy:def:1
Time: 2021-04-23T21:30:54
Severity: high
Identifiers and References

Identifiers:  CCE-80935-0

References:  AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, 1446

Description

To configure the system cryptography policy to use ciphers only from the FIPS:OSPP policy, run the following command:

$ sudo update-crypto-policies --set FIPS:OSPP
The rule checks that the selected crypto policy is configured as expected. The configuration files under /etc/crypto-policies/back-ends are either symlinks to the files shipped by the crypto-policies package for the selected policy, or regular files when crypto policy customizations have been applied. A crypto policy may be customized with policy modules, in which case each module name is appended to the base policy name, delimited by a colon (as in FIPS:OSPP).

Rationale

Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.
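The following Python audit is an added example, not code from scap-security-guide or the crypto-policies package. It reproduces the logic of the description above against a constructed crypto-policies tree: it parses the BASE[:MODULE...] policy string, compares /etc/crypto-policies/config with state/current (a simpler stand-in for the timestamp-based "update-crypto-policies has been run" test in the results below), and classifies every back-end as a symlink to the vendor copy under /usr/share/crypto-policies/<POLICY>/ or as a regular file generated for a customized policy. Directory paths are parameters so the audit can run against a temporary tree; the back-end list, the assumption that the vendor copy of `<name>.config` is named `<name>.txt`, and all sample contents are mine.

```python
import os
import re
import tempfile
from pathlib import Path

# Back-end files under /etc/crypto-policies/back-ends that this report mentions
# (plus the OpenSSH client back-end); assumption, not an exhaustive list.
BACKENDS = ("nss.config", "opensslcnf.config", "krb5.config",
            "libreswan.config", "bind.config", "openssh.config")

# BASE, optionally followed by ':MODULE' entries, e.g. FIPS:OSPP or DEFAULT:AD-SUPPORT.
POLICY_RE = re.compile(r"[A-Z][A-Z0-9_-]*(?::[A-Z][A-Z0-9_-]*)*")


def is_valid_policy(text: str) -> bool:
    return POLICY_RE.fullmatch(text.strip()) is not None


def parse_policy(text: str):
    """Split 'FIPS:OSPP' into ('FIPS', ['OSPP']); reject malformed strings."""
    if not is_valid_policy(text):
        raise ValueError(f"malformed crypto policy string: {text!r}")
    base, *modules = text.strip().split(":")
    return base, modules


def vendor_copy(share: Path, base: str, name: str) -> Path:
    # Assumed RHEL 8 naming: /usr/share/crypto-policies/FIPS/nss.txt for nss.config.
    return share / base / name.replace(".config", ".txt")


def audit_crypto_policy(etc_dir, share_dir, expected: str) -> dict:
    """Audit a tree laid out like /etc/crypto-policies (etc_dir) against the
    vendor copies under share_dir. Returns the policy, its modules, the
    classification of each back-end and a list of problems."""
    etc, share = Path(etc_dir), Path(share_dir)
    configured = (etc / "config").read_text().strip()
    current = (etc / "state" / "current").read_text().strip()
    base, modules = parse_policy(configured)
    backends = {}
    for name in BACKENDS:
        p = etc / "back-ends" / name
        if p.is_symlink():
            target = Path(os.readlink(p))
            backends[name] = "symlink" if target == vendor_copy(share, base, name) else "bad-symlink"
        elif p.is_file():
            backends[name] = "regular"        # generated locally: customized policy
        else:
            backends[name] = "missing"
    problems = []
    if configured != expected:
        problems.append(f"config says {configured}, expected {expected}")
    if current != configured:
        problems.append("state/current differs from config: run update-crypto-policies")
    problems += [f"{n}: {s}" for n, s in backends.items() if s in ("bad-symlink", "missing")]
    return {"policy": configured, "base": base, "modules": modules,
            "customized": "regular" in backends.values(),
            "backends": backends, "problems": problems}


def build_sample_tree(root, policy: str, current: str, customized: bool):
    """Create a constructed sample tree (not a real host) under root."""
    root = Path(root)
    etc = root / "etc" / "crypto-policies"
    share = root / "usr" / "share" / "crypto-policies"
    (etc / "back-ends").mkdir(parents=True)
    (etc / "state").mkdir()
    (etc / "config").write_text(policy + "\n")
    (etc / "state" / "current").write_text(current + "\n")
    base = policy.split(":")[0]
    (share / base).mkdir(parents=True)
    for name in BACKENDS:
        vendor = vendor_copy(share, base, name)
        vendor.write_text(f"# vendor {base} settings for {name}\n")
        if customized:
            (etc / "back-ends" / name).write_text(f"# generated for {policy}\n")
        else:
            os.symlink(vendor, etc / "back-ends" / name)
    return etc, share


def demo() -> dict:
    """Audit three constructed trees for the expected policy FIPS:OSPP."""
    cases = {
        "fips_symlinked": ("FIPS", "FIPS", False),
        "fips_ospp_generated": ("FIPS:OSPP", "FIPS:OSPP", True),
        "edited_but_not_applied": ("FIPS:OSPP", "DEFAULT", False),
    }
    results = {}
    for label, (policy, current, customized) in cases.items():
        with tempfile.TemporaryDirectory() as tmp:
            etc, share = build_sample_tree(tmp, policy, current, customized)
            results[label] = audit_crypto_policy(etc, share, "FIPS:OSPP")
    return results


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report["problems"] or "ok", report["backends"])
```

The third case is the one worth remembering: editing /etc/crypto-policies/config by hand changes nothing until update-crypto-policies regenerates the back-ends, and the report's own results distinguish the two files for exactly that reason.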

Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
OVAL test results details

check for crypto policy correctly configured in /etc/crypto-policies/config  oval:ssg-test_configure_crypto_policy:tst:1  true

Following items have been found on the system:
Path: /etc/crypto-policies/config
Content: FIPS:OSPP

check for crypto policy correctly configured in /etc/crypto-policies/state/current  oval:ssg-test_configure_crypto_policy_current:tst:1  true

Following items have been found on the system:
Path: /etc/crypto-policies/state/current
Content: FIPS:OSPP

Check if update-crypto-policies has been run  oval:ssg-test_crypto_policies_updated:tst:1  true

Following items have been found on the system:
Var ref: oval:ssg-variable_crypto_policies_config_file_timestamp:var:1
Value: 1619002873

Check if /etc/crypto-policies/back-ends/nss.config exists  oval:ssg-test_crypto_policy_nss_config:tst:1  true

Following items have been found on the system:
Path: /etc/crypto-policies/back-ends/nss.config
Type: regular
UID: 0
GID: 0
Size (B): 328
Permissions: rw-r--r--
Configure Libreswan to use System Crypto Policy  xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy  medium  CCE-80937-6

Configure Libreswan to use System Crypto Policy

Rule ID: xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-configure_libreswan_crypto_policy:def:1
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80937-6

References:  CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000033-GPOS-00014, FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6

Description

Crypto Policies provide centralized control over the cryptographic algorithms used by many packages. Libreswan supports the system crypto policy, but its configuration may be set up to ignore it. To check that the Crypto Policies settings are applied, ensure that /etc/ipsec.conf includes the policy's back-end file: make sure the following line is present, not commented out, and not superseded by later includes: include /etc/crypto-policies/back-ends/libreswan.config

Rationale

Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented.

OVAL test results details

package libreswan is installed  oval:ssg-test_package_libreswan_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_libreswan_installed:obj:1 of type rpminfo_object
Name
libreswan

Check that the libreswan configuration includes the crypto policy config file  oval:ssg-test_configure_libreswan_crypto_policy:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_configure_libreswan_crypto_policy:obj:1 of type textfilecontent54_object
Filepath: /etc/ipsec.conf
Pattern: ^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$
Instance: 1
OpenSSL uses strong entropy source  xccdf_org.ssgproject.content_rule_openssl_use_strong_entropy  medium  CCE-82721-2

OpenSSL uses strong entropy source

Rule ID: xccdf_org.ssgproject.content_rule_openssl_use_strong_entropy
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-openssl_use_strong_entropy:def:1
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-82721-2

References:  FCS_RBG_EXT.1.2, SRG-OS-000480-GPOS-00227, 1277, 1552

Description

By default, OpenSSL doesn't always use an SP800-90A compliant random number generator. One way to make OpenSSL always use a strong source is to set up a wrapper: a shell function that shadows the actual openssl binary and adds the -rand /dev/random option to every openssl invocation that supports it. To do so, place the following shell snippet exactly as-is in /etc/profile.d/openssl-rand.sh. The check compares the SHA-256 hash of that file against the expected value, so any local modification of the snippet will fail the rule:

# provide a default -rand /dev/random option to openssl commands that
# support it

# written inefficiently for maximum shell compatibility
openssl()
(
  openssl_bin=/usr/bin/openssl

  case "$*" in
    # if user specified -rand, honor it
    *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
  esac

  cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
  for i in `$openssl_bin list -commands`; do
    if $openssl_bin list -options "$i" | grep -q '^rand '; then
      cmds=" $i $cmds"
    fi
  done

  case "$cmds" in
    *\ "$1"\ *)
      cmd="$1"; shift
      exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
  esac

  exec $openssl_bin "$@"
)

Rationale

This rule ensures that openssl invocations use an SP800-90A compliant random number generator by default.

Warnings
warning  This setting can cause problems on computers without a hardware random number generator, because insufficient entropy blocks the program until enough entropy is available.
OVAL test results details

Test if openssl is configured to generate random data with strong entropy  oval:ssg-test_openssl_strong_entropy:tst:1  true

Following items have been found on the system:
Filepath: /etc/profile.d/openssl-rand.sh
Path: /etc/profile.d
Filename: openssl-rand.sh
Hash type: SHA-256
Hash: 6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af
Configure SSH to use System Crypto Policy  xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy  medium  CCE-80939-2

Configure SSH to use System Crypto Policy

Rule ID: xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-configure_ssh_crypto_policy:def:1
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80939-2

References:  AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, 5.2.20, SRG-OS-000250-GPOS-00093

Description

Crypto Policies provide centralized control over the cryptographic algorithms used by many packages. SSH supports the system crypto policy, but the SSH configuration may be set up to ignore it. To check that the Crypto Policies settings are applied, ensure that the CRYPTO_POLICY variable is either commented out or not set at all in /etc/sysconfig/sshd; an uncommented CRYPTO_POLICY= line overrides the system-wide policy for sshd.

Rationale

Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented.

OVAL test results details

Check that the SSH configuration mandates usage of system-wide crypto policies.  oval:ssg-test_configure_ssh_crypto_policy:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_configure_ssh_crypto_policy:obj:1 of type textfilecontent54_object
Filepath: /etc/sysconfig/sshd
Pattern: ^\s*CRYPTO_POLICY\s*=.*$
Instance: 1
Configure Kerberos to use System Crypto Policy  xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy  medium  CCE-80936-8

Configure Kerberos to use System Crypto Policy

Rule ID: xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-configure_kerberos_crypto_policy:def:1
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80936-8

References:  SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, 0418, 1055, 1402

Description

Crypto Policies provide centralized control over the cryptographic algorithms used by many packages. Kerberos supports the system crypto policy, but its configuration may be set up to ignore it. To check that the Crypto Policies settings for Kerberos are applied, verify that a symlink exists at /etc/krb5.conf.d/crypto-policies pointing to /etc/crypto-policies/back-ends/krb5.config. If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings.

Rationale

Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented.

OVAL test results details

Check if kerberos configuration symlink and crypto policy kerberos backend symlink point to same file  oval:ssg-test_configure_kerberos_crypto_policy_symlink:tst:1  error

Following items have been found on the system:
Var ref: oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1
Value: /etc/crypto-policies/back-ends/krb5.config

Check if kerberos configuration symlink links to the crypto-policy backend file  oval:ssg-test_configure_kerberos_crypto_policy_nosymlink:tst:1  true

Following items have been found on the system:
Var ref: oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1
Value: /etc/crypto-policies/back-ends/krb5.config
Configure OpenSSL library to use System Crypto Policy  xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy  medium  CCE-80938-4

Configure OpenSSL library to use System Crypto Policy

Rule ID: xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-configure_openssl_crypto_policy:def:1
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80938-4

References:  AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000250-GPOS-00093

Description

Crypto Policies provide centralized control over the cryptographic algorithms used by many packages. OpenSSL supports the system crypto policy, but the OpenSSL configuration may be set up to ignore it. To check that the Crypto Policies settings are applied, examine the OpenSSL configuration file at /etc/pki/tls/openssl.cnf. This file is in INI format, and crypto policy support is enabled when it contains a [ crypto_policy ] section holding the directive .include /etc/crypto-policies/back-ends/opensslcnf.config.

Rationale

Overriding the system crypto policy makes the behavior of the OpenSSL library violate expectations, and makes system configuration more fragmented.

OVAL test results details

Check that the configuration mandates usage of system-wide crypto policies.  oval:ssg-test_configure_openssl_crypto_policy:tst:1  true

Following items have been found on the system:
Path: /etc/pki/tls/openssl.cnf
Content: [ crypto_policy ] .include /etc/crypto-policies/back-ends/opensslcnf.config
Configure BIND to use System Crypto Policy  xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy  medium  CCE-80934-3

Configure BIND to use System Crypto Policy

Rule ID: xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-configure_bind_crypto_policy:def:1
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80934-3

References:  SC-13, SC-12(2), SC-12(3), SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190

Description

Crypto Policies provide centralized control over the cryptographic algorithms used by many packages. BIND supports the system crypto policy, but the BIND configuration may be set up to ignore it. To check that the Crypto Policies settings are applied, ensure that /etc/named.conf includes the policy's back-end file: in the options section of /etc/named.conf, make sure the following line is present, not commented out, and not superseded by later includes: include "/etc/crypto-policies/back-ends/bind.config";

Rationale

Overriding the system crypto policy makes the behavior of the BIND service violate expectations, and makes system configuration more fragmented.
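The following Python check is an added example, not SSG content, and it covers the five "use System Crypto Policy" rules above (Libreswan, SSH, Kerberos, OpenSSL, BIND) in one place. The Libreswan, sshd and BIND patterns are copied verbatim from the OVAL objects printed in this report; the openssl.cnf check is my own section-aware reading of the requirement (the report shows the matched content but not its pattern); the Kerberos check compares the symlink target. Absent files model "package not installed", which the report treats as a pass (see the libreswan and bind results). All sample file contents are constructed, modelled on stock RHEL 8 layouts.

```python
import re

# Patterns copied from the OVAL objects printed in this report.
LIBRESWAN_INCLUDE = re.compile(
    r"^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$", re.M)
SSHD_OVERRIDE = re.compile(r"^\s*CRYPTO_POLICY\s*=.*$", re.M)
BIND_INCLUDE = re.compile(
    r'^\s*include\s+"/etc/crypto-policies/back-ends/bind.config"\s*;\s*$', re.M)

# openssl.cnf: my own section-aware check, not the report's pattern.
INI_SECTION = re.compile(r"^\s*\[(.*?)\]\s*$", re.M)
OPENSSL_INCLUDE = re.compile(
    r"^\s*\.include\s+/etc/crypto-policies/back-ends/opensslcnf.config\s*$", re.M)

KRB5_LINK = "/etc/krb5.conf.d/crypto-policies"
KRB5_TARGET = "/etc/crypto-policies/back-ends/krb5.config"


def openssl_cnf_uses_policy(text: str) -> bool:
    """True only when the .include line sits inside the [ crypto_policy ] section."""
    headers = list(INI_SECTION.finditer(text))
    for i, h in enumerate(headers):
        if h.group(1).strip() != "crypto_policy":
            continue
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        if OPENSSL_INCLUDE.search(text, h.end(), end):
            return True
    return False


def check_policy_wiring(files: dict, links: dict) -> dict:
    """files: path -> content, or None when the file is absent because its package
    is not installed. links: symlink path -> target, or None when no symlink.
    Returns rule -> (passed, reason)."""
    result = {}

    ipsec = files.get("/etc/ipsec.conf")
    if ipsec is None:
        result["libreswan"] = (True, "libreswan not installed: not applicable")
    else:
        ok = LIBRESWAN_INCLUDE.search(ipsec) is not None
        result["libreswan"] = (ok, "include present" if ok else "include missing or commented out")

    sshd = files.get("/etc/sysconfig/sshd") or ""     # no file means no override
    m = SSHD_OVERRIDE.search(sshd)
    result["ssh"] = (m is None, "CRYPTO_POLICY not set" if m is None
                     else "override present: " + m.group(0).strip())

    target = links.get(KRB5_LINK)
    ok = target == KRB5_TARGET
    result["kerberos"] = (ok, "symlink to krb5.config" if ok else f"{KRB5_LINK} -> {target}")

    cnf = files.get("/etc/pki/tls/openssl.cnf") or ""
    ok = openssl_cnf_uses_policy(cnf)
    result["openssl"] = (ok, "[ crypto_policy ] includes opensslcnf.config" if ok
                         else ".include missing from [ crypto_policy ]")

    named = files.get("/etc/named.conf")
    if named is None:
        result["bind"] = (True, "bind not installed: not applicable")
    else:
        ok = BIND_INCLUDE.search(named) is not None
        result["bind"] = (ok, "include present" if ok else "include missing or commented out")
    return result


# Constructed samples (not captured from a host).
COMPLIANT_FILES = {
    "/etc/ipsec.conf": ("config setup\n\tlogfile=/var/log/pluto.log\n"
                        "include /etc/crypto-policies/back-ends/libreswan.config  # system policy\n"
                        "include /etc/ipsec.d/*.conf\n"),
    "/etc/sysconfig/sshd": "# Uncomment to override the system crypto policy\n# CRYPTO_POLICY=\n",
    "/etc/pki/tls/openssl.cnf": ("openssl_conf = default_modules\n\n[ default_modules ]\n"
                                 "ssl_conf = ssl_module\n\n[ ssl_module ]\n"
                                 "system_default = crypto_policy\n\n[ crypto_policy ]\n"
                                 ".include /etc/crypto-policies/back-ends/opensslcnf.config\n"),
    "/etc/named.conf": None,   # bind not installed, as in the report above
}
COMPLIANT_LINKS = {KRB5_LINK: KRB5_TARGET}

NONCOMPLIANT_FILES = {
    "/etc/ipsec.conf": "config setup\n#include /etc/crypto-policies/back-ends/libreswan.config\n",
    "/etc/sysconfig/sshd": "CRYPTO_POLICY='-oCiphers=aes128-ctr -oMACs=hmac-sha1'\n",
    "/etc/pki/tls/openssl.cnf": ("[ ssl_module ]\nsystem_default = crypto_policy\n"
                                 ".include /etc/crypto-policies/back-ends/opensslcnf.config\n"),
    "/etc/named.conf": ('options {\n\tdirectory "/var/named";\n'
                        '\t// include "/etc/crypto-policies/back-ends/bind.config";\n};\n'),
}
NONCOMPLIANT_LINKS = {KRB5_LINK: None}   # symlink removed

if __name__ == "__main__":
    for label, (f, l) in {"compliant": (COMPLIANT_FILES, COMPLIANT_LINKS),
                          "noncompliant": (NONCOMPLIANT_FILES, NONCOMPLIANT_LINKS)}.items():
        for rule, (ok, why) in check_policy_wiring(f, l).items():
            print(f"{label:12} {rule:10} {'pass' if ok else 'FAIL'}  {why}")
```

The non-compliant samples are the failure modes that matter in practice: a `#`-commented include, a `//`-commented include inside the BIND options block, an `.include` that is present but under the wrong INI section, and an uncommented CRYPTO_POLICY= line that silently replaces the policy for sshd only.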

OVAL test results details

package bind is removed  oval:ssg-test_package_bind_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_bind_removed:obj:1 of type rpminfo_object
Name
bind

Check that the configuration includes the policy config file.  oval:ssg-test_configure_bind_crypto_policy:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_configure_bind_crypto_policy:obj:1 of type textfilecontent54_object
Filepath: /etc/named.conf
Pattern: ^\s*include\s+"/etc/crypto-policies/back-ends/bind.config"\s*;\s*$
Instance: 1
The Installed Operating System Is Vendor Supported  xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported  high  CCE-80947-5

The Installed Operating System Is Vendor Supported

Rule ID: xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-installed_OS_is_vendor_supported:def:1
Time: 2021-04-23T21:30:54
Severity: high
Identifiers and References

Identifiers:  CCE-80947-5

References:  CCI-000366, CM-6(a), MA-6, SA-13(a), ID.RA-1, PR.IP-12, SRG-OS-000480-GPOS-00227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, 18, 20, 4, RHEL-08-010000, SV-230221r599732_rule

Description

The installed operating system must be maintained by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches.

Rationale

An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software.

Warnings
warning  There is no remediation besides switching to a different operating system.
OVAL test results details

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
Filepath: /etc/redhat-release
Pattern: ^Red Hat Enterprise Linux release (\d)\.\d+$
Instance: 1

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
Filepath: /etc/redhat-release
Pattern: ^Red Hat Enterprise Linux release (\d)\.\d+$
Instance: 1

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  true

Following items have been found on the system:
Name: redhat-release
Arch: x86_64
Epoch: (none)
Release: 1.0.el8
Version: 8.3
Evr: 0:8.3-1.0.el8
Signature keyid: 199e2f91fd431d51
Extended name: redhat-release-0:8.3-1.0.el8.x86_64

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
Filepath: /etc/redhat-release
Pattern: ^Red Hat Enterprise Linux release (\d)\.\d+$
Instance: 1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

oraclelinux-release is version 8  oval:ssg-test_ol8_system:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

oraclelinux-release is version 8  oval:ssg-test_ol8_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name
sles-release

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name
sles-release

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_unix_family:obj:1 of type family_object

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
Name
sles-release

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
Name
sles-release

Ensure /home Located On Separate Partition  xccdf_org.ssgproject.content_rule_partition_for_home  low  CCE-81044-0

Ensure /home Located On Separate Partition

Rule ID  xccdf_org.ssgproject.content_rule_partition_for_home
Result  notapplicable
Multi-check rule  no
Time  2021-04-23T21:30:54
Severity  low
Identifiers and References

Identifiers:  CCE-81044-0

References:  BP28(R12), 1.1.13, CCI-000366, CCI-001208, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, APO13.01, DSS05.02, A.13.1.1, A.13.2.1, A.14.1.3, 12, 15, 8

Description

If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.

Rationale

Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

Encrypt Partitions  xccdf_org.ssgproject.content_rule_encrypt_partitions  high  CCE-80789-1

Encrypt Partitions

Rule ID  xccdf_org.ssgproject.content_rule_encrypt_partitions
Result  notapplicable
Multi-check rule  no
Time  2021-04-23T21:30:54
Severity  high
Identifiers and References

Identifiers:  CCE-80789-1

References:  3.13.16, CCI-001199, CCI-002475, CCI-002476, 164.308(a)(1)(ii)(D), 164.308(b)(1), 164.310(d), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.314(b)(2)(i), 164.312(d), A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), SC-28, SC-28(1), SC-13, AU-9(3), PR.DS-1, PR.DS-5, SRG-OS-000405-GPOS-00184, SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000404-VMM-001650, SRG-OS-000405-VMM-001660, SR 3.4, SR 4.1, SR 5.2, APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS05.04, DSS05.07, DSS06.02, DSS06.06, 13, 14

Description

Red Hat Enterprise Linux 8 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.

For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.

For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:

part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.

By default, the Anaconda installer uses the aes-xts-plain64 cipher with a minimum 512-bit key size, which should be compatible with FIPS mode enabled.

Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the Red Hat Enterprise Linux 8 Documentation web site:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html.

Rationale

The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.

Ensure /var/log/audit Located On Separate Partition  xccdf_org.ssgproject.content_rule_partition_for_var_log_audit  low  CCE-80854-3

Ensure /var/log/audit Located On Separate Partition

Rule ID  xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
Result  notapplicable
Multi-check rule  no
Time  2021-04-23T21:30:54
Severity  low
Identifiers and References

Identifiers:  CCE-80854-3

References:  1.1.12, CCI-000366, CCI-001849, 164.312(a)(2)(ii), A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8

Description

Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

Rationale

Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

Ensure /var Located On Separate Partition  xccdf_org.ssgproject.content_rule_partition_for_var  low  CCE-80852-7

Ensure /var Located On Separate Partition

Rule ID  xccdf_org.ssgproject.content_rule_partition_for_var
Result  notapplicable
Multi-check rule  no
Time  2021-04-23T21:30:54
Severity  low
Identifiers and References

Identifiers:  CCE-80852-7

References:  BP28(R12), 1.1.6, CCI-000366, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, APO13.01, DSS05.02, A.13.1.1, A.13.2.1, A.14.1.3, 12, 15, 8

Description

The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale

Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages.

Ensure /var/log Located On Separate Partition  xccdf_org.ssgproject.content_rule_partition_for_var_log  medium  CCE-80853-5

Ensure /var/log Located On Separate Partition

Rule ID  xccdf_org.ssgproject.content_rule_partition_for_var_log
Result  notapplicable
Multi-check rule  no
Time  2021-04-23T21:30:54
Severity  medium
Identifiers and References

Identifiers:  CCE-80853-5

References:  BP28(R12), BP28(R47), 1.1.11, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, 1, 12, 14, 15, 16, 3, 5, 6, 8, SRG-OS-000480-GPOS-00227

Description

System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale

Placing /var/log in its own partition enables better separation between log files and other files in /var/.

Make sure that the dconf databases are up-to-date with regards to respective keyfiles  xccdf_org.ssgproject.content_rule_dconf_db_up_to_date  high  CCE-81003-6

Make sure that the dconf databases are up-to-date with regards to respective keyfiles

Rule ID  xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
Result  notapplicable
Multi-check rule  no
Time  2021-04-23T21:30:54
Severity  high
Identifiers and References

Identifiers:  CCE-81003-6

References:  SRG-OS-000480-GPOS-00227

Description

By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the dconf update command.

Rationale

Unlike text-based keyfiles, the binary database cannot be checked by OVAL. Therefore, in order to evaluate the dconf configuration, two conditions have to hold at the same time: the configuration files have to be compliant, and the database needs to be more recent than those keyfiles, which gives confidence that it reflects them.

Install sudo Package  xccdf_org.ssgproject.content_rule_package_sudo_installed  medium  CCE-82214-8

Install sudo Package

Rule ID  xccdf_org.ssgproject.content_rule_package_sudo_installed
Result  fail
Multi-check rule  no
OVAL Definition ID  oval:ssg-package_sudo_installed:def:1
Time  2021-04-23T21:30:54
Severity  medium
Identifiers and References

Identifiers:  CCE-82214-8

References:  CM-6(a), SRG-OS-000324-GPOS-00125, 1.3.1, 1382, 1384, 1386

Description

The sudo package can be installed with the following command:

$ sudo yum install sudo

Rationale

sudo is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.



Remediation Shell script
Complexity:  low
Disruption:  low
Strategy:  enable

if ! rpm -q --quiet "sudo" ; then
    yum install -y "sudo"
fi


Remediation Ansible snippet
Complexity:  low
Disruption:  low
Strategy:  enable
- name: Ensure sudo is installed
  package:
    name: sudo
    state: present
  tags:
    - CCE-82214-8
    - NIST-800-53-CM-6(a)
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_sudo_installed


Remediation Puppet snippet
Complexity:  low
Disruption:  low
Strategy:  enable
include install_sudo

class install_sudo {
  package { 'sudo':
    ensure => 'installed',
  }
}


Remediation Anaconda snippet
Complexity:  low
Disruption:  low
Strategy:  enable

package --add=sudo

OVAL test results details

package sudo is installed  oval:ssg-test_package_sudo_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_sudo_installed:obj:1 of type rpminfo_object
Name
sudo
Install dnf-automatic Package  xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed  medium  CCE-82985-3

Install dnf-automatic Package

Rule ID  xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed
Result  fail
Multi-check rule  no
OVAL Definition ID  oval:ssg-package_dnf-automatic_installed:def:1
Time  2021-04-23T21:30:54
Severity  medium
Identifiers and References

Identifiers:  CCE-82985-3

References:  SRG-OS-000191-GPOS-00080

Description

The dnf-automatic package can be installed with the following command:

$ sudo yum install dnf-automatic

Rationale

dnf-automatic is an alternative command line interface (CLI) to dnf upgrade suitable for automatic, regular execution.



Remediation Shell script
Complexity:  low
Disruption:  low
Strategy:  enable

if ! rpm -q --quiet "dnf-automatic" ; then
    yum install -y "dnf-automatic"
fi


Remediation Ansible snippet
Complexity:  low
Disruption:  low
Strategy:  enable
- name: Ensure dnf-automatic is installed
  package:
    name: dnf-automatic
    state: present
  tags:
    - CCE-82985-3
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_dnf-automatic_installed


Remediation Puppet snippet
Complexity:  low
Disruption:  low
Strategy:  enable
include install_dnf-automatic

class install_dnf-automatic {
  package { 'dnf-automatic':
    ensure => 'installed',
  }
}


Remediation Anaconda snippet
Complexity:  low
Disruption:  low
Strategy:  enable

package --add=dnf-automatic

OVAL test results details

package dnf-automatic is installed  oval:ssg-test_package_dnf-automatic_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_dnf-automatic_installed:obj:1 of type rpminfo_object
Name
dnf-automatic
Ensure gpgcheck Enabled In Main yum Configuration  xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated  high  CCE-80790-9

Ensure gpgcheck Enabled In Main yum Configuration

Rule ID  xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result  notapplicable
Multi-check rule  no
Time  2021-04-23T21:30:54
Severity  high
Identifiers and References

Identifiers:  CCE-80790-9

References:  1.2.4, 5.10.4.1, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, 11, 2, 3, 9, BP28(R15)

Description

The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section:

gpgcheck=1

Rationale

Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).

Ensure gpgcheck Enabled for Local Packages  xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages  high  CCE-80791-7

Ensure gpgcheck Enabled for Local Packages

Rule ID  xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
Result  notapplicable
Multi-check rule  no
Time  2021-04-23T21:30:54
Severity  high
Identifiers and References

Identifiers:  CCE-80791-7

References:  3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, 11, 3, 9, BP28(R15)

Description

yum should be configured to verify the signature(s) of local packages prior to installation. To configure yum to verify signatures of local packages, set localpkg_gpgcheck to 1 in /etc/yum.conf.

Rationale

Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor.

Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.

Enable dnf-automatic Timer  xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled  medium  CCE-82360-9

Enable dnf-automatic Timer

Rule ID  xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled
Result  fail
Multi-check rule  no
OVAL Definition ID  oval:ssg-timer_dnf-automatic_enabled:def:1
Time  2021-04-23T21:30:54
Severity  medium
Identifiers and References

Identifiers:  CCE-82360-9

References:  FMT_SMF_EXT.1, SI-2(5), CM-6(a), SI-2(c), SRG-OS-000191-GPOS-00080

Description

The dnf-automatic timer can be enabled with the following command:

$ sudo systemctl enable dnf-automatic.timer

Rationale

dnf-automatic is an alternative command line interface (CLI) to dnf upgrade with specific facilities that make it suitable to be executed automatically and regularly from systemd timers, cron jobs and similar. The tool is controlled by the dnf-automatic.timer systemd timer.



Remediation Shell script
Complexity:  low
Disruption:  low
Strategy:  enable

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'dnf-automatic.timer'
"$SYSTEMCTL_EXEC" enable 'dnf-automatic.timer'


Remediation Ansible snippet
Complexity:  low
Disruption:  low
Strategy:  enable
- name: Enable timer dnf-automatic
  block:

    - name: Gather the package facts
      package_facts:
        manager: auto

    - name: Enable timer dnf-automatic
      systemd:
        name: dnf-automatic.timer
        enabled: 'yes'
        state: started
      when:
        - '"dnf-automatic" in ansible_facts.packages'
  tags:
    - CCE-82360-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-2(5)
    - NIST-800-53-SI-2(c)
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - timer_dnf-automatic_enabled

OVAL test results details

package dnf-automatic is installed  oval:ssg-test_package_dnf-automatic_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_dnf-automatic_installed:obj:1 of type rpminfo_object
Name
dnf-automatic

Test that the dnf-automatic timer is running  oval:ssg-test_timer_running_dnf-automatic:tst:1  not applicable

No items have been found conforming to the following objects:
Object oval:ssg-obj_timer_running_dnf-automatic:obj:1 of type systemdunitproperty_object
Unit  dnf-automatic\.timer
Property  ActiveState

systemd test  oval:ssg-test_multi_user_wants_dnf-automatic:tst:1  not applicable

No items have been found conforming to the following objects:
Object oval:ssg-object_multi_user_target_for_dnf-automatic_enabled:obj:1 of type systemdunitdependency_object
Unit
multi-user.target
Configure dnf-automatic to Install Available Updates Automatically  xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates  medium  CCE-82494-6

Configure dnf-automatic to Install Available Updates Automatically

Rule ID  xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
Result  fail
Multi-check rule  no
OVAL Definition ID  oval:ssg-dnf-automatic_apply_updates:def:1
Time  2021-04-23T21:30:54
Severity  medium
Identifiers and References

Identifiers:  CCE-82494-6

References:  FMT_SMF_EXT.1, SI-2(5), CM-6(a), SI-2(c), SRG-OS-000191-GPOS-00080, 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495

Description

To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under the [commands] section in /etc/dnf/automatic.conf.

Rationale

Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. The automated installation of updates ensures that recent security patches are applied in a timely manner.




Remediation Shell script

CONF="/etc/dnf/automatic.conf"
# PCRE used with grep -z (whole file as one record) so it can span from the
# [commands] header down to an apply_updates key inside that section.
APPLY_UPDATES_REGEX="[[:space:]]*\[commands]([^\n\[]*\n+)+?[[:space:]]*apply_updates"
COMMANDS_REGEX="[[:space:]]*\[commands]"

# Try to find [commands] and apply_updates in automatic.conf: if the option
# exists, set it to yes; if only the section exists, add the option under it;
# if neither exists, create the section with the option.
if grep -qzosP "$APPLY_UPDATES_REGEX" "$CONF"; then
    sed -i "s/apply_updates[^(\n)]*/apply_updates = yes/" "$CONF"
elif grep -qs "$COMMANDS_REGEX" "$CONF"; then
    sed -i "/$COMMANDS_REGEX/a apply_updates = yes" "$CONF"
else
    mkdir -p /etc/dnf
    echo -e "[commands]\napply_updates = yes" >> "$CONF"
fi


Remediation Ansible snippet
Complexity:  low
Disruption:  medium
- name: Configure dnf-automatic to Install Available Updates Automatically
  ini_file:
    dest: /etc/dnf/automatic.conf
    section: commands
    option: apply_updates
    value: 'yes'
    create: true
  tags:
    - CCE-82494-6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-2(5)
    - NIST-800-53-SI-2(c)
    - dnf-automatic_apply_updates
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

OVAL test results details

tests the value of apply_updates setting in the /etc/dnf/automatic.conf file  oval:ssg-test_dnf-automatic_apply_updates:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_dnf-automatic_apply_updates:obj:1 of type textfilecontent54_object
Filepath  /etc/dnf/automatic.conf
Pattern  ^\s*\[commands\].*(?:\n\s*[^[\s].*)*\n^\s*apply_updates[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)
Instance  1

The configuration file /etc/dnf/automatic.conf exists for dnf-automatic_apply_updates  oval:ssg-test_dnf-automatic_apply_updates_config_file_exists:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_dnf-automatic_apply_updates_config_file:obj:1 of type file_object
Filepath
^/etc/dnf/automatic.conf
Ensure Red Hat GPG Key Installed  xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed  high  CCE-80795-8

Ensure Red Hat GPG Key Installed

Rule ID  xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
Result  pass
Multi-check rule  no
OVAL Definition ID  oval:ssg-ensure_redhat_gpgkey_installed:def:1
Time  2021-04-23T21:30:54
Severity  high
Identifiers and References

Identifiers:  CCE-80795-8

References:  SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, 5.10.4.1, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, 11, 2, 3, 9, BP28(R15)

Description

To ensure the system can cryptographically verify that base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must be properly installed. To install the Red Hat GPG key, run:

$ sudo subscription-manager register

If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring:

$ sudo rpm --import /media/cdrom/RPM-GPG-KEY

Alternatively, the key may be pre-loaded during the RHEL installation. In such cases, the key can be installed by running the following command:

$ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

Rationale

Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.

OVAL test results details

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  true

Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
redhat-release | x86_64 | (none) | 1.0.el8 | 8.3 | 0:8.3-1.0.el8 | 199e2f91fd431d51 | redhat-release-0:8.3-1.0.el8.x86_64

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
Filepath  /etc/redhat-release
Pattern  ^Red Hat Enterprise Linux release (\d)\.\d+$
Instance  1

Red Hat release key package is installed  oval:ssg-test_package_gpgkey-fd431d51-4ae0493b_installed:tst:1  true

Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none)
gpg-pubkey(none)(none)5b32db75d40827920:d4082792-5b32db750gpg-pubkey-0:d4082792-5b32db75.(none)

Red Hat auxiliary key package is installed  oval:ssg-test_package_gpgkey-d4082792-5b32db75_installed:tst:1  true

Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none)
gpg-pubkey | (none) | (none) | 5b32db75 | d4082792 | 0:d4082792-5b32db75 | 0 | gpg-pubkey-0:d4082792-5b32db75.(none)

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Check os-release ID  oval:ssg-test_centos8_name:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_name_centos8:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/os-release | ^ID="(\w+)"$ | 1

Check os-release ID  oval:ssg-test_centos8_name:tst:1  false

Following items have been found on the system:
Path | Content
/etc/os-release | ID="rhel"

Check os-release VERSION_ID  oval:ssg-test_centos8_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/os-release | ^VERSION_ID="(\d)"$ | 1

Check os-release VERSION_ID  oval:ssg-test_centos8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/os-release | ^VERSION_ID="(\d)"$ | 1

CentOS8 key package is installed  oval:ssg-test_package_gpgkey-8483c65d-5ccc5b19_installed:tst:1  false

Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none)
gpg-pubkey | (none) | (none) | 5b32db75 | d4082792 | 0:d4082792-5b32db75 | 0 | gpg-pubkey-0:d4082792-5b32db75.(none)

Ensure yum Removes Previous Package Versions

Rule ID: xccdf_org.ssgproject.content_rule_clean_components_post_updating
Result: notapplicable
Multi-check rule: no
Time: 2021-04-23T21:30:54
Severity: low
Identifiers and References

Identifiers:  CCE-82476-3

References:  3.4.8, CCI-002617, SI-2(6), CM-11(a), CM-11(b), CM-6(a), ID.RA-1, PR.IP-12, SRG-OS-000437-GPOS-00194, SRG-OS-000437-VMM-001760, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, 18, 20, 4

Description

yum should be configured to remove previous software components after new versions have been installed. To configure yum to remove the previous software components after updating, set the clean_requirements_on_remove to 1 in /etc/yum.conf.

Rationale

Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.

Configure dnf-automatic to Install Only Security Updates

Rule ID: xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
Result: fail
Multi-check rule: no
OVAL Definition ID: oval:ssg-dnf-automatic_security_updates_only:def:1
Time: 2021-04-23T21:30:54
Severity: low
Identifiers and References

Identifiers:  CCE-82267-6

References:  FMT_SMF_EXT.1, SI-2(5), CM-6(a), SI-2(c), SRG-OS-000191-GPOS-00080

Description

To configure dnf-automatic to install only security updates automatically, set upgrade_type to security under [commands] section in /etc/dnf/automatic.conf.

Rationale

By default, dnf-automatic installs all available updates. Limiting the packages that are updated to those issued as part of a security advisory increases system stability.




Remediation shell script:

CONF="/etc/dnf/automatic.conf"
APPLY_UPDATES_REGEX="[[:space:]]*\[commands]([^\n\[]*\n+)+?[[:space:]]*upgrade_type"
COMMANDS_REGEX="[[:space:]]*\[commands]"

# Try to find [commands] and upgrade_type in automatic.conf. If upgrade_type
# exists, set it to security; if it is missing, add it under [commands]; if
# [commands] does not exist either, append the whole section.
# Variables are quoted so the regex is not subject to shell globbing or word splitting.
if grep -qzosP "$APPLY_UPDATES_REGEX" "$CONF"; then
    sed -i "s/upgrade_type[^(\n)]*/upgrade_type = security/" "$CONF"
elif grep -qs "$COMMANDS_REGEX" "$CONF"; then
    sed -i "/$COMMANDS_REGEX/a upgrade_type = security" "$CONF"
else
    mkdir -p /etc/dnf
    echo -e "[commands]\nupgrade_type = security" >> "$CONF"
fi


Remediation Ansible snippet (Complexity: low, Disruption: medium):
- name: Configure dnf-automatic to Install Only Security Updates
  ini_file:
    dest: /etc/dnf/automatic.conf
    section: commands
    option: upgrade_type
    value: security
    create: true
  tags:
    - CCE-82267-6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-2(5)
    - NIST-800-53-SI-2(c)
    - dnf-automatic_security_updates_only
    - low_complexity
    - low_severity
    - medium_disruption
    - no_reboot_needed
    - unknown_strategy
OVAL test results details

tests the value of upgrade_type setting in the /etc/dnf/automatic.conf file  oval:ssg-test_dnf-automatic_security_updates_only:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_dnf-automatic_security_updates_only:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/dnf/automatic.conf | ^\s*\[commands\].*(?:\n\s*[^[\s].*)*\n^\s*upgrade_type[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1

The configuration file /etc/dnf/automatic.conf exists for dnf-automatic_security_updates_only  oval:ssg-test_dnf-automatic_security_updates_only_config_file_exists:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_dnf-automatic_security_updates_only_config_file:obj:1 of type file_object
Filepath
^/etc/dnf/automatic.conf

Ensure gpgcheck Enabled for All yum Package Repositories

Rule ID: xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-ensure_gpgcheck_never_disabled:def:1
Time: 2021-04-23T21:30:54
Severity: high
Identifiers and References

Identifiers:  CCE-80792-5

References:  SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 5.10.4.1, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, 11, 2, 3, 9, BP28(R15)

Description

To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:

gpgcheck=0

Rationale

Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).

OVAL test results details

check for existence of gpgcheck=0 in /etc/yum.repos.d/ files  oval:ssg-test_ensure_gpgcheck_never_disabled:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_ensure_gpgcheck_never_disabled:obj:1 of type textfilecontent54_object
Path | Filename | Pattern | Instance
/etc/yum.repos.d | .* | ^\s*gpgcheck\s*=\s*0\s*$ | 1

Install dnf-plugin-subscription-manager Package

Rule ID: xccdf_org.ssgproject.content_rule_package_dnf-plugin-subscription-manager_installed
Result: fail
Multi-check rule: no
OVAL Definition ID: oval:ssg-package_dnf-plugin-subscription-manager_installed:def:1
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-82315-3

References:  FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495

Description

The dnf-plugin-subscription-manager package can be installed with the following command:

$ sudo yum install dnf-plugin-subscription-manager

Rationale

This package provides plugins to interact with repositories and subscriptions from the Red Hat entitlement platform; it contains the subscription-manager and product-id plugins.



Remediation shell script (Complexity: low, Disruption: low, Strategy: enable):

if ! rpm -q --quiet "dnf-plugin-subscription-manager" ; then
    yum install -y "dnf-plugin-subscription-manager"
fi


Remediation Ansible snippet (Complexity: low, Disruption: low, Strategy: enable):
- name: Ensure dnf-plugin-subscription-manager is installed
  package:
    name: dnf-plugin-subscription-manager
    state: present
  tags:
    - CCE-82315-3
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_dnf-plugin-subscription-manager_installed


Remediation Puppet snippet (Complexity: low, Disruption: low, Strategy: enable):
include install_dnf-plugin-subscription-manager

class install_dnf-plugin-subscription-manager {
  package { 'dnf-plugin-subscription-manager':
    ensure => 'installed',
  }
}


Remediation Anaconda snippet (Complexity: low, Disruption: low, Strategy: enable):

package --add=dnf-plugin-subscription-manager
OVAL test results details

package dnf-plugin-subscription-manager is installed  oval:ssg-test_package_dnf-plugin-subscription-manager_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_dnf-plugin-subscription-manager_installed:obj:1 of type rpminfo_object
Name
dnf-plugin-subscription-manager

Ensure gnutls-utils is installed

Rule ID: xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed
Result: fail
Multi-check rule: no
OVAL Definition ID: oval:ssg-package_gnutls-utils_installed:def:1
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-82395-5

References:  FIA_X509_EXT, SRG-OS-000480-GPOS-00227

Description

The gnutls-utils package can be installed with the following command:

$ sudo yum install gnutls-utils

Rationale

GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. This package contains command line TLS client and server and certificate manipulation tools.



Remediation shell script (Complexity: low, Disruption: low, Strategy: enable):

if ! rpm -q --quiet "gnutls-utils" ; then
    yum install -y "gnutls-utils"
fi


Remediation Ansible snippet (Complexity: low, Disruption: low, Strategy: enable):
- name: Ensure gnutls-utils is installed
  package:
    name: gnutls-utils
    state: present
  tags:
    - CCE-82395-5
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_gnutls-utils_installed


Remediation Puppet snippet (Complexity: low, Disruption: low, Strategy: enable):
include install_gnutls-utils

class install_gnutls-utils {
  package { 'gnutls-utils':
    ensure => 'installed',
  }
}


Remediation Anaconda snippet (Complexity: low, Disruption: low, Strategy: enable):

package --add=gnutls-utils
OVAL test results details

package gnutls-utils is installed  oval:ssg-test_package_gnutls-utils_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_gnutls-utils_installed:obj:1 of type rpminfo_object
Name
gnutls-utils

Install libcap-ng-utils Package

Rule ID: xccdf_org.ssgproject.content_rule_package_libcap-ng-utils_installed
Result: fail
Multi-check rule: no
OVAL Definition ID: oval:ssg-package_libcap-ng-utils_installed:def:1
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-82979-6

References:  SRG-OS-000445-GPOS-00199

Description

The libcap-ng-utils package can be installed with the following command:

$ sudo yum install libcap-ng-utils

Rationale

libcap-ng-utils contains applications to analyze the POSIX capabilities of all the programs running on a system. libcap-ng-utils also lets system operators set file-system-based capabilities.



Remediation shell script (Complexity: low, Disruption: low, Strategy: enable):

if ! rpm -q --quiet "libcap-ng-utils" ; then
    yum install -y "libcap-ng-utils"
fi


Remediation Ansible snippet (Complexity: low, Disruption: low, Strategy: enable):
- name: Ensure libcap-ng-utils is installed
  package:
    name: libcap-ng-utils
    state: present
  tags:
    - CCE-82979-6
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_libcap-ng-utils_installed


Remediation Puppet snippet (Complexity: low, Disruption: low, Strategy: enable):
include install_libcap-ng-utils

class install_libcap-ng-utils {
  package { 'libcap-ng-utils':
    ensure => 'installed',
  }
}


Remediation Anaconda snippet (Complexity: low, Disruption: low, Strategy: enable):

package --add=libcap-ng-utils
OVAL test results details

package libcap-ng-utils is installed  oval:ssg-test_package_libcap-ng-utils_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_libcap-ng-utils_installed:obj:1 of type rpminfo_object
Name
libcap-ng-utils

Install openscap-scanner Package

Rule ID: xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed
Result: fail
Multi-check rule: no
OVAL Definition ID: oval:ssg-package_openscap-scanner_installed:def:1
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-82220-5

References:  SRG-OS-000480-GPOS-00227, SRG-OS-000191-GPOS-00080

Description

The openscap-scanner package can be installed with the following command:

$ sudo yum install openscap-scanner

Rationale

openscap-scanner contains the oscap command line tool. This tool is a configuration and vulnerability scanner, capable of performing compliance checking using SCAP content.



Remediation shell script (Complexity: low, Disruption: low, Strategy: enable):

if ! rpm -q --quiet "openscap-scanner" ; then
    yum install -y "openscap-scanner"
fi


Remediation Ansible snippet (Complexity: low, Disruption: low, Strategy: enable):
- name: Ensure openscap-scanner is installed
  package:
    name: openscap-scanner
    state: present
  tags:
    - CCE-82220-5
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_openscap-scanner_installed


Remediation Puppet snippet (Complexity: low, Disruption: low, Strategy: enable):
include install_openscap-scanner

class install_openscap-scanner {
  package { 'openscap-scanner':
    ensure => 'installed',
  }
}


Remediation Anaconda snippet (Complexity: low, Disruption: low, Strategy: enable):

package --add=openscap-scanner
OVAL test results details

package openscap-scanner is installed  oval:ssg-test_package_openscap-scanner_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_openscap-scanner_installed:obj:1 of type rpminfo_object
Name
openscap-scanner

Install scap-security-guide Package

Rule ID: xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed
Result: fail
Multi-check rule: no
OVAL Definition ID: oval:ssg-package_scap-security-guide_installed:def:1
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-82949-9

References:  SRG-OS-000480-GPOS-00227

Description

The scap-security-guide package can be installed with the following command:

$ sudo yum install scap-security-guide

Rationale

The scap-security-guide package provides a guide for configuration of the system from the final system's security point of view. The guidance is specified in the Security Content Automation Protocol (SCAP) format and constitutes a catalog of practical hardening advice, linked to government requirements where applicable. The SCAP Security Guide project bridges the gap between generalized policy requirements and specific implementation guidelines. A system administrator can use the oscap CLI tool from the openscap-scanner package, or the SCAP Workbench GUI tool from the scap-workbench package, to verify that the system conforms to the provided guidelines. Refer to the scap-security-guide(8) manual page for further information.



Remediation shell script (Complexity: low, Disruption: low, Strategy: enable):

if ! rpm -q --quiet "scap-security-guide" ; then
    yum install -y "scap-security-guide"
fi


Remediation Ansible snippet (Complexity: low, Disruption: low, Strategy: enable):
- name: Ensure scap-security-guide is installed
  package:
    name: scap-security-guide
    state: present
  tags:
    - CCE-82949-9
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_scap-security-guide_installed


Remediation Puppet snippet (Complexity: low, Disruption: low, Strategy: enable):
include install_scap-security-guide

class install_scap-security-guide {
  package { 'scap-security-guide':
    ensure => 'installed',
  }
}


Remediation Anaconda snippet (Complexity: low, Disruption: low, Strategy: enable):

package --add=scap-security-guide
OVAL test results details

package scap-security-guide is installed  oval:ssg-test_package_scap-security-guide_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_scap-security-guide_installed:obj:1 of type rpminfo_object
Name
scap-security-guide

Install subscription-manager Package

Rule ID: xccdf_org.ssgproject.content_rule_package_subscription-manager_installed
Result: fail
Multi-check rule: no
OVAL Definition ID: oval:ssg-package_subscription-manager_installed:def:1
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-82316-1

References:  SRG-OS-000366-GPOS-00153, FPT_TUD_EXT.1, FPT_TUD_EXT.2, 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495

Description

The subscription-manager package can be installed with the following command:

$ sudo yum install subscription-manager

Rationale

Red Hat Subscription Manager is a local service which tracks installed products and subscriptions on a local system to help manage subscription assignments. It communicates with the backend subscription service (the Customer Portal or an on-premise server such as Subscription Asset Manager) and works with content management tools such as yum.



Remediation shell script (Complexity: low, Disruption: low, Strategy: enable):

if ! rpm -q --quiet "subscription-manager" ; then
    yum install -y "subscription-manager"
fi


Remediation Ansible snippet (Complexity: low, Disruption: low, Strategy: enable):
- name: Ensure subscription-manager is installed
  package:
    name: subscription-manager
    state: present
  tags:
    - CCE-82316-1
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_subscription-manager_installed


Remediation Puppet snippet (Complexity: low, Disruption: low, Strategy: enable):
include install_subscription-manager

class install_subscription-manager {
  package { 'subscription-manager':
    ensure => 'installed',
  }
}


Remediation Anaconda snippet (Complexity: low, Disruption: low, Strategy: enable):

package --add=subscription-manager
OVAL test results details

package subscription-manager is installed  oval:ssg-test_package_subscription-manager_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_subscription-manager_installed:obj:1 of type rpminfo_object
Name
subscription-manager

Uninstall abrt-addon-ccpp Package

Rule ID: xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-package_abrt-addon-ccpp_removed:def:1
Time: 2021-04-23T21:30:54
Severity: low
Identifiers and References

Identifiers:  CCE-82919-2

References:  SRG-OS-000095-GPOS-00049

Description

The abrt-addon-ccpp package can be removed with the following command:

$ sudo yum erase abrt-addon-ccpp

Rationale

abrt-addon-ccpp contains hooks for crashed C/C++ programs and ABRT's C/C++ analyzer plugin.

OVAL test results details

package abrt-addon-ccpp is removed  oval:ssg-test_package_abrt-addon-ccpp_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-addon-ccpp_removed:obj:1 of type rpminfo_object
Name
abrt-addon-ccpp

Uninstall abrt-addon-kerneloops Package

Rule ID: xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-package_abrt-addon-kerneloops_removed:def:1
Time: 2021-04-23T21:30:54
Severity: low
Identifiers and References

Identifiers:  CCE-82926-7

References:  SRG-OS-000095-GPOS-00049

Description

The abrt-addon-kerneloops package can be removed with the following command:

$ sudo yum erase abrt-addon-kerneloops

Rationale

abrt-addon-kerneloops contains plugins for collecting kernel crash information and a reporter plugin that sends this information to a specified server, usually kerneloops.org.

OVAL test results details

package abrt-addon-kerneloops is removed  oval:ssg-test_package_abrt-addon-kerneloops_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-addon-kerneloops_removed:obj:1 of type rpminfo_object
Name
abrt-addon-kerneloops

Uninstall abrt-addon-python Package

Rule ID: xccdf_org.ssgproject.content_rule_package_abrt-addon-python_removed
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-package_abrt-addon-python_removed:def:1
Time: 2021-04-23T21:30:54
Severity: low
Identifiers and References

Identifiers:  CCE-82923-4

References:  SRG-OS-000095-GPOS-00049

Description

The abrt-addon-python package can be removed with the following command:

$ sudo yum erase abrt-addon-python

Rationale

abrt-addon-python contains a Python hook and a Python analyzer plugin for handling uncaught exceptions in Python programs.

OVAL test results details

package abrt-addon-python is removed  oval:ssg-test_package_abrt-addon-python_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-addon-python_removed:obj:1 of type rpminfo_object
Name
abrt-addon-python

Uninstall abrt-cli Package

Rule ID: xccdf_org.ssgproject.content_rule_package_abrt-cli_removed
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-package_abrt-cli_removed:def:1
Time: 2021-04-23T21:30:54
Severity: low
Identifiers and References

Identifiers:  CCE-82907-7

References:  SRG-OS-000095-GPOS-00049

Description

The abrt-cli package can be removed with the following command:

$ sudo yum erase abrt-cli

Rationale

abrt-cli contains a command line client for controlling the abrt daemon over sockets.

OVAL test results details

package abrt-cli is removed  oval:ssg-test_package_abrt-cli_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-cli_removed:obj:1 of type rpminfo_object
Name
abrt-cli

Uninstall abrt-plugin-logger Package

Rule ID: xccdf_org.ssgproject.content_rule_package_abrt-plugin-logger_removed
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-package_abrt-plugin-logger_removed:def:1
Time: 2021-04-23T21:30:54
Severity: low
Identifiers and References

Identifiers:  CCE-82913-5

References:  SRG-OS-000095-GPOS-00049

Description

The abrt-plugin-logger package can be removed with the following command:

$ sudo yum erase abrt-plugin-logger

Rationale

abrt-plugin-logger is an ABRT plugin which writes a report to a specified file.

OVAL test results details

package abrt-plugin-logger is removed  oval:ssg-test_package_abrt-plugin-logger_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-plugin-logger_removed:obj:1 of type rpminfo_object
Name
abrt-plugin-logger

Uninstall abrt-plugin-rhtsupport Package

Rule ID: xccdf_org.ssgproject.content_rule_package_abrt-plugin-rhtsupport_removed
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-package_abrt-plugin-rhtsupport_removed:def:1
Time: 2021-04-23T21:30:54
Severity: low
Identifiers and References

Identifiers:  CCE-82916-8

References:  SRG-OS-000095-GPOS-00049

Description

The abrt-plugin-rhtsupport package can be removed with the following command:

$ sudo yum erase abrt-plugin-rhtsupport

Rationale

abrt-plugin-rhtsupport is an ABRT plugin to report bugs into the Red Hat Support system.

OVAL test results details

package abrt-plugin-rhtsupport is removed  oval:ssg-test_package_abrt-plugin-rhtsupport_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-plugin-rhtsupport_removed:obj:1 of type rpminfo_object
Name
abrt-plugin-rhtsupport

Uninstall abrt-plugin-sosreport Package

Rule ID: xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-package_abrt-plugin-sosreport_removed:def:1
Time: 2021-04-23T21:30:54
Severity: low
Identifiers and References

Identifiers:  CCE-82910-1

References:  SRG-OS-000095-GPOS-00049

Description

The abrt-plugin-sosreport package can be removed with the following command:

$ sudo yum erase abrt-plugin-sosreport

Rationale

abrt-plugin-sosreport provides a plugin to include an sosreport in an ABRT report.

OVAL test results details

package abrt-plugin-sosreport is removed  oval:ssg-test_package_abrt-plugin-sosreport_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-plugin-sosreport_removed:obj:1 of type rpminfo_object
Name
abrt-plugin-sosreport

Uninstall gssproxy Package

Rule ID: xccdf_org.ssgproject.content_rule_package_gssproxy_removed
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-package_gssproxy_removed:def:1
Time: 2021-04-23T21:30:54
Severity: low
Identifiers and References

Identifiers:  CCE-82943-2

References:  SRG-OS-000095-GPOS-00049

Description

The gssproxy package can be removed with the following command:

$ sudo yum erase gssproxy

Rationale

gssproxy is a proxy for GSS API credential handling.

OVAL test results details

package gssproxy is removed  oval:ssg-test_package_gssproxy_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_gssproxy_removed:obj:1 of type rpminfo_object
Name
gssproxy

Uninstall iprutils Package

Rule ID: xccdf_org.ssgproject.content_rule_package_iprutils_removed
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-package_iprutils_removed:def:1
Time: 2021-04-23T21:30:54
Severity: low
Identifiers and References

Identifiers:  CCE-82946-5

References:  SRG-OS-000095-GPOS-00049

Description

The iprutils package can be removed with the following command:

$ sudo yum erase iprutils

Rationale

iprutils provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver.

OVAL test results details

package iprutils is removed  oval:ssg-test_package_iprutils_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_iprutils_removed:obj:1 of type rpminfo_object
Name
iprutils

Uninstall krb5-workstation Package

Rule ID: xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-package_krb5-workstation_removed:def:1
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-82931-7

References:  SRG-OS-000095-GPOS-00049, SRG-OS-000120-GPOS-00061

Description

The krb5-workstation package can be removed with the following command:

$ sudo yum erase krb5-workstation

Rationale

Kerberos is a network authentication system. The krb5-workstation package contains the basic Kerberos programs (kinit, klist, kdestroy, kpasswd). Currently, Kerberos does not utilize FIPS 140-2 cryptography and is not permitted on Government networks, nor is it permitted in many regulatory environments such as HIPAA.

OVAL test results details

package krb5-workstation is removed  oval:ssg-test_package_krb5-workstation_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_krb5-workstation_removed:obj:1 of type rpminfo_object
Name: krb5-workstation
Enable GNOME3 Login Warning Banner

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
Result: notapplicable
Multi-check rule: no
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80768-5

References:  1.8.2, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, AC-8(a), AC-8(b), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, DSS05.04, DSS05.10, DSS06.10, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16

Description

In the default graphical environment, a login warning banner on the GNOME Display Manager's login screen can be enabled by setting banner-message-enable to true.

To enable it, add or edit banner-message-enable in /etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
banner-message-enable=true

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/login-screen/banner-message-enable

After the settings have been set, run dconf update. The banner text must also be set.

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

Modify the System Login Banner

Rule ID: xccdf_org.ssgproject.content_rule_banner_etc_issue
Result: fail
Multi-check rule: no
OVAL Definition ID: oval:ssg-banner_etc_issue:def:1
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80763-6

References:  1.8.1.2, 3.1.9, CCI-000048, CCI-000050, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000023-VMM-000060, SRG-OS-000024-VMM-000070, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, DSS05.04, DSS05.10, DSS06.10, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16

Description

To configure the system login banner, edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.


OR:

I've read & consent to terms in IS user agreem't.

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.




login_banner_text="^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\)\,[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including\,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to\,[\s\n]+penetration[\s\n]+testing\,[\s\n]+COMSEC[\s\n]+monitoring\,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense\,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\)\,[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\)\,[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time\,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using\,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on\,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private\,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring\,[\s\n]+interception\,[\s\n]+and[\s\n]+search\,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.\,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above\,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM\,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications\,[\s\n]+or[\s\n]+work[\s\n]+product\,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys\,[\s\n]+psychotherapists\,[\s\n]+or[\s\n]+clergy\,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$"



# Multiple regexes transform the banner regex into a usable banner
# 0 - Remove anchors around the banner text
login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
# 1 - Keep only the first banner if there are multiple
#     (dod_banners contains the long and the short banner)
login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\)|.*)$/\1/g')
# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\n)+)/\n/g')
# 4 - Remove any leftover backslashes (from escaped parentheses in the banner, for example).
login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g')
formatted=$(echo "$login_banner_text" | fold -sw 80)

cat <<EOF >/etc/issue
$formatted
EOF


Complexity: low
Disruption: medium
- name: XCCDF Value login_banner_text # promote to variable
  set_fact:
    login_banner_text: !!str ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\)\,[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including\,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to\,[\s\n]+penetration[\s\n]+testing\,[\s\n]+COMSEC[\s\n]+monitoring\,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense\,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\)\,[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\)\,[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time\,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using\,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on\,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private\,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring\,[\s\n]+interception\,[\s\n]+and[\s\n]+search\,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.\,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above\,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM\,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications\,[\s\n]+or[\s\n]+work[\s\n]+product\,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys\,[\s\n]+psychotherapists\,[\s\n]+or[\s\n]+clergy\,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$
  tags:
    - always

- name: Modify the System Login Banner - remove incorrect banner
  file:
    state: absent
    path: /etc/issue
  tags:
    - CCE-80763-6
    - NIST-800-171-3.1.9
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(c)
    - banner_etc_issue
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

- name: Modify the System Login Banner - add correct banner
  lineinfile:
    dest: /etc/issue
    line: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*)\|.*\)$",
      "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
      "\n") | regex_replace("\\", "") | wordwrap() }}'
    create: true
  tags:
    - CCE-80763-6
    - NIST-800-171-3.1.9
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(c)
    - banner_etc_issue
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy
OVAL test results details

correct banner in /etc/issue  oval:ssg-test_banner_etc_issue:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_banner_etc_issue:obj:1 of type textfilecontent54_object
Behaviors: no value
Filepath: /etc/issue
Pattern: ^(.*)$
Instance: 1
Set Lockout Time for Failed Password Attempts

Rule ID: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
Result: fail
Multi-check rule: no
OVAL Definition ID: oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80670-3

References:  5.3.2, 5.5.3, 3.1.8, CCI-000044, CCI-002238, CM-6(a), AC-7(b), PR.AC-7, FIA_AFL.1, Req-8.1.7, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000329-VMM-001180, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, DSS05.04, DSS05.10, DSS06.10, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561

Description

To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny=3 unlock_time=0 fail_interval=900
  • add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny=3 unlock_time=0 fail_interval=900
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so
If unlock_time is set to 0, manual intervention by an administrator is required to unlock a user.

Rationale

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.



# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then


var_accounts_passwords_pam_faillock_unlock_time="0"



AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")

for pam_file in "${AUTH_FILES[@]}"
do
    # is auth required pam_faillock.so preauth present?
    if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then
        # is the option set?
        if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*'"unlock_time"'=([0-9]*).*$' "$pam_file" ; then
            # change only the value of the option; any options after it are kept
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\('"unlock_time"' *= *\)[0-9]*/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
        # the option is not set.
        else
            # append the option
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ '"unlock_time"'='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
        fi
    # auth required pam_faillock.so preauth is not present, insert the whole line
    else
        sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent '"unlock_time"'='"$var_accounts_passwords_pam_faillock_unlock_time" "$pam_file"
    fi
    # is auth [default=die] pam_faillock.so authfail present?
    if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*$' "$pam_file" ; then
        # is the option set?
        if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*'"unlock_time"'=([0-9]*).*$' "$pam_file" ; then
            # change only the value of the option; any options after it are kept
            # (the brackets of [default=die] are escaped so sed does not read them as a character class)
            sed -i --follow-symlinks 's/\(^auth.*\[default=die\].*pam_faillock.so.*authfail.*\)\('"unlock_time"' *= *\)[0-9]*/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
        # the option is not set.
        else
            # append the option
            sed -i --follow-symlinks '/^auth.*\[default=die\].*pam_faillock.so.*authfail.*/ s/$/ '"unlock_time"'='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
        fi
    # auth [default=die] pam_faillock.so authfail is not present, insert the whole line
    else
        sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail '"unlock_time"'='"$var_accounts_passwords_pam_faillock_unlock_time" "$pam_file"
    fi
    # account phase: pam_faillock.so must run before pam_unix.so
    if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then
        sed -E -i --follow-symlinks '/^\s*account\s*required\s*pam_unix.so/i account     required      pam_faillock.so' "$pam_file"
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi


Complexity: low
Disruption: low
Strategy: restrict
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - CCE-80670-3
    - CJIS-5.5.3
    - NIST-800-171-3.1.8
    - NIST-800-53-AC-7(b)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.1.7
    - accounts_passwords_pam_faillock_unlock_time
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
- name: XCCDF Value var_accounts_passwords_pam_faillock_unlock_time # promote to variable
  set_fact:
    var_accounts_passwords_pam_faillock_unlock_time: !!str 0
  tags:
    - always

- name: Add auth pam_faillock preauth unlock_time before pam_unix.so
  pamd:
    name: '{{ item }}'
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: required
    new_module_path: pam_faillock.so
    module_arguments: preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time
      }}
    state: before
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - CCE-80670-3
    - CJIS-5.5.3
    - NIST-800-171-3.1.8
    - NIST-800-53-AC-7(b)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.1.7
    - accounts_passwords_pam_faillock_unlock_time
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Add unlock_time argument to pam_faillock preauth
  pamd:
    name: '{{ item }}'
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time
      }}
    state: args_present
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - CCE-80670-3
    - CJIS-5.5.3
    - NIST-800-171-3.1.8
    - NIST-800-53-AC-7(b)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.1.7
    - accounts_passwords_pam_faillock_unlock_time
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Add auth pam_faillock authfail unlock_time after pam_unix.so
  pamd:
    name: '{{ item }}'
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: '[default=die]'
    new_module_path: pam_faillock.so
    module_arguments: authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time
      }}
    state: after
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - CCE-80670-3
    - CJIS-5.5.3
    - NIST-800-171-3.1.8
    - NIST-800-53-AC-7(b)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.1.7
    - accounts_passwords_pam_faillock_unlock_time
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Add unlock_time argument to auth pam_faillock authfail
  pamd:
    name: '{{ item }}'
    type: auth
    control: '[default=die]'
    module_path: pam_faillock.so
    module_arguments: authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time
      }}
    state: args_present
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - CCE-80670-3
    - CJIS-5.5.3
    - NIST-800-171-3.1.8
    - NIST-800-53-AC-7(b)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.1.7
    - accounts_passwords_pam_faillock_unlock_time
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Add account pam_faillock before pam_unix.so
  pamd:
    name: '{{ item }}'
    type: account
    control: required
    module_path: pam_unix.so
    new_type: account
    new_control: required
    new_module_path: pam_faillock.so
    state: before
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - CCE-80670-3
    - CJIS-5.5.3
    - NIST-800-171-3.1.8
    - NIST-800-53-AC-7(b)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.1.7
    - accounts_passwords_pam_faillock_unlock_time
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
OVAL test results details

Check if external variable unlock time is never  oval:ssg-test_var_faillock_unlock_time_is_never:tst:1  true

Following items have been found on the system:
Var ref: oval:ssg-var_accounts_passwords_pam_faillock_unlock_time:var:1
Value: 0

Check if unlock time is never  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_is_never:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time:obj:1 of type textfilecontent54_object
Set: oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system-auth:obj:1, oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password-auth:obj:1

Check if external variable unlock time is never  oval:ssg-test_var_faillock_unlock_time_is_never:tst:1  true

Following items have been found on the system:
Var ref: oval:ssg-var_accounts_passwords_pam_faillock_unlock_time:var:1
Value: 0

Check if unlock time is never, or greater than or equal external variable  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_greater_or_equal_ext_var:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time:obj:1 of type textfilecontent54_object
Set: oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system-auth:obj:1, oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password-auth:obj:1
Set Deny For Failed Password Attempts

Rule ID: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Result: fail
Multi-check rule: no
OVAL Definition ID: oval:ssg-accounts_passwords_pam_faillock_deny:def:1
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80667-9

References:  5.3.2, 5.5.3, 3.1.8, CCI-000044, CCI-002238, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000021-VMM-000050, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, DSS05.04, DSS05.10, DSS06.10, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561

Description

To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny=3 unlock_time=0 fail_interval=900
  • add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny=3 unlock_time=0 fail_interval=900
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so
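A checker for the pam_faillock placement described in this rule and in the Set Lockout Time rule above, added here as an example and not part of the SCAP Security Guide: it parses the text of a pam.d stack and reports every deviation from the three required lines and from the expected deny and unlock_time values. The two sample stacks are constructed inline, not captured from a host.

```python
import re
from typing import Dict, List, Optional

# One PAM directive: type, control (a word or a [bracketed] spec), module, args.
_PAM_LINE = re.compile(
    r"^\s*(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?P<args>.*)$"
)

def parse_pam_stack(text: str) -> List[Dict]:
    """Ordered entries of a pam.d file; comments, blank lines and '-type'
    directives are skipped ('include' lines never match a module name below)."""
    entries = []
    for raw in text.splitlines():
        m = _PAM_LINE.match(raw.split("#", 1)[0])
        if m:
            e = m.groupdict()
            e["args"] = e["args"].split()
            entries.append(e)
    return entries

def _find(stack: List[Dict], module: str, control: Optional[str] = None,
          flag: Optional[str] = None) -> Optional[int]:
    """Index of the first entry for module, with this control and flag if given."""
    for i, e in enumerate(stack):
        if e["module"] != module:
            continue
        if (control is None or e["control"] == control) and (flag is None or flag in e["args"]):
            return i
    return None

def _check_options(where: str, args: List[str], deny: str, unlock_time: str) -> List[str]:
    """deny= and unlock_time= must both be present with the expected values."""
    out = []
    for name, want in (("deny", deny), ("unlock_time", unlock_time)):
        got = next((a.split("=", 1)[1] for a in args if a.startswith(name + "=")), None)
        if got != want:
            out.append(f"auth: {where} has {name}={got}, expected {want}")
    return out

def check_faillock(text: str, deny: str = "3", unlock_time: str = "0") -> List[str]:
    """Findings for one pam.d stack against the three placement rules and the
    expected deny/unlock_time values (strings, as in XCCDF). Empty means compliant."""
    findings: List[str] = []
    entries = parse_pam_stack(text)
    auth = [e for e in entries if e["type"] == "auth"]
    account = [e for e in entries if e["type"] == "account"]
    unix = _find(auth, "pam_unix.so")
    if unix is None:
        return ["auth: pam_unix.so not found; the faillock lines have no anchor"]
    # Rule 1: 'auth required pam_faillock.so preauth silent ...' immediately before pam_unix.so
    pre = _find(auth, "pam_faillock.so", "required", "preauth")
    if pre is None:
        findings.append("auth: missing 'required pam_faillock.so preauth'")
    else:
        if pre != unix - 1:
            findings.append("auth: preauth line is not immediately before pam_unix.so")
        if "silent" not in auth[pre]["args"]:
            findings.append("auth: preauth line lacks 'silent'")
        findings += _check_options("preauth", auth[pre]["args"], deny, unlock_time)
    # Rule 2: 'auth [default=die] pam_faillock.so authfail ...' immediately after pam_unix.so
    fail = _find(auth, "pam_faillock.so", "[default=die]", "authfail")
    if fail is None:
        findings.append("auth: missing '[default=die] pam_faillock.so authfail'")
    else:
        if fail != unix + 1:
            findings.append("auth: authfail line is not immediately after pam_unix.so")
        findings += _check_options("authfail", auth[fail]["args"], deny, unlock_time)
    # Rule 3: 'account required pam_faillock.so' immediately before the account pam_unix.so
    acct_unix = _find(account, "pam_unix.so")
    acct_fl = _find(account, "pam_faillock.so", "required")
    if acct_fl is None:
        findings.append("account: missing 'required pam_faillock.so'")
    elif acct_unix is None or acct_fl != acct_unix - 1:
        findings.append("account: pam_faillock.so is not immediately before pam_unix.so")
    return findings

# Constructed sample stacks (not captured from a real host). The first follows the
# guide; the second has deny=5 on preauth, no authfail line and no account-phase call.
COMPLIANT = """\
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=0 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=0 fail_interval=900
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
"""
NONCOMPLIANT = """\
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=5 unlock_time=0
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
"""
```

Run it against the real files with `check_faillock(open("/etc/pam.d/system-auth").read())` and again for password-auth; both must come back empty for the rule to pass.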

Rationale

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.



# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then


var_accounts_passwords_pam_faillock_deny="3"



AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")

for pam_file in "${AUTH_FILES[@]}"
do
    # is auth required pam_faillock.so preauth present?
    if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then
        # is the option set?
        if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*'"deny"'=([0-9]*).*$' "$pam_file" ; then
            # change only the value of the option; any options after it are kept
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\('"deny"' *= *\)[0-9]*/\1\2'"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
        # the option is not set.
        else
            # append the option
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ '"deny"'='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
        fi
    # auth required pam_faillock.so preauth is not present, insert the whole line
    else
        sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent '"deny"'='"$var_accounts_passwords_pam_faillock_deny" "$pam_file"
    fi
    # is auth [default=die] pam_faillock.so authfail present?
    if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*$' "$pam_file" ; then
        # is the option set?
        if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*'"deny"'=([0-9]*).*$' "$pam_file" ; then
            # change only the value of the option; any options after it are kept
            # (the brackets of [default=die] are escaped so sed does not read them as a character class)
            sed -i --follow-symlinks 's/\(^auth.*\[default=die\].*pam_faillock.so.*authfail.*\)\('"deny"' *= *\)[0-9]*/\1\2'"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
        # the option is not set.
        else
            # append the option
            sed -i --follow-symlinks '/^auth.*\[default=die\].*pam_faillock.so.*authfail.*/ s/$/ '"deny"'='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
        fi
    # auth [default=die] pam_faillock.so authfail is not present, insert the whole line
    else
        sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail '"deny"'='"$var_accounts_passwords_pam_faillock_deny" "$pam_file"
    fi
    # account phase: pam_faillock.so must run before pam_unix.so
    if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then
        sed -E -i --follow-symlinks '/^\s*account\s*required\s*pam_unix.so/i account     required      pam_faillock.so' "$pam_file"
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi


Complexity: low
Disruption: low
Strategy: restrict
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - CCE-80667-9
    - CJIS-5.5.3
    - NIST-800-171-3.1.8
    - NIST-800-53-AC-7(a)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.1.6
    - accounts_passwords_pam_faillock_deny
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
- name: XCCDF Value var_accounts_passwords_pam_faillock_deny # promote to variable
  set_fact:
    var_accounts_passwords_pam_faillock_deny: !!str 3
  tags:
    - always

- name: Add auth pam_faillock preauth deny before pam_unix.so
  pamd:
    name: '{{ item }}'
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: required
    new_module_path: pam_faillock.so
    module_arguments: preauth silent deny={{ var_accounts_passwords_pam_faillock_deny
      }}
    state: before
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - CCE-80667-9
    - CJIS-5.5.3
    - NIST-800-171-3.1.8
    - NIST-800-53-AC-7(a)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.1.6
    - accounts_passwords_pam_faillock_deny
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Add deny argument to auth pam_faillock preauth
  pamd:
    name: '{{ item }}'
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: preauth silent deny={{ var_accounts_passwords_pam_faillock_deny
      }}
    state: args_present
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - CCE-80667-9
    - CJIS-5.5.3
    - NIST-800-171-3.1.8
    - NIST-800-53-AC-7(a)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.1.6
    - accounts_passwords_pam_faillock_deny
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Add auth pam_faillock authfail deny after pam_unix.so
  pamd:
    name: '{{ item }}'
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: '[default=die]'
    new_module_path: pam_faillock.so
    module_arguments: authfail deny={{ var_accounts_passwords_pam_faillock_deny }}
    state: after
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - CCE-80667-9
    - CJIS-5.5.3
    - NIST-800-171-3.1.8
    - NIST-800-53-AC-7(a)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.1.6
    - accounts_passwords_pam_faillock_deny
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Add deny argument to auth pam_faillock authfail
  pamd:
    name: '{{ item }}'
    type: auth
    new_type: auth
    control: '[default=die]'
    module_path: pam_faillock.so
    module_arguments: authfail deny={{ var_accounts_passwords_pam_faillock_deny }}
    state: args_present
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - CCE-80667-9
    - CJIS-5.5.3
    - NIST-800-171-3.1.8
    - NIST-800-53-AC-7(a)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.1.6
    - accounts_passwords_pam_faillock_deny
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Add account pam_faillock before pam_unix.so
  pamd:
    name: '{{ item }}'
    type: account
    control: required
    module_path: pam_unix.so
    new_type: account
    new_control: required
    new_module_path: pam_faillock.so
    state: before
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - CCE-80667-9
    - CJIS-5.5.3
    - NIST-800-171-3.1.8
    - NIST-800-53-AC-7(a)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.1.6
    - accounts_passwords_pam_faillock_deny
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

OVAL test results details

Test: Check pam_faillock.so preauth silent present, with correct deny value, and is followed by pam_unix.
Test ID: oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_system-auth:tst:1
Result: false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_preauth_silent_system-auth:obj:1 of type textfilecontent54_object
Filepath: /etc/pam.d/system-auth
Pattern: [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n]
Instance: 1

Test: Check if pam_faillock.so is called in account phase before pam_unix
Test ID: oval:ssg-test_accounts_passwords_pam_faillock_account_phase_system-auth:tst:1
Result: false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_account_phase_system-auth:obj:1 of type textfilecontent54_object
Filepath: /etc/pam.d/system-auth
Pattern: [\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n]
Instance: 1

Test: Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth, has correct deny value, and is followed by pam_unix
Test ID: oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_password-auth:tst:1
Result: false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_preauth_silent_password-auth:obj:1 of type textfilecontent54_object
Filepath: /etc/pam.d/password-auth
Pattern: [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n]
Instance: 1

Test: Check if pam_faillock.so is called in account phase before pam_unix.
Test ID: oval:ssg-test_accounts_passwords_pam_faillock_account_phase_password-auth:tst:1
Result: false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_account_phase_password-auth:obj:1 of type textfilecontent54_object
Filepath: /etc/pam.d/password-auth
Pattern: [\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n]
Instance: 1

Test: Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value
Test ID: oval:ssg-test_accounts_passwords_pam_faillock_numeric_default_check_system-auth:tst:1
Result: false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_system-auth:obj:1 of type textfilecontent54_object
Message: Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin
Filepath: /etc/pam.d/system-auth
Instance: 1

Test: Check control values of pam_unix, that it is followed by pam_faillock.so authfail and deny value of pam_faillock.so authfail
Test ID: oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_system-auth:tst:1
Result: false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_authfail_deny_system-auth:obj:1 of type textfilecontent54_object
Filepath: /etc/pam.d/system-auth
Pattern: [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[[^\]]*default=ignore[^\]]*\]))[^\n]+pam_unix\.so(?:.*[\n])*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[^\n]+deny=([0-9]+)
Instance: 1

Test: Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value
Test ID: oval:ssg-test_accounts_passwords_pam_faillock_numeric_default_check_password-auth:tst:1
Result: false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_password-auth:obj:1 of type textfilecontent54_object
Message: Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin
Filepath: /etc/pam.d/password-auth
Instance: 1

Test: Check pam_faillock authfail is present after pam_unix, check pam_unix has proper control values, and authfail deny value is correct.
Test ID: oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_password-auth:tst:1
Result: false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_authfail_deny_password-auth:obj:1 of type textfilecontent54_object
Filepath: /etc/pam.d/password-auth
Pattern: [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[[^\]]*default=ignore[[^\]]*\]))[\s]+pam_unix\.so(?:.*[\n])*[^\n]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)
Instance: 1
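
The OVAL tests above all encode the same three ordering conditions that the Ansible tasks establish: a "preauth silent deny=N" line before pam_unix.so in the auth phase, a "[default=die] ... authfail deny=N" line after it (with pam_unix.so being "sufficient" or carrying default=ignore), and pam_faillock.so before pam_unix.so in the account phase. The following checker is an added example, not SCAP Security Guide code: it parses a constructed system-auth sample (the file content, deny value and function names are assumptions) and reports which of those conditions fail, which is what the report's "false" results mean in practice.

```python
import re

# Constructed sample of /etc/pam.d/system-auth in the state the remediation above produces.
SAMPLE_SYSTEM_AUTH = """\
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=900
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=900
account     required      pam_faillock.so
account     required      pam_unix.so
"""
RULE_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")  # type control module args

def parse_pam(text):
    """Return (type, control, module, [args]) tuples, skipping comments and blank lines."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        m = RULE_RE.match(line) if line and not line.startswith("#") else None
        if m:
            rules.append((m[1], m[2], m[3], m[4].split()))
    return rules

def find(rules, typ, module, flag=None):
    """Index of the first rule with this type and module (and argument flag, if given)."""
    for i, (t, _c, m, args) in enumerate(rules):
        if t == typ and m == module and (flag is None or flag in args):
            return i
    return None

def deny_of(rule):
    # Numeric deny= argument carried by the rule, or None when absent
    vals = [a[5:] for a in rule[3] if a.startswith("deny=") and a[5:].isdigit()]
    return int(vals[0]) if vals else None

def faillock_findings(text, deny):
    """Mirror the OVAL tests above: return a list of problems (empty means compliant)."""
    r = parse_pam(text)
    pre = find(r, "auth", "pam_faillock.so", "preauth")
    unix = find(r, "auth", "pam_unix.so")
    fail = find(r, "auth", "pam_faillock.so", "authfail")
    apre, aunix = find(r, "account", "pam_faillock.so"), find(r, "account", "pam_unix.so")
    checks = [
        (pre is not None and unix is not None and pre < unix and "silent" in r[pre][3]
         and deny_of(r[pre]) == deny, f"auth: 'pam_faillock.so preauth silent deny={deny}' must precede pam_unix.so"),
        (unix is not None and (r[unix][1] == "sufficient" or "default=ignore" in r[unix][1]),
         "auth: pam_unix.so must be 'sufficient' or a [... default=ignore ...] control"),
        (fail is not None and unix is not None and fail > unix and r[fail][1] == "[default=die]"
         and deny_of(r[fail]) == deny, f"auth: '[default=die] pam_faillock.so authfail deny={deny}' must follow pam_unix.so"),
        (apre is not None and aunix is not None and apre < aunix, "account: pam_faillock.so must precede pam_unix.so"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Running faillock_findings on the real file contents with the site's deny value gives the same pass/fail answer as the OVAL tests, but names the condition that is missing.
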

Set Interval For Counting Failed Password Attempts | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval | medium | CCE-80669-5

Set Interval For Counting Failed Password Attempts

Rule ID: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
Result: fail
Multi-check rule: no
OVAL Definition ID: oval:ssg-accounts_passwords_pam_faillock_interval:def:1
Time: 2021-04-23T21:30:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80669-5

References:  CCI-000044, CCI-002238, CM-6(a),